CVE-2024-37360
Attacker Value: Unknown
Disclosure Date: February 19, 2025 (last updated February 27, 2025)

Hitachi Vantara Pentaho Business Analytics Server - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). The software does not neutralize, or incorrectly neutralizes, user-controllable input before it is placed in output that is used as a web page served to other users. (CWE-79)

Hitachi Vantara Pentaho Business Analytics Server prior to versions 10.2.0.0 and 9.3.0.9, including 8.3.x, allows a malicious URL to inject content into the Analyzer plugin interface.

Once the malicious script is injected, the attacker can perform a variety of malicious activities. The attacker could transfer private information, such as cookies that may include session information, from the victim's machine to the attacker. The attacker could also send malicious requests to a web site on behalf of the victim, which is especially dangerous to the site if the victim has administrator privileges to manage it.

CVE-2024-37359
Attacker Value: Unknown
Disclosure Date: February 19, 2025 (last updated February 27, 2025)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. (CWE-918)

Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, do not validate the Host header of incoming HTTP/HTTPS requests.

By providing URLs to unexpected hosts or ports, attackers can make it appear that the server is sending the request, possibly bypassing access controls such as firewalls that prevent the attackers from accessing the URLs directly. The server can be used as a proxy to conduct port scanning of hosts in internal networks, to use URLs that access documents on the system (using file://), or to use other protocols such as gopher:// or tftp://, which may provide greater control over the contents of requests.

CVE-2025-24615
Attacker Value: Unknown
Disclosure Date: February 14, 2025 (last updated February 27, 2025)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fatcatapps Analytics Cat allows Reflected XSS. This issue affects Analytics Cat: from n/a through 1.1.2.

CVE-2025-25145
Attacker Value: Unknown
Disclosure Date: February 07, 2025 (last updated February 27, 2025)

Cross-Site Request Forgery (CSRF) vulnerability in jordan.hatch Infusionsoft Analytics allows Cross Site Request Forgery. This issue affects Infusionsoft Analytics: from n/a through 2.0.

CVE-2024-49352
Attacker Value: Unknown
Disclosure Date: February 05, 2025 (last updated February 27, 2025)

IBM Cognos Analytics 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.2.4, 12.0.0, 12.0.1, 12.0.2, 12.0.3, and 12.0.4 are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.

CVE-2024-49834
Attacker Value: Unknown
Disclosure Date: February 03, 2025 (last updated February 27, 2025)

Memory corruption during the power-up or power-down sequence of the camera sensor.

CVE-2024-38420
Attacker Value: Unknown
Disclosure Date: February 03, 2025 (last updated February 27, 2025)

Memory corruption while configuring a hypervisor-based input virtual device.

CVE-2025-23591
Attacker Value: Unknown
Disclosure Date: February 03, 2025 (last updated February 27, 2025)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Blu Logistics Pte. Ltd. blu Logistics allows Reflected XSS. This issue affects blu Logistics: from n/a through 1.0.0.

CVE-2024-13221
Attacker Value: Unknown
Disclosure Date: January 31, 2025 (last updated March 15, 2025)

The Fantastic ElasticSearch WordPress plugin through 4.1.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

CVE-2023-38009
Attacker Value: Unknown
Disclosure Date: January 26, 2025 (last updated February 27, 2025)

IBM Cognos Mobile Client 1.1 for iOS may be vulnerable to information disclosure through man-in-the-middle techniques due to the lack of certificate pinning.