Search
Total
3 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-38702 | 1 Eng | 1 Knowage | 2023-08-09 | N/A | 8.8 HIGH |
| Knowage is an open source analytics and business intelligence suite. Starting in the 6.x.x branch and prior to version 8.1.8, the endpoint `/knowage/restful-services/dossier/importTemplateFile` allows authenticated users to upload `template file` on the server, but does not need any authorization to be reached. When the JSP file is uploaded, the attacker just needs to connect to `/knowageqbeengine/foo.jsp` to gain code execution on the server. By exploiting this vulnerability, an attacker with low privileges can upload a JSP file to the `knowageqbeengine` directory and gain code execution capability on the server. This issue has been patched in Knowage version 8.1.8. | |||||
| CVE-2021-30055 | 1 Eng | 1 Knowage | 2021-04-08 | 6.5 MEDIUM | 8.8 HIGH |
| A SQL injection vulnerability in Knowage Suite version 7.1 exists in the documentexecution/url analytics driver component via the 'par_year' parameter when running a report. | |||||
| CVE-2019-13348 | 1 Eng | 1 Knowage | 2020-08-24 | 4.0 MEDIUM | 8.8 HIGH |
| In Knowage through 6.1.1, an authenticated user who accesses the datasources page will gain access to any data source credentials in cleartext, which includes databases. | |||||