CVE Vulnerability

CVE-2022-39295

Knowage is an open source suite for modern business analytics alternative over big data systems. KnowageLabs / Knowage-Server starting with the 6.x branch and prior to versions 7.4.22, 8.0.9, and 8.1.0 is vulnerable to cross-site scripting because the `XSSRequestWrapper::stripXSS` method can be bypassed. Versions 7.4.22, 8.0.9, and 8.1.0 contain patches for this issue. There are no known workarounds.

6.1 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://github.com/KnowageLabs/Knowage-Server/security/advisories/GHSA-f2gr-6h9j-rwcw Third Party Advisory
https://github.com/KnowageLabs/Knowage-Server/blob/b079a654c1708f82f6914c55be6715ad621d9edd/knowageutils/src/main/java/it/eng/spagobi/utilities/filters/XSSRequestWrapper.java#L82-L206 Exploit Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:eng:knowage:*:*:*:*:*:*:*:*
cpe:2.3:a:eng:knowage:*:*:*:*:*:*:*:*
Information

Published : 2022-10-13 11:15

Updated : 2022-10-17 01:30

NVD link : CVE-2022-39295

Mitre link : CVE-2022-39295

Products Affected
No products.
CWE
CWE-79