VYPR

Pentaho Business Analytics

by Hitachi

CVEs (38)

  • CVE-2024-37361 | Critical | Feb 20, 2025
    risk 0.64, CVSS 9.9, EPSS 0.00

    The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid. (CWE-502)
    Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, deserialize untrusted JSON data without…

  • CVE-2024-5705 | High | Feb 19, 2025
    risk 0.57, CVSS 8.8, EPSS 0.00

    The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions. (CWE-863)
    Hitachi Vantara Pentaho Business…

  • CVE-2016-10701 | High | Nov 28, 2017
    risk 0.57, CVSS 8.8, EPSS 0.01

    In Hitachi Vantara Pentaho BA Platform through 8.0, a CSRF issue exists in the Business Analytics application.

  • CVE-2024-37359 | High | Feb 19, 2025
    risk 0.56, CVSS 8.6, EPSS 0.00

    The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. (CWE-918)
    Hitachi Vantara Pentaho Business Analytics…

  • CVE-2024-6697 | Medium | Feb 20, 2025
    risk 0.42, CVSS 6.5, EPSS 0.00

    The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state. (CWE-280) …

  • CVE-2024-37363 | Medium | Feb 20, 2025
    risk 0.42, CVSS 6.5, EPSS 0.00

    The product does not perform an authorization check when an actor attempts to access a resource or perform an action. (CWE-862)
    Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.8, including 8.3.x, do not correctly perform an…

  • CVE-2025-0758 | Medium | Apr 16, 2025
    risk 0.40, CVSS 6.1, EPSS 0.00

    The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. (CWE-732)
    Hitachi Vantara Pentaho Business Analytics Server prior to versions 10.2.0.2,…

  • CVE-2025-24911 | Medium | Apr 16, 2025
    risk 0.32, CVSS 4.9, EPSS 0.00

    XML documents optionally contain a Document Type Definition (DTD), which, among other features, enables the definition of XML entities. It is possible to define an entity by providing a substitution string in the form of a URI. Once the content of the URI is…

  • CVE-2025-24910 | Medium | Apr 16, 2025
    risk 0.32, CVSS 4.9, EPSS 0.00

    XML documents optionally contain a Document Type Definition (DTD), which, among other features, enables the definition of XML entities. It is possible to define an entity by providing a substitution string in the form of a URI. Once the content of the URI is…

  • CVE-2024-6696 | Medium | Feb 20, 2025
    risk 0.32, CVSS 4.9, EPSS 0.00

    The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control…

  • CVE-2025-24909 | Medium | Apr 16, 2025
    risk 0.29, CVSS 4.4, EPSS 0.00

    The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. (CWE-79)
    Hitachi Vantara Pentaho Business Analytics…

  • CVE-2025-0757 | Medium | Apr 16, 2025
    risk 0.29, CVSS 4.4, EPSS 0.00

    The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. (CWE-79)
    Hitachi Vantara Pentaho Business Analytics Server…

  • CVE-2024-37360 | Medium | Feb 19, 2025
    risk 0.29, CVSS 4.4, EPSS 0.00

    Hitachi Vantara Pentaho Business Analytics Server - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a…

  • CVE-2022-43769 | KEV | Apr 3, 2023
    risk 0.23, CVSS n/a, EPSS 0.98

    Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x, allows certain web services to set property values which contain Spring templates that are interpreted downstream.

  • CVE-2022-43939 | KEV | Apr 3, 2023
    risk 0.22, CVSS n/a, EPSS 0.92

    Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x, contain security restrictions using non-canonical URLs which can be circumvented.

  • CVE-2021-34684 | Nov 8, 2021
    risk 0.02, CVSS n/a, EPSS 0.06

    Hitachi Vantara Pentaho Business Analytics through 9.1 allows an unauthenticated user to execute arbitrary SQL queries on any Pentaho data source and thus retrieve data from the related databases, as demonstrated by an api/repos/dashboards/editor URI.

  • CVE-2024-28984 | Jun 26, 2024
    risk 0.00, CVSS n/a, EPSS 0.00

    Hitachi Vantara Pentaho Business Analytics Server prior to versions 10.1.0.0 and 9.3.0.7, including 8.3.x, allows a malicious URL to inject content into the Analyzer plugin interface.

  • CVE-2024-28983 | Jun 26, 2024
    risk 0.00, CVSS n/a, EPSS 0.00

    Hitachi Vantara Pentaho Business Analytics Server prior to versions 10.1.0.0 and 9.3.0.7, including 8.3.x, allows a malicious URL to inject content into the Analyzer plugin interface.

  • CVE-2024-28982 | Jun 26, 2024
    risk 0.00, CVSS n/a, EPSS 0.00

    Hitachi Vantara Pentaho Business Analytics Server versions before 10.1.0.0 and 9.3.0.7, including 8.3.x, do not correctly protect the ACL service endpoint of the Pentaho User Console against XML External Entity Reference.

  • CVE-2023-2358 | Sep 26, 2023
    risk 0.00, CVSS n/a, EPSS 0.00

    Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.5.0.0 and 9.3.0.4, including 8.3.x.x, saves passwords of the Hadoop Copy Files step in plaintext.

Page 1 of 2