Eng

eng

29 CVEs • 2 products

Products (2)

Click to collapse

Toggle

CVEs (29)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2013-6234 1Eng 1Spagobi Nov 21, 2024 Nov 22, 2019 N/A· v4 8.0 HIGH· v3 6.0 MEDIUM· v2 Unrestricted file upload vulnerability in the Worksheet designer in SpagoBI before 4.1 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a...Show more Unrestricted file upload vulnerability in the Worksheet designer in SpagoBI before 4.1 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an unspecified directory, aka "XSS File Upload."Show less
CVE-2019-13188 1Eng 1Knowage Nov 21, 2024 Sep 5, 2019 N/A· v4 9.8 CRITICAL· v3 5.0 MEDIUM· v2 In Knowage through 6.1.1, an unauthenticated user can bypass access controls and access the entire application.
CVE-2019-13190 1Eng 1Knowage Nov 21, 2024 Sep 5, 2019 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 In Knowage through 6.1.1, the sign up page does not invalidate a valid CAPTCHA token. This allows for CAPTCHA bypass in the signup page.
CVE-2019-13348 1Eng 1Knowage Nov 21, 2024 Aug 28, 2019 N/A· v4 8.8 HIGH· v3 4.0 MEDIUM· v2 In Knowage through 6.1.1, an authenticated user who accesses the datasources page will gain access to any data source credentials in cleartext, which includes databases.
CVE-2019-13189 1Eng 1Knowage Nov 21, 2024 Aug 28, 2019 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 In Knowage through 6.1.1, there is XSS via the start_url or user_id field to the ChangePwdServlet page.
CVE-2018-12355 1Eng 1Knowage Nov 21, 2024 Jun 13, 2018 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 Knowage (formerly SpagoBI) 6.1.1 allows XSS via the name or description field to the "Olap Schemas' Catalogue" catalogue.
CVE-2014-7296 1Eng 1Spagobi May 6, 2026 Oct 8, 2014 N/A· v4 N/A· v3 6.8 MEDIUM· v2 The default configuration in the accessibility engine in SpagoBI 5.0.0 does not set FEATURE_SECURE_PROCESSING, which allows remote authenticated users to execute arbitrary Java code via a crafted XSL document.
CVE-2013-6233 1Eng 1Spagobi May 6, 2026 Mar 9, 2014 N/A· v4 N/A· v3 4.3 MEDIUM· v2 Cross-site scripting (XSS) vulnerability in SpagoBI before 4.1 allows remote authenticated users to inject arbitrary web script or HTML via the Description field in the "Short document metadata."
CVE-2013-6232 1Eng 1Spagobi May 6, 2026 Mar 9, 2014 N/A· v4 N/A· v3 3.5 LOW· v2 Cross-site scripting (XSS) vulnerability in SpagoBI before 4.1 allows remote authenticated users to inject arbitrary web script or HTML via a document note in the execution page.