PT-2025-7410 · Hitachi Vantara · Hitachi Vantara Pentaho Business Analytics Server

Published: 2025-02-19 · Updated: 2025-02-20 · CVE-2024-37360

CVSS v2.0: 4.9 (Medium)
Vector: AV:N/AC:H/Au:S/C:N/I:C/A:N

Name of the Vulnerable Software and Affected Versions: Hitachi Vantara Pentaho Business Analytics Server versions prior to 10.2.0.0 and 9.3.0.9, including 8.3.x

Description: The software does not neutralize, or incorrectly neutralizes, user-controllable input before it is placed in output that is used as a web page served to other users. This allows a malicious URL to inject content into the Analyzer plugin interface. Once the malicious script is injected, the attacker can perform a variety of malicious activities, such as transferring private information (for example cookies that may contain session information) from the victim's machine to the attacker, or sending malicious requests to a web site on behalf of the victim.

Recommendations: For Hitachi Vantara Pentaho Business Analytics Server versions prior to 10.2.0.0 and 9.3.0.9, including 8.3.x, update to version 10.2.0.0 or 9.3.0.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the Analyzer plugin interface until the update can be applied. Do not follow untrusted URLs that target the Analyzer plugin interface, since a crafted link is the vector for injecting content into it.

Fix

XSS

Weakness Enumeration

Related Identifiers

BDU:2025-02158
CVE-2024-37360

Affected Products

Analyzer
Hitachi Vantara Pentaho Business Analytics Server