漏洞标题
不安全的默认设置在 KNIME Server 和 KNIME Business Hub 中允许跨站点脚本攻击
漏洞描述信息
不安全的默认设置可能导致对KNIME Server和KNIME Business Hub的跨站脚本攻击
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
漏洞类别
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
漏洞标题
Unsafe default allows for cross-site scripting attacks in KNIME Server and KNIME Business Hub
漏洞描述信息
An unsafe default configuration in KNIME Analytics Platform before 5.2.0 allows for a cross-site scripting attack. When KNIME Analytics Platform is used as an executor for either KNIME Server or KNIME Business Hub several JavaScript-based view nodes do not sanitize the data that is displayed by default. If the data to be displayed contains JavaScript this code is executed in the browser and can perform any operations that the current user is allowed to perform silently.
KNIME Analytics Platform already has configuration options with which sanitization of data can be actived, see https://docs.knime.com/latest/webportal_admin_guide/index.html#html-sanitization-webportal https://docs.knime.com/latest/webportal_admin_guide/index.html#html-sanitization-webportal . However, these are off by default which allows for cross-site scripting attacks.
KNIME Analytics Platform 5.2.0 will enable sanitization by default. For all previous releases we recommend users to add the corresponding settings to the executor's knime.ini.
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
漏洞类别
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
漏洞标题
Knime Analytics Platform 跨站脚本漏洞
漏洞描述信息
Knime Analytics Platform是瑞士Knime公司的一个免费的开源数据分析、报告和集成平台。 KNIME Analytics Platform 5.2.0 之前版本存在跨站脚本漏洞,该漏洞源于不安全的默认设置允许 KNIME Server 和 KNIME Business Hub 中的跨站脚本攻击。
CVSS信息
N/A
漏洞类别
跨站脚本