The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before inserting the input into an executable resource, such as a library, configuration file, or template. (CWE-96)
Hitachi Vantara Pentaho Business Analytics Server versions before 220.127.116.11 and 18.104.22.168, including 8.3.x impacted.
Hitachi Vantara Pentaho Business Analytics Server prior to versions 22.214.171.124 and 126.96.36.199, including 8.3.x cannot allow a system administrator to disable scripting capabilities of the Community Dashboard Editor (CDE) plugin.
Using such scripts, an authenticated user with sufficient publishing privileges can embed scripts and run arbitrary code on the clients. By default, there is no option to prevent the execution of the included scripts.
The defect can be mitigated now by removing the CDE plugin.
We recommend you upgrade to Hitachi Vantara Pentaho Business Analytics Server version 9.3 (Long Term Support Release) with 188.8.131.52 or newer applied, or the latest 9.4 release with 184.108.40.206 or newer.
Please review the Pentaho End-of-Life policy to ensure you are up to date.
This issue is logged under JIRA PPP-4798