Vulnerability Details CVE-2022-39295
Knowage is an open source suite for modern business analytics alternative over big data systems. KnowageLabs / Knowage-Server starting with the 6.x branch and prior to versions 7.4.22, 8.0.9, and 8.1.0 is vulnerable to cross-site scripting because the `XSSRequestWrapper::stripXSS` method can be bypassed. Versions 7.4.22, 8.0.9, and 8.1.0 contain patches for this issue. There are no known workarounds.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.005
EPSS Ranking 40.6%
CVSS Severity
CVSS v3 Score 6.1
References
- https://github.com/KnowageLabs/Knowage-Server/blob/b079a654c1708f82f6914c55be6715ad621d9edd/knowageutils/src/main/java/it/eng/spagobi/utilities/filters/XSSRequestWrapper.java#L82-L206
- https://github.com/KnowageLabs/Knowage-Server/security/advisories/GHSA-f2gr-6h9j-rwcw
- https://github.com/KnowageLabs/Knowage-Server/blob/b079a654c1708f82f6914c55be6715ad621d9edd/knowageutils/src/main/java/it/eng/spagobi/utilities/filters/XSSRequestWrapper.java#L82-L206
- https://github.com/KnowageLabs/Knowage-Server/security/advisories/GHSA-f2gr-6h9j-rwcw
Products affected by CVE-2022-39295
-
cpe:2.3:a:eng:knowage:6.1.0
-
cpe:2.3:a:eng:knowage:6.1.1
-
cpe:2.3:a:eng:knowage:6.1.2
-
cpe:2.3:a:eng:knowage:6.1.3
-
cpe:2.3:a:eng:knowage:6.1.4
-
cpe:2.3:a:eng:knowage:6.1.5
-
cpe:2.3:a:eng:knowage:6.1.6
-
cpe:2.3:a:eng:knowage:6.2.0
-
cpe:2.3:a:eng:knowage:6.2.1
-
cpe:2.3:a:eng:knowage:6.2.2
-
cpe:2.3:a:eng:knowage:6.2.3
-
cpe:2.3:a:eng:knowage:6.2.4
-
cpe:2.3:a:eng:knowage:6.3.0
-
cpe:2.3:a:eng:knowage:6.3.1
-
cpe:2.3:a:eng:knowage:6.3.2
-
cpe:2.3:a:eng:knowage:6.3.3
-
cpe:2.3:a:eng:knowage:6.4
-
cpe:2.3:a:eng:knowage:6.4.0
-
cpe:2.3:a:eng:knowage:6.4.1
-
cpe:2.3:a:eng:knowage:6.4.2
-
cpe:2.3:a:eng:knowage:6.4.3
-
cpe:2.3:a:eng:knowage:7.0.0
-
cpe:2.3:a:eng:knowage:7.3.0
-
cpe:2.3:a:eng:knowage:7.4
-
cpe:2.3:a:eng:knowage:7.4.1
-
cpe:2.3:a:eng:knowage:7.4.10
-
cpe:2.3:a:eng:knowage:7.4.11
-
cpe:2.3:a:eng:knowage:7.4.12
-
cpe:2.3:a:eng:knowage:7.4.13
-
cpe:2.3:a:eng:knowage:7.4.14
-
cpe:2.3:a:eng:knowage:7.4.15
-
cpe:2.3:a:eng:knowage:7.4.16
-
cpe:2.3:a:eng:knowage:7.4.17
-
cpe:2.3:a:eng:knowage:7.4.18
-
cpe:2.3:a:eng:knowage:7.4.19
-
cpe:2.3:a:eng:knowage:7.4.2
-
cpe:2.3:a:eng:knowage:7.4.20
-
cpe:2.3:a:eng:knowage:7.4.21
-
cpe:2.3:a:eng:knowage:7.4.3
-
cpe:2.3:a:eng:knowage:7.4.4
-
cpe:2.3:a:eng:knowage:7.4.5
-
cpe:2.3:a:eng:knowage:7.4.6
-
cpe:2.3:a:eng:knowage:7.4.7
-
cpe:2.3:a:eng:knowage:7.4.8
-
cpe:2.3:a:eng:knowage:7.4.9
-
cpe:2.3:a:eng:knowage:8.0.0
-
cpe:2.3:a:eng:knowage:8.0.1
-
cpe:2.3:a:eng:knowage:8.0.2
-
cpe:2.3:a:eng:knowage:8.0.3
-
cpe:2.3:a:eng:knowage:8.0.4
-
cpe:2.3:a:eng:knowage:8.0.5
-
cpe:2.3:a:eng:knowage:8.0.6
-
cpe:2.3:a:eng:knowage:8.0.7
-
cpe:2.3:a:eng:knowage:8.0.8