CVE-2023-5562

Name of the Vulnerable Software and Affected Versions KNIME Analytics Platform versions prior to 5.2.0

Description The issue is related to an unsafe default configuration that allows for a cross-site scripting attack. When KNIME Analytics Platform is used as an executor for either KNIME Server or KNIME Business Hub, several JavaScript-based view nodes do not sanitize the data that is displayed by default. If the data to be displayed contains JavaScript, this code is executed in the browser and can perform any operations that the current user is allowed to perform silently. KNIME Analytics Platform already has configuration options with which sanitization of data can be activated.

Recommendations For versions prior to 5.2.0, add the corresponding settings to the executor's knime.ini to enable sanitization of data. KNIME Analytics Platform 5.2.0 will enable sanitization by default, so updating to this version or later will resolve the issue.