cvelistv5 - CVE-2023-5562

CVE-2023-5562 (GCVE-0-2023-5562)

Vulnerability from cvelistv5 – Published: 2023-10-12 19:00 – Updated: 2024-09-18 15:02

Summary

An unsafe default configuration in KNIME Analytics Platform before 5.2.0 allows for a cross-site scripting attack. When KNIME Analytics Platform is used as an executor for either KNIME Server or KNIME Business Hub several JavaScript-based view nodes do not sanitize the data that is displayed by default. If the data to be displayed contains JavaScript this code is executed in the browser and can perform any operations that the current user is allowed to perform silently. KNIME Analytics Platform already has configuration options with which sanitization of data can be actived, see https://docs.knime.com/latest/webportal_admin_guide/index.html#html-sanitization-webportal https://docs.knime.com/latest/webportal_admin_guide/index.html#html-sanitization-webportal . However, these are off by default which allows for cross-site scripting attacks. KNIME Analytics Platform 5.2.0 will enable sanitization by default. For all previous releases we recommend users to add the corresponding settings to the executor's knime.ini.

Severity ?

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

KNIME

References

URL

Tags

https://www.knime.com/security/advisories#CVE-2023-5562

Impacted products

	Vendor	Product	Version
	KNIME	KNIME Analytics Platform	Affected: 0 , < 5.2.0 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T07:59:44.813Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.knime.com/security/advisories#CVE-2023-5562"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-5562",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-18T15:01:52.714683Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-18T15:02:03.398Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "modules": [
            "JavaScript views"
          ],
          "product": "KNIME Analytics Platform",
          "vendor": "KNIME",
          "versions": [
            {
              "lessThan": "5.2.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "datePublic": "2023-10-12T19:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003eAn unsafe default configuration in KNIME Analytics Platform before 5.2.0 allows for a cross-site scripting attack. When KNIME Analytics Platform is used as an executor for either KNIME Server or KNIME Business Hub several JavaScript-based view nodes do not sanitize the data that is displayed by default. If the data to be displayed contains JavaScript this code is executed in the browser and can perform any operations that the current user is allowed to perform silently.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eKNIME Analytics Platform already has configuration options with which sanitization of data can be actived, see \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.knime.com/latest/webportal_admin_guide/index.html#html-sanitization-webportal\"\u003ehttps://docs.knime.com/latest/webportal_admin_guide/index.html#html-sanitization-webportal\u003c/a\u003e. However, these are off by default which allows for cross-site scripting attacks.\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eKNIME Analytics Platform 5.2.0 will enable sanitization by default. For all previous releases we recommend users to add the corresponding settings to the executor\u0027s knime.ini.\u003cbr\u003e\u003c/div\u003e"
            }
          ],
          "value": "An unsafe default configuration in KNIME Analytics Platform before 5.2.0 allows for a cross-site scripting attack. When KNIME Analytics Platform is used as an executor for either KNIME Server or KNIME Business Hub several JavaScript-based view nodes do not sanitize the data that is displayed by default. If the data to be displayed contains JavaScript this code is executed in the browser and can perform any operations that the current user is allowed to perform silently.\n\n\n\n\nKNIME Analytics Platform already has configuration options with which sanitization of data can be actived, see  https://docs.knime.com/latest/webportal_admin_guide/index.html#html-sanitization-webportal https://docs.knime.com/latest/webportal_admin_guide/index.html#html-sanitization-webportal . However, these are off by default which allows for cross-site scripting attacks.\n\n\nKNIME Analytics Platform 5.2.0 will enable sanitization by default. For all previous releases we recommend users to add the corresponding settings to the executor\u0027s knime.ini.\n\n\n"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-63",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-63 Cross-Site Scripting (XSS)"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-10-12T19:00:54.732Z",
        "orgId": "296541fb-a0e3-4ca7-ab3d-683e666d143e",
        "shortName": "KNIME"
      },
      "references": [
        {
          "url": "https://www.knime.com/security/advisories#CVE-2023-5562"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Unsafe default allows for cross-site scripting attacks in KNIME Server and KNIME Business Hub",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Sanitization can be enabled for all affected JavaScript-based views by adding \u003ccode\u003e-Djs.core.sanitize.clientHTML=true\u003c/code\u003e to the executor\u0027s knime.ini. See \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.knime.com/latest/webportal_admin_guide/index.html#html-sanitization-webportal\"\u003ehttps://docs.knime.com/latest/webportal_admin_guide/index.html#html-sanitization-webportal\u003c/a\u003e for more details.\u003cbr\u003e"
            }
          ],
          "value": "Sanitization can be enabled for all affected JavaScript-based views by adding -Djs.core.sanitize.clientHTML=true to the executor\u0027s knime.ini. See  https://docs.knime.com/latest/webportal_admin_guide/index.html#html-sanitization-webportal https://docs.knime.com/latest/webportal_admin_guide/index.html#html-sanitization-webportal  for more details.\n"
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "296541fb-a0e3-4ca7-ab3d-683e666d143e",
    "assignerShortName": "KNIME",
    "cveId": "CVE-2023-5562",
    "datePublished": "2023-10-12T19:00:54.732Z",
    "dateReserved": "2023-10-12T18:31:19.504Z",
    "dateUpdated": "2024-09-18T15:02:03.398Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:knime:knime_analytics_platform:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"5.2.0\", \"matchCriteriaId\": \"3D912A75-E051-445D-B503-5BB95AB0A802\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"An unsafe default configuration in KNIME Analytics Platform before 5.2.0 allows for a cross-site scripting attack. When KNIME Analytics Platform is used as an executor for either KNIME Server or KNIME Business Hub several JavaScript-based view nodes do not sanitize the data that is displayed by default. If the data to be displayed contains JavaScript this code is executed in the browser and can perform any operations that the current user is allowed to perform silently.\\n\\n\\n\\n\\nKNIME Analytics Platform already has configuration options with which sanitization of data can be actived, see  https://docs.knime.com/latest/webportal_admin_guide/index.html#html-sanitization-webportal https://docs.knime.com/latest/webportal_admin_guide/index.html#html-sanitization-webportal . However, these are off by default which allows for cross-site scripting attacks.\\n\\n\\nKNIME Analytics Platform 5.2.0 will enable sanitization by default. For all previous releases we recommend users to add the corresponