Pentaho

All CVEs

22 total · sorted by risk
  • CVE-2022-43773 · High · Apr 3, 2023
    risk 0.59 · cvss 8.8 · epss 0.22

    Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x is installed with a sample HSQLDB data source configured with stored procedures enabled. 

  • CVE-2025-9121 · High · Dec 15, 2025
    risk 0.57 · cvss 8.8 · epss 0.00

    Pentaho Data Integration and Analytics Community Dashboard Editor plugin versions before 10.2.0.4, including 9.3.0.x and 8.3.x, deserialize untrusted JSON data without constraining the parser to approved classes and methods.

  • CVE-2024-5705 · High · Feb 19, 2025
    risk 0.57 · cvss 8.8 · epss 0.00

    The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions. (CWE-863) Hitachi Vantara Pentaho Business…

  • CVE-2022-43940 · High · Apr 3, 2023
    risk 0.57 · cvss 8.8 · epss 0.01

    Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x do not correctly perform an authorization check in the data source management service. 

  • CVE-2024-37359 · High · Feb 19, 2025
    risk 0.56 · cvss 8.6 · epss 0.00

    The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. (CWE-918) Hitachi Vantara Pentaho Business Analytics…

  • CVE-2022-4815 · High · May 24, 2023
    risk 0.52 · cvss 8.0 · epss 0.01

    Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.3, including 8.3.x deserialize untrusted JSON data without constraining the parser to approved classes and methods. 

  • CVE-2021-45447 · High · Nov 2, 2022
    risk 0.50 · cvss 7.7 · epss 0.00

    Hitachi Vantara Pentaho Business Analytics Server versions before 9.3.0.0, 9.2.0.2 and 8.3.0.25 with the Data Lineage feature enabled transmits database passwords in clear text. The transmission of sensitive data in clear text allows unauthorized actors with access to the…

  • CVE-2021-45448 · High · Nov 2, 2022
    risk 0.46 · cvss 7.1 · epss 0.01

    Pentaho Business Analytics Server versions before 9.2.0.2 and 8.3.0.25 using the Pentaho Analyzer plugin exposes a service endpoint for templates which allows a user-supplied path to access resources that are out of bounds. The software uses external input to construct a…

  • CVE-2022-3695 · Medium · Apr 11, 2023
    risk 0.42 · cvss 6.5 · epss 0.00

    Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.3.0.0, 9.2.0.4 and 8.3.0.27 allows a malicious URL to inject content into a dashboard when the CDE plugin is present.

  • CVE-2026-2254 · Medium · May 27, 2026
    risk 0.41 · cvss 6.3 · epss 0.00

    Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6 and 11.0.0.0, including 9.3.x and 8.3.x, do not apply ACLs on certain API endpoints related to platform mail notifications.

  • CVE-2022-3960 · Medium · Apr 3, 2023
    risk 0.41 · cvss 6.3 · epss 0.00

    Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x cannot allow a system administrator to disable scripting capabilities of the Community Dashboard Editor (CDE) plugin. 

  • CVE-2024-45754 · High · Oct 11, 2024
    risk 0.40 · cvss 7.2 · epss 0.00

    An issue was discovered in the centreon-bi-server component in Centreon BI Server 24.04.x before 24.04.3, 23.10.x before 23.10.8, 23.04.x before 23.04.11, and 22.10.x before 22.10.11. SQL injection can occur in the listing of configured reporting jobs. Exploitation is only…

  • CVE-2021-45446 · Medium · Nov 2, 2022
    risk 0.33 · cvss 5.0 · epss 0.00

    A vulnerability in Hitachi Vantara Pentaho Business Analytics Server versions before 9.2.0.2 and 8.3.0.25 does not cascade the hidden property to the children of the Home folder. This directory listing provides an attacker with the complete index of all the resources…

  • CVE-2024-37360 · Medium · Feb 19, 2025
    risk 0.29 · cvss 4.4 · epss 0.00

    Hitachi Vantara Pentaho Business Analytics Server - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a…

  • CVE-2023-1158 · Medium · May 24, 2023
    risk 0.28 · cvss 4.3 · epss 0.00

    Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.3, including 8.3.x expose dashboard prompts to users who are not part of the authorization list. 

  • CVE-2022-4769 · Medium · Apr 3, 2023
    risk 0.28 · cvss 4.3 · epss 0.00

    Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.0 and 9.3.0.2, including 8.3.x display the target path on host when a file is uploaded with an invalid character in its name. 

  • CVE-2022-43772 · Low · Apr 3, 2023
    risk 0.25 · cvss 3.8 · epss 0.00

    Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.0 and 9.3.0.1, including 8.3.x with the Big Data Plugin expose the username and password of clusters in clear text into system logs. 

  • CVE-2006-5675 · Nov 3, 2006
    risk 0.03 · cvss (not listed) · epss 0.01

    Multiple unspecified vulnerabilities in Pentaho Business Intelligence (BI) Suite before 1.2 RC3 (1.2.0.470-RC3) have unknown impact and attack vectors, related to "MySQL Scripts need changes for security," possibly SQL injection vulnerabilities associated with these scripts.

  • CVE-2015-6940 · Sep 22, 2015
    risk 0.00 · cvss (not listed) · epss 0.02

    The GetResource servlet in Pentaho Business Analytics (BA) Suite 4.5.x, 4.8.x, and 5.0.x through 5.2.x and Pentaho Data Integration (PDI) Suite 4.3.x, 4.4.x, and 5.0.x through 5.2.x does not restrict access to files in the pentaho-solutions/system folder, which allows remote…

  • CVE-2009-5101 · Sep 13, 2011
    risk 0.00 · cvss (not listed) · epss 0.01

    Pentaho BI Server 1.7.0.1062 and earlier includes the session ID (JSESSIONID) in the URL, which allows attackers to obtain it from session history, referer headers, or sniffing of web traffic.

  • CVE-2009-5100 · Sep 13, 2011
    risk 0.00 · cvss (not listed) · epss 0.00

    Pentaho BI Server 1.7.0.1062 and earlier does not set the autocomplete tag to off on web pages using a password field, which might allow physically proximate attackers to obtain the password.

  • CVE-2009-5099 · Sep 13, 2011
    risk 0.00 · cvss (not listed) · epss 0.01

    Cross-site scripting (XSS) vulnerability in ViewAction in Pentaho BI Server 1.7.0.1062 and earlier allows remote attackers to inject arbitrary web script or HTML via the outputType parameter.