CVE-2024-37360 (GCVE-0-2024-37360)

Vulnerability from cvelistv5 – Published: 2025-02-19 23:01 – Updated: 2025-02-20 17:22
VLAI?
Title
Hitachi Vantara Pentaho Business Analytics Server - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Hitachi Vantara Pentaho Business Analytics Server - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')   The software does not neutralize or incorrectly neutralize user-controllable input before it is placed in output that is used as a web page that is served to other users. (CWE-79)   Hitachi Vantara Pentaho Business Analytics Server prior to versions 10.2.0.0 and 9.3.0.9, including 8.3.x, allow a malicious URL to inject content into the Analyzer plugin interface.   Once the malicious script is injected, the attacker can perform a variety of malicious activities. The attacker could transfer private information, such as cookies that may include session information, from the victim's machine to the attacker. The attacker could send malicious requests to a web site on behalf of the victim, which could be especially dangerous to the site if the victim has administrator privileges to manage that site.
Severity ?
4.4 (Medium)
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
Vendor Product Version
Hitachi Vantara Pentaho Data Integration & Analytics Affected: 10.0 , < 10.2.0.0 (maven)
Create a notification for this product.
Credits
Hitachi Group Member
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-37360",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-20T17:21:56.788347Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-20T17:22:08.769Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Pentaho Data Integration \u0026 Analytics",
          "vendor": "Hitachi Vantara",
          "versions": [
            {
              "lessThan": "10.2.0.0",
              "status": "affected",
              "version": "10.0",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Pentaho Business Analytics Server",
          "vendor": "Hitachi Vantara",
          "versions": [
            {
              "lessThan": "9.3.0.9",
              "status": "affected",
              "version": "1.0",
              "versionType": "maven"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Hitachi Group Member"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003e\u003cp\u003eHitachi Vantara Pentaho Business Analytics Server - Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) \u003c/p\u003e\u003c/div\u003e\u003cdiv\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003c/div\u003e\u003cdiv\u003e\u003cp\u003e\u003cspan style=\"background-color: var(--wht);\"\u003eThe software does not neutralize or incorrectly neutralize user-controllable input before it is placed in output that is used as a web page that is served to other users. (CWE-79)\u003c/span\u003e\u003c/p\u003e\u003c/div\u003e\u003cdiv\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003c/div\u003e\u003cdiv\u003e\u003cp\u003e\u003cspan style=\"background-color: var(--wht);\"\u003eHitachi Vantara Pentaho Business Analytics Server prior to versions 10.2.0.0 and 9.3.0.9, including 8.3.x, allow a malicious URL to inject content into the Analyzer plugin interface.\u003c/span\u003e\u003c/p\u003e\u003c/div\u003e\u003cdiv\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003c/div\u003e\u003cdiv\u003e\u003cp\u003e\u003cbr\u003e\u003cspan style=\"background-color: var(--wht);\"\u003eOnce the malicious script is injected, the attacker can perform a variety of malicious activities. The attacker could transfer private information, such as cookies that may include session information, from the victim\u0027s machine to the attacker. The attacker could send malicious requests to a web site on behalf of the victim, which could be especially dangerous to the site if the victim has administrator privileges to manage that site.\u003c/span\u003e\u003c/p\u003e\u003c/div\u003e"
            }
          ],
          "value": "Hitachi Vantara Pentaho Business Analytics Server - Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) \n\n\n\n\u00a0\n\n\n\nThe software does not neutralize or incorrectly neutralize user-controllable input before it is placed in output that is used as a web page that is served to other users. (CWE-79)\n\n\n\n\u00a0\n\n\n\nHitachi Vantara Pentaho Business Analytics Server prior to versions 10.2.0.0 and 9.3.0.9, including 8.3.x, allow a malicious URL to inject content into the Analyzer plugin interface.\n\n\n\n\u00a0\n\n\n\n\nOnce the malicious script is injected, the attacker can perform a variety of malicious activities. The attacker could transfer private information, such as cookies that may include session information, from the victim\u0027s machine to the attacker. The attacker could send malicious requests to a web site on behalf of the victim, which could be especially dangerous to the site if the victim has administrator privileges to manage that site."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-591",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-591 Reflected XSS"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-19T23:01:41.632Z",
        "orgId": "dce6e192-ff49-4263-9134-f0beccb9bc13",
