CVE-2024-28983 - OpenCVE

Hitachi Vantara Pentaho Business Analytics Server prior to versions 10.1.0.0 and 9.3.0.7, including 8.3.x allow a malicious URL to inject content into the Analyzer plugin interface.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact High

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Hitachi	Business Analytics Server

Configuration 1 [-]

OR	cpe:2.3:a:hitachi:business_analytics_server::::::::
	cpe:2.3:a:hitachi:business_analytics_server::::::::

No data.

References

Link	Providers
https://support.pentaho.com/hc/en-us/articles/27569257123725-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Improper-Neutralization-of-Input-During-Web-Page-Generation-Cross-site-Scripting-Versions-before-10-1-0-0-and-9-3-0-7-including-8-3-x-Impacted-CVE-2024-28983

History

Wed, 18 Sep 2024 15:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Hitachi Hitachi business Analytics Server
CPEs		cpe:2.3:a:hitachi:business_analytics_server::::::::
Vendors & Products		Hitachi Hitachi business Analytics Server

MITRE

Status: PUBLISHED

Assigner: HITVAN

Published: 2024-06-26T22:40:15.645Z

Updated: 2024-09-11T23:40:00.607Z

Reserved: 2024-03-13T19:18:14.913Z

Link: CVE-2024-28983

Vulnrichment

Updated: 2024-08-02T01:03:51.428Z

NVD

Status : Analyzed

Published: 2024-06-26T23:15:19.597

Modified: 2024-09-18T14:36:16.267

Link: CVE-2024-28983

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-28983", "assignerOrgId": "dce6e192-ff49-4263-9134-f0beccb9bc13", "state": "PUBLISHED", "assignerShortName": "HITVAN", "dateReserved": "2024-03-13T19:18:14.913Z", "datePublished": "2024-06-26T22:40:15.645Z", "dateUpdated": "2024-09-11T23:40:00.607Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Pentaho Business Analytics Server", "vendor": "Hitachi Vantara", "versions": [{"lessThan": "9.3.0.7", "status": "affected", "version": "1.0", "versionType": "maven"}, {"lessThan": "10.1.0.0", "status": "affected", "version": "8.3", "versionType": "maven"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Yesenia Trejo - Strike Security"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Hitachi Vantara Pentaho Business Analytics Server prior to versions 10.1.0.0 and 9.3.0.7, including 8.3.x allow a malicious URL to inject content into the Analyzer plugin interface.</span><span style=\"background-color: rgb(255, 255, 255);\"> </span>"}], "value": "Hitachi Vantara Pentaho Business Analytics Server prior to versions 10.1.0.0 and 9.3.0.7, including 8.3.x allow a malicious URL to inject content into the Analyzer plugin interface."}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "CAPEC-591 Reflected XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "dce6e192-ff49-4263-9134-f0beccb9bc13", "shortName": "HITVAN", "dateUpdated": "2024-09-11T23:40:00.607Z"}, "references": [{"url": "https://support.pentaho.com/hc/en-us/articles/27569257123725-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Improper-Neutralization-of-Input-During-Web-Page-Generation-Cross-site-Scripting-Versions-before-10-1-0-0-and-9-3-0-7-including-8-3-x-Impacted-CVE-2024-28983"}], "source": {"discovery": "UNKNOWN"}, "title": "Hitachi Vantara Pentaho Business Analytics Server - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-27T14:48:05.798742Z", "id": "CVE-2024-28983", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-27T14:48:13.210Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:03:51.428Z"}, "title": "CVE Program Container", "references": [{"url": "https://support.pentaho.com/hc/en-us/articles/27569257123725-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Improper-Neutralization-of-Input-During-Web-Page-Generation-Cross-site-Scripting-Versions-before-10-1-0-0-and-9-3-0-7-including-8-3-x-Impacted-CVE-2024-28983", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://support.pentaho.com/hc/en-us/articles/27569257123725-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Improper-Neutralization-of-Input-During-Web-Page-Generation-Cross-site-Scripting-Versions-before-10-1-0-0-and-9-3-0-7-including-8-3-x-Impacted-CVE-2024-28983", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:03:51.428Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-28983", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-27T14:48:05.798742Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-27T14:48:09.309Z"}}], "cna": {"title": "Hitachi Vantara Pentaho Business Analytics Server - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Yesenia Trejo - Strike Security"}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "CAPEC-591 Reflected XSS"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Hitachi Vantara", "product": "Pentaho Business Analytics Server", "versions": [{"status": "affected", "version": "1.0", "lessThan": "9.3.0.7", "versionType": "maven"}, {"status": "affected", "version": "8.3", "lessThan": "10.1.0.0", "versionType": "maven"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://support.pentaho.com/hc/en-us/articles/27569257123725-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Improper-Neutralization-of-Input-During-Web-Page-Generation-Cross-site-Scripting-Versions-before-10-1-0-0-and-9-3-0-7-including-8-3-x-Impacted-CVE-2024-28983"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Hitachi Vantara Pentaho Business Analytics Server prior to versions 10.1.0.0 and 9.3.0.7, including 8.3.x allow a malicious URL to inject content into the Analyzer plugin interface.", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Hitachi Vantara Pentaho Business Analytics Server prior to versions 10.1.0.0 and 9.3.0.7, including 8.3.x allow a malicious URL to inject content into the Analyzer plugin interface.</span><span style=\"background-color: rgb(255, 255, 255);\"> </span>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "dce6e192-ff49-4263-9134-f0beccb9bc13", "shortName": "HITVAN", "dateUpdated": "2024-09-11T23:40:00.607Z"}}}, "cveMetadata": {"cveId": "CVE-2024-28983", "state": "PUBLISHED", "dateUpdated": "2024-09-11T23:40:00.607Z", "dateReserved": "2024-03-13T19:18:14.913Z", "assignerOrgId": "dce6e192-ff49-4263-9134-f0beccb9bc13", "datePublished": "2024-06-26T22:40:15.645Z", "assignerShortName": "HITVAN"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hitachi:business_analytics_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "5B123B7B-28AF-4B23-B6BC-0E4ECA161759", "versionEndExcluding": "9.3.0.7", "versionStartIncluding": "8.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:hitachi:business_analytics_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "7648F088-BF64-4A98-9CE5-9D5AD2B740CE", "versionEndExcluding": "10.1.0.0", "versionStartIncluding": "9.3.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Hitachi Vantara Pentaho Business Analytics Server prior to versions 10.1.0.0 and 9.3.0.7, including 8.3.x allow a malicious URL to inject content into the Analyzer plugin interface."}, {"lang": "es", "value": "Hitachi Vantara Pentaho Business Analytics Server anterior a las versiones 10.1.0.0 y 9.3.0.7, incluida la 8.3.x, permite que una URL maliciosa inyecte contenido en la interfaz del complemento del analizador."}], "id": "CVE-2024-28983", "lastModified": "2024-09-18T14:36:16.267", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.3, "source": "security.vulnerabilities@hitachivantara.com", "type": "Secondary"}]}, "published": "2024-06-26T23:15:19.597", "references": [{"source": "security.vulnerabilities@hitachivantara.com", "tags": ["Vendor Advisory"], "url": "https://support.pentaho.com/hc/en-us/articles/27569257123725-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Improper-Neutralization-of-Input-During-Web-Page-Generation-Cross-site-Scripting-Versions-before-10-1-0-0-and-9-3-0-7-including-8-3-x-Impacted-CVE-2024-28983"}], "sourceIdentifier": "security.vulnerabilities@hitachivantara.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "security.vulnerabilities@hitachivantara.com", "type": "Secondary"}]}