Hitachi Vantara Pentaho Business Analytics Server Cross-Site Scripting Vulnerability

A cross-site scripting vulnerability has been identified in Hitachi Vantara Pentaho Business Analytics Server versions prior to 10.2.0.0 and 9.3.0.9, including 8.3.x. The issue arises from improper neutralization of user-controllable input before it is output as a web page, allowing malicious URLs to inject content into the Analyzer plugin interface. This injection could enable attackers to execute various malicious activities, such as stealing private information like cookies containing session data or sending harmful requests to websites on behalf of the victim, particularly if the victim holds administrative privileges on the site.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where injected scripts can be executed in the context of the user, potentially leading to theft of session cookies or execution of actions on behalf of the user on other websites.