Eng: Knowage 6.2.2 Security Vulnerabilities
Knowage Suite before 7.4 is vulnerable to cross-site scripting (XSS). An attacker can inject arbitrary external script in '/knowagecockpitengine/api/1.0/pages/execute' via the 'SBI_HOST' parameter.
CVSS Score: 6.1 | EPSS Score: 0.003 | Published: 2021-04-05
In Knowage through 6.1.1, an unauthenticated user can bypass access controls and access the entire application.
CVSS Score: 9.8 | EPSS Score: 0.037 | Published: 2019-09-05
In Knowage through 6.1.1, there is XSS via the start_url or user_id field to the ChangePwdServlet page.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2019-08-28
In Knowage through 6.1.1, an authenticated user who accesses the datasources page will gain access to any data source credentials in cleartext, which includes databases.
CVSS Score: 8.8 | EPSS Score: 0.012 | Published: 2019-08-28

