Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Knowage
(Eng)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 18 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2023-07-03 | CVE-2023-36819 | Knowage is the professional open source suite for modern business analytics over traditional sources and big data systems. The endpoint `_/knowage/restful-services/dossier/importTemplateFile_` allows authenticated users to download template hosted on the server. However, starting in the 6.x.x branch and prior to version 8.1.8, the application does not sanitize the `_templateName_ `parameter allowing an attacker to use `*../*` in it, and escaping the directory the template are normally placed... | Knowage | 6.5 | ||
| 2023-07-14 | CVE-2023-37472 | Knowage is an open source suite for business analytics. The application often use user supplied data to create HQL queries without prior sanitization. An attacker can create specially crafted HQL queries that will break subsequent SQL queries generated by the Hibernate engine. The endpoint `_/knowage/restful-services/2.0/documents/listDocument_` calls the `_countBIObjects_` method of the `_BIObjectDAOHibImpl_` object with the user supplied `_label_` parameter without prior sanitization. This... | Knowage | 6.5 | ||
| 2023-08-04 | CVE-2023-38702 | Knowage is an open source analytics and business intelligence suite. Starting in the 6.x.x branch and prior to version 8.1.8, the endpoint `/knowage/restful-services/dossier/importTemplateFile` allows authenticated users to upload `template file` on the server, but does not need any authorization to be reached. When the JSP file is uploaded, the attacker just needs to connect to `/knowageqbeengine/foo.jsp` to gain code execution on the server. By exploiting this vulnerability, an attacker... | Knowage | 8.8 | ||
| 2018-06-13 | CVE-2018-12355 | Knowage (formerly SpagoBI) 6.1.1 allows XSS via the name or description field to the "Olap Schemas' Catalogue" catalogue. | Knowage | N/A | ||
| 2019-09-05 | CVE-2019-13190 | In Knowage through 6.1.1, the sign up page does not invalidate a valid CAPTCHA token. This allows for CAPTCHA bypass in the signup page. | Knowage | 5.3 | ||
| 2019-09-05 | CVE-2019-13188 | In Knowage through 6.1.1, an unauthenticated user can bypass access controls and access the entire application. | Knowage | 9.8 | ||
| 2019-08-28 | CVE-2019-13348 | In Knowage through 6.1.1, an authenticated user who accesses the datasources page will gain access to any data source credentials in cleartext, which includes databases. | Knowage | 8.8 | ||
| 2019-08-28 | CVE-2019-13189 | In Knowage through 6.1.1, there is XSS via the start_url or user_id field to the ChangePwdServlet page. | Knowage | 6.1 |