CVE-2025-0757
Description
Overview
The software does not neutralize, or incorrectly neutralizes, user-controllable input before it is placed in output that is used as a web page served to other users. (CWE-79)
Description
Hitachi Vantara Pentaho Business Analytics Server prior to version 10.2.0.2, including the 9.3.x and 8.3.x releases, allows a malicious URL to inject content into the Analyzer plugin interface.
Impact
Once the malicious script is injected, the attacker can perform a variety of malicious activities. The attacker could transfer private information, such as cookies that may include session information, from the victim's machine to the attacker. The attacker could send malicious requests to a web site on behalf of the victim, which could be especially dangerous to the site if the victim has administrator privileges to manage that site.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.2 contain a stored XSS vulnerability in the Analyzer plugin interface, allowing attackers to execute malicious scripts.
Vulnerability
Overview
CVE-2025-0757 is a cross-site scripting (XSS) vulnerability in Hitachi Vantara Pentaho Business Analytics Server, affecting versions prior to 10.2.0.2, including all 9.3.x and 8.3.x releases. The software fails to properly neutralize user-controllable input in the Analyzer plugin interface, allowing a malicious URL to inject arbitrary web script or HTML (CWE-79) [1].
Exploitation
An attacker can craft a URL that, when accessed by a victim, injects malicious content into the Analyzer plugin interface. Exploitation does not require authentication beyond the victim's existing session, but the victim must click the crafted link or visit a compromised page hosting it [1].
Impact
Successful exploitation enables the attacker to steal sensitive information, such as session cookies, from the victim's browser. The attacker can also perform actions on behalf of the victim, including sending malicious requests to the server. If the victim has administrative privileges, this could lead to full compromise of the affected Pentaho instance [1].
Mitigation
The vendor recommends immediate removal of the Analyzer plugin from the software installation as a workaround, and upgrading to Pentaho Business Analytics Server version 10.2.0.2 or later where the vulnerability is fixed. Organizations should also review the Pentaho End-of-Life policy to ensure they are on a supported version [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <10.2.0.2 (including 9.3.x and 8.3.x)
Patches
No patches discovered yet.
References