Vulnerability Details CVE-2022-39295
Knowage is an open source suite for modern business analytics alternative over big data systems. KnowageLabs / Knowage-Server starting with the 6.x branch and prior to versions 7.4.22, 8.0.9, and 8.1.0 is vulnerable to cross-site scripting because the `XSSRequestWrapper::stripXSS` method can be bypassed. Versions 7.4.22, 8.0.9, and 8.1.0 contain patches for this issue. There are no known workarounds.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 42.2%
CVSS Severity
CVSS v3 Score 6.1
References
- https://github.com/KnowageLabs/Knowage-Server/blob/b079a654c1708f82f6914c55be6715ad621d9edd/knowageutils/src/main/java/it/eng/spagobi/utilities/filters/XSSRequestWrapper.java#L82-L206
- https://github.com/KnowageLabs/Knowage-Server/security/advisories/GHSA-f2gr-6h9j-rwcw
- https://github.com/KnowageLabs/Knowage-Server/blob/b079a654c1708f82f6914c55be6715ad621d9edd/knowageutils/src/main/java/it/eng/spagobi/utilities/filters/XSSRequestWrapper.java#L82-L206
- https://github.com/KnowageLabs/Knowage-Server/security/advisories/GHSA-f2gr-6h9j-rwcw
Products affected by CVE-2022-39295
-
cpe:2.3:a:eng:knowage:6.1.0
-
cpe:2.3:a:eng:knowage:6.1.1
-
cpe:2.3:a:eng:knowage:6.1.2
-
cpe:2.3:a:eng:knowage:6.1.3
-
cpe:2.3:a:eng:knowage:6.1.4
-
cpe:2.3:a:eng:knowage:6.1.5
-
cpe:2.3:a:eng:knowage:6.1.6
-
cpe:2.3:a:eng:knowage:6.2.0
-
cpe:2.3:a:eng:knowage:6.2.1
-
cpe:2.3:a:eng:knowage:6.2.2
-
cpe:2.3:a:eng:knowage:6.2.3
-
cpe:2.3:a:eng:knowage:6.2.4
-
cpe:2.3:a:eng:knowage:6.3.0
-
cpe:2.3:a:eng:knowage:6.3.1
-
cpe:2.3:a:eng:knowage:6.3.2
-
cpe:2.3:a:eng:knowage:6.3.3
-
cpe:2.3:a:eng:knowage:6.4
-
cpe:2.3:a:eng:knowage:6.4.0
-
cpe:2.3:a:eng:knowage:6.4.1
-
cpe:2.3:a:eng:knowage:6.4.2
-
cpe:2.3:a:eng:knowage:6.4.3
-
cpe:2.3:a:eng:knowage:7.0.0
-
cpe:2.3:a:eng:knowage:7.3.0
-
cpe:2.3:a:eng:knowage:7.4
-
cpe:2.3:a:eng:knowage:7.4.1
-
cpe:2.3:a:eng:knowage:7.4.10
-
cpe:2.3:a:eng:knowage:7.4.11
-
cpe:2.3:a:eng:knowage:7.4.12
-
cpe:2.3:a:eng:knowage:7.4.13
-
cpe:2.3:a:eng:knowage:7.4.14
-
cpe:2.3:a:eng:knowage:7.4.15
-
cpe:2.3:a:eng:knowage:7.4.16
-
cpe:2.3:a:eng:knowage:7.4.17
-
cpe:2.3:a:eng:knowage:7.4.18
-
cpe:2.3:a:eng:knowage:7.4.19
-
cpe:2.3:a:eng:knowage:7.4.2
-
cpe:2.3:a:eng:knowage:7.4.20
-
cpe:2.3:a:eng:knowage:7.4.21
-
cpe:2.3:a:eng:knowage:7.4.3
-
cpe:2.3:a:eng:knowage:7.4.4
-
cpe:2.3:a:eng:knowage:7.4.5
-
cpe:2.3:a:eng:knowage:7.4.6
-
cpe:2.3:a:eng:knowage:7.4.7
-
cpe:2.3:a:eng:knowage:7.4.8
-
cpe:2.3:a:eng:knowage:7.4.9
-
cpe:2.3:a:eng:knowage:8.0.0
-
cpe:2.3:a:eng:knowage:8.0.1
-
cpe:2.3:a:eng:knowage:8.0.2
-
cpe:2.3:a:eng:knowage:8.0.3
-
cpe:2.3:a:eng:knowage:8.0.4
-
cpe:2.3:a:eng:knowage:8.0.5
-
cpe:2.3:a:eng:knowage:8.0.6
-
cpe:2.3:a:eng:knowage:8.0.7
-
cpe:2.3:a:eng:knowage:8.0.8