Pentaho BI Server Multiple Vulnerabilities

The host is running Pentaho BI Server and is prone to multiple vulnerabilities.
Successful exploitation will allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, or to obtain sensitive information.

Impact Level: Application

Upgrade to Pentaho BI Server 3.5.0 GA or later. For updates refer to
- Input passed via the 'outputType' parameter to ViewAction is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
- Password field with autocomplete enabled, which might allow physically proximate attackers to obtain the password.
- Disclosure of session ID (JSESSIONID) in URL, which allows attackers to obtain it from session history, referer headers, or sniffing of web traffic.
Pentaho BI Server version and prior.
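
A defensive check for the three weaknesses listed above, as an added example that is not part of the original advisory or of Pentaho's code: it audits one HTTP response for a password field that allows autocomplete, a JSESSIONID carried in a URL, and a request value returned without HTML encoding. The sample response, its paths and its field names are constructed for illustration, and the finding labels are hypothetical.

```python
import re
from html.parser import HTMLParser

SESSION_IN_URL = re.compile(r";jsessionid=[\w.\-]+", re.IGNORECASE)

class ResponseAudit(HTMLParser):
    """Collects password fields that allow autocomplete and URLs carrying a session ID."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self.form_off = False  # autocomplete="off" set on the enclosing form

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.form_off = a.get("autocomplete", "").lower() == "off"
        if tag == "input" and a.get("type", "").lower() == "password":
            if a.get("autocomplete", "").lower() != "off" and not self.form_off:
                self.findings.append("password-autocomplete:" + a.get("name", "?"))
        for attr in ("href", "action", "src"):
            if SESSION_IN_URL.search(a.get(attr, "")):
                self.findings.append("session-id-in-url:" + tag)

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_off = False

def audit(headers, body, reflected_value=None):
    """Return finding labels for one HTTP response (header names as given)."""
    parser = ResponseAudit()
    parser.feed(body)
    parser.close()
    findings = parser.findings
    if SESSION_IN_URL.search(headers.get("Location", "")):
        findings.append("session-id-in-url:Location")
    # A request value containing markup that comes back verbatim was not encoded.
    if reflected_value and re.search(r"[<>\"']", reflected_value) and reflected_value in body:
        findings.append("unencoded-reflection")
    return findings

# Constructed sample response (not captured from a real server).
SAMPLE_HEADERS = {"Location": "/app/home;jsessionid=ABC123DEF456"}
SAMPLE_BODY = """<html><body>
<p>Unsupported output type: <i>probe</i></p>
<form action="/app/login;jsessionid=ABC123DEF456" method="post">
<input type="text" name="j_username">
<input type="password" name="j_password">
</form></body></html>"""
```

Calling `audit(SAMPLE_HEADERS, SAMPLE_BODY, reflected_value="<i>probe</i>")` reports all three issues; a response with the value HTML-encoded, autocomplete disabled and no `;jsessionid=` in its URLs returns an empty list.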