Summary
The host is running Pentaho BI Server and is prone to multiple vulnerabilities.
Impact
Successful exploitation will allow attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site or obtain sensitive information.
Impact Level: Application
Solution
Upgrade to Pentaho BI Server 3.5.0 GA or later,
For updates refer to http://www.pentaho.com/download/
Insight
- Input passed via the 'outputType' parameter to ViewAction is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
- Password field with autocomplete enabled, which might allow physically proximate attackers to obtain the password.
- Disclosure of session ID (JSESSIONID) in URL, which allows attackers to obtain it from session history, referer headers, or sniffing of web traffic.
Affected
Pentaho BI Server version 1.7.0.1062 and prior.
References
- http://antisnatchor.com/2009/06/20/pentaho-1701062-multiple-vulnerabilities/
- http://jira.pentaho.com/browse/BISERVER-2698?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
- http://secunia.com/advisories/37024
- http://www.securityfocus.com/archive/1/archive/1/507168/100/0/threaded
Updated on 2015-03-25
Severity
Classification
-
CVE CVE-2009-5099, CVE-2009-5100, CVE-2009-5101 -
CVSS Base Score: 5.0
AV:N/AC:L/Au:N/C:P/I:N/A:N
Related Vulnerabilities