        "shortName": "HITVAN"
      },
      "references": [
        {
          "url": "https://support.pentaho.com/hc/en-us/articles/34298351866893--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Improper-Neutralization-of-Input-During-Web-Page-Generation-Cross-site-Scripting-CVE-2024-37360"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Hitachi Vantara Pentaho Business Analytics Server - Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "dce6e192-ff49-4263-9134-f0beccb9bc13",
    "assignerShortName": "HITVAN",
    "cveId": "CVE-2024-37360",
    "datePublished": "2025-02-19T23:01:41.632Z",
    "dateReserved": "2024-06-06T15:36:41.049Z",
    "dateUpdated": "2025-02-20T17:22:08.769Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-37360\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-20T17:21:56.788347Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-20T17:22:05.493Z\"}}], \"cna\": {\"title\": \"Hitachi Vantara Pentaho Business Analytics Server - Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Hitachi Group Member\"}], \"impacts\": [{\"capecId\": \"CAPEC-591\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-591 Reflected XSS\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"NONE\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Hitachi Vantara\", \"product\": \"Pentaho Data Integration \u0026 Analytics\", \"versions\": [{\"status\": \"affected\", \"version\": \"10.0\", \"lessThan\": \"10.2.0.0\", \"versionType\": \"maven\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Hitachi Vantara\", \"product\": \"Pentaho Business Analytics Server\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.0\", \"lessThan\": \"9.3.0.9\", \"versionType\": \"maven\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://support.pentaho.com/hc/en-us/articles/34298351866893--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Improper-Neutralization-of-Input-During-Web-Page-Generation-Cross-site-Scripting-CVE-2024-37360\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Hitachi Vantara Pentaho Business Analytics Server - Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) \\n\\n\\n\\n\\u00a0\\n\\n\\n\\nThe software does not neutralize or incorrectly neutralize user-controllable input before it is placed in output that is used as a web page that is served to other users. (CWE-79)\\n\\n\\n\\n\\u00a0\\n\\n\\n\\nHitachi Vantara Pentaho Business Analytics Server prior to versions 10.2.0.0 and 9.3.0.9, including 8.3.x, allow a malicious URL to inject content into the Analyzer plugin interface.\\n\\n\\n\\n\\u00a0\\n\\n\\n\\n\\nOnce the malicious script is injected, the attacker can perform a variety of malicious activities. The attacker could transfer private information, such as cookies that may include session information, from the victim\u0027s machine to the attacker. The attacker could send malicious requests to a web site on behalf of the victim, which could be especially dangerous to the site if the victim has administrator privileges to manage that site.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cdiv\u003e\u003cp\u003eHitachi Vantara Pentaho Business Analytics Server - Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) \u003c/p\u003e\u003c/div\u003e\u003cdiv\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003c/div\u003e\u003cdiv\u003e\u003cp\u003e\u003cspan style=\\\"background-color: var(--wht);\\\"\u003eThe software does not neutralize or incorrectly neutralize user-controllable input before it is placed in output that is used as a web page that is served to other users. (CWE-79)\u003c/span\u003e\u003c/p\u003e\u003c/div\u003e\u003cdiv\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003c/div\u003e\u003cdiv\u003e\u003cp\u003e\u003cspan style=\\\"background-color: var(--wht);\\\"\u003eHitachi Vantara Pentaho Business Analytics Server prior to versions 10.2.0.0 and 9.3.0.9, including 8.3.x, allow a malicious URL to inject content into the Analyzer plugin interface.\u003c/span\u003e\u003c/p\u003e\u003c/div\u003e\u003cdiv\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003c/div\u003e\u003cdiv\u003e\u003cp\u003e\u003cbr\u003e\u003cspan style=\\\"background-color: var(--wht);\\\"\u003eOnce the malicious script is injected, the attacker can perform a variety of malicious activities. The attacker could transfer private information, such as cookies that may include session information, from the victim\u0027s machine to the attacker. The attacker could send malicious requests to a web site on behalf of the victim, which could be especially dangerous to the site if the victim has administrator privileges to manage that site.\u003c/span\u003e\u003c/p\u003e\u003c/div\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"dce6e192-ff49-4263-9134-f0beccb9bc13\", \"shortName\": \"HITVAN\", \"dateUpdated\": \"2025-02-19T23:01:41.632Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-37360\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-02-20T17:22:08.769Z\", \"dateReserved\": \"2024-06-06T15:36:41.049Z\", \"assignerOrgId\": \"dce6e192-ff49-4263-9134-f0beccb9bc13\", \"datePublished\": \"2025-02-19T23:01:41.632Z\", \"assignerShortName\": \"HITVAN\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.