PT-2025-16916 · Hitachi Vantara · Hitachi Vantara Pentaho Business Analytics Server

Published: 2025-04-16 · Updated: 2025-04-17 · CVE-2025-24909

CVSS v3.1: 4.4 (Medium)
Vector: AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Hitachi Vantara Pentaho Business Analytics Server versions prior to 10.2.0.2
Hitachi Vantara Pentaho Business Analytics Server versions 9.3.x
Hitachi Vantara Pentaho Business Analytics Server versions 8.3.x

Description
The software does not neutralize, or incorrectly neutralizes, user-controllable input before placing it in output that is served as a web page to other users. As a result, a crafted URL can inject content into the Analyzer plugin interface, allowing an attacker to carry out malicious actions in the context of the victim's browser session. The attacker could transfer private information, such as cookies that may contain session data, from the victim's machine to the attacker, and could send requests to a web site on the victim's behalf.

Recommendations
For versions prior to 10.2.0.2, update to version 10.2.0.2 or later to resolve the issue. For versions 9.3.x and 8.3.x, update to version 10.2.0.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the Analyzer plugin interface until a patch can be applied. Avoid opening untrusted links to the Analyzer plugin interface, since a crafted URL is what injects content into it.

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2025-24909

Affected Products

Analyzer
Hitachi Vantara Pentaho Business Analytics Server