PT-2025-16911 · Hitachi Vantara · Pentaho Business Analytics Server

Published: 2025-04-16 · Updated: 2025-04-17 · CVE-2025-0757

CVSS v3.1: 4.4 (Medium)
Vector: AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Hitachi Vantara Pentaho Business Analytics Server versions prior to 10.2.0.2, including 9.3.x and 8.3.x
Description: The software does not properly neutralize user-controllable input before it is placed in output that is used as a web page (cross-site scripting), so a crafted URL can inject content into the Analyzer plugin interface. A victim who opens such a URL can have private information, including cookies carrying session data, sent from their browser to the attacker, and the attacker can issue requests to the site in the victim's name; if the victim is an administrator, those requests carry administrator privileges.
Recommendations: For versions prior to 10.2.0.2, including 9.3.x and 8.3.x, update to version 10.2.0.2 or later, which resolves the issue. Until the update can be applied, consider restricting access to the Analyzer plugin interface, and do not follow untrusted links that point at the Analyzer plugin interface.
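As an added illustration of the weakness class named in the description and of the kind of fix the update applies (this is not code from Hitachi Vantara or the Pentaho project; the handler, the /reports path and the name parameter are hypothetical stand-ins), the following Node.js snippet models a server-side handler that reflects a URL query parameter into a page, first without neutralization and then with HTML encoding, together with a small check that tells whether a probe string came back unencoded.

```javascript
// Added illustration, not Pentaho/Analyzer source: a hypothetical handler that
// reflects the "name" query parameter of a hypothetical /reports URL into HTML.

// Encode the five characters that let text break out of an HTML text node or a
// quoted attribute value. Suitable for text and double/single-quoted attributes;
// not for JavaScript, CSS or URL contexts, which need their own encoders.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Pull the attacker-controllable value out of the request URL.
function reportNameFrom(requestUrl) {
  return new URL(requestUrl).searchParams.get("name") ?? "";
}

// Bug class from the advisory: user input concatenated straight into markup,
// once in a text node and once inside a quoted attribute.
function renderVulnerable(requestUrl) {
  const name = reportNameFrom(requestUrl);
  return `<h1>Report: ${name}</h1>\n<input name="title" value="${name}">`;
}

// Fixed form: every reflection point passes through the encoder.
function renderHardened(requestUrl) {
  const safe = escapeHtml(reportNameFrom(requestUrl));
  return `<h1>Report: ${safe}</h1>\n<input name="title" value="${safe}">`;
}

// Reflection check a tester can run against any page that echoes a parameter:
// true when the probe string appears verbatim (unencoded) in the response body.
function reflectsUnencoded(html, probe) {
  return html.includes(probe);
}

// Constructed sample request: a probe that closes the attribute quote and opens
// a script tag, percent-encoded as a browser would send it.
const SAMPLE_URL =
  "https://bi.example.invalid/reports?name=%22%3E%3Cscript%3Eprobe()%3C%2Fscript%3E";
const PROBE = '"><script>probe()</script>';

// Run both renderers over the sample request and report whether each reflects
// the probe unencoded.
function demo() {
  const vulnerable = renderVulnerable(SAMPLE_URL);
  const hardened = renderHardened(SAMPLE_URL);
  return {
    vulnerableReflects: reflectsUnencoded(vulnerable, PROBE),
    hardenedReflects: reflectsUnencoded(hardened, PROBE),
    vulnerable,
    hardened,
  };
}

if (typeof require !== "undefined" && require.main === module) {
  const r = demo();
  console.log("vulnerable reflects probe:", r.vulnerableReflects);
  console.log(r.vulnerable);
  console.log("hardened reflects probe:", r.hardenedReflects);
  console.log(r.hardened);
}
```

The encoder is applied at the point of output, not on the way in, because the same value may later be emitted into a different context (a JavaScript string, a URL) that needs a different encoding; encoding once at input time is what typically leaves one reflection point unprotected.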

Fix
XSS

Weakness Enumeration

Related Identifiers: CVE-2025-0757

Affected Products: Analyzer, Pentaho Business Analytics Server