Hitachi Vantara Pentaho Business Analytics Server - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Description
Hitachi Vantara Pentaho Business Analytics Server versions prior to 9.4.0.1 and 9.3.0.2, including 8.3.x, allow a malicious URL to inject content into the Pentaho User Console through session variables.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Hitachi Vantara Pentaho BA Server before 9.4.0.1 and 9.3.0.2 allows reflected XSS via a malicious URL that injects content into session variables.
Vulnerability
The vulnerability is a cross-site scripting (XSS) flaw in Hitachi Vantara Pentaho Business Analytics Server. It stems from improper neutralization of user-controllable input before it is placed in output used as a web page served to other users (CWE-79) [1]. Specifically, a malicious URL can inject content into the Pentaho User Console through session variables. Affected versions include all versions prior to 9.4.0.1 and 9.3.0.2, including the 8.3.x series.
Exploitation
An attacker can craft a malicious URL containing the injected payload and trick a victim into clicking it via social engineering or by embedding the URL in other content [1]. No special privileges or network position are required; the attacker only needs to convince a user to visit the crafted link.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser [1]. This can lead to theft of sensitive information such as cookies (including session tokens), performing actions on behalf of the victim, and defacement. If the victim has administrative privileges, the attacker could gain control over the entire Pentaho instance.
Mitigation
Hitachi Vantara recommends upgrading to Pentaho version 9.4.0.1 or 9.3.0.2, which contain the fix for this vulnerability [1]. Users on unsupported versions should update to a supported release. No workaround is provided.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <9.4.0.1 & <9.3.0.2
- Range: 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.