ENG : Security Vulnerabilities, CVEs, CVSS score >= 8
Knowage is an open source analytics and business intelligence suite. Starting in the 6.x.x branch and prior to version 8.1.8, the endpoint `/knowage/restful-services/dossier/importTemplateFile` allows authenticated users to upload `template file` on the server, but does not need any authorization to be reached. When the JSP file is uploaded, the attacker just needs to connect to `/knowageqbeengine/foo.jsp` to gain code execution on the server. By exploiting this vulnerability, an attacker with low privileges can upload a JSP file to the `knowageqbeengine` directory and gain code execution capability on the server. This issue has been patched in Knowage version 8.1.8.
Max CVSS
9.9
EPSS Score
0.08%
Published
2023-08-04
Updated
2023-08-09
A SQL injection vulnerability in Knowage Suite version 7.1 exists in the documentexecution/url analytics driver component via the 'par_year' parameter when running a report.
Max CVSS
8.8
EPSS Score
0.10%
Published
2021-04-05
Updated
2021-04-08
In Knowage through 6.1.1, an authenticated user who accesses the datasources page will gain access to any data source credentials in cleartext, which includes databases.
Max CVSS
8.8
EPSS Score
0.13%
Published
2019-08-28
Updated
2020-08-24
In Knowage through 6.1.1, an unauthenticated user can bypass access controls and access the entire application.
Max CVSS
9.8
EPSS Score
0.60%
Published
2019-09-05
Updated
2020-08-24
Unrestricted file upload vulnerability in the Worksheet designer in SpagoBI before 4.1 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an unspecified directory, aka "XSS File Upload."
Max CVSS
8.0
EPSS Score
1.56%
Published
2019-11-22
Updated
2019-12-04
SpagoBI before 4.1 has Privilege Escalation via an error in the AdapterHTTP script
Max CVSS
9.0
EPSS Score
7.46%
Published
2020-01-10
Updated
2020-01-21
6 vulnerabilities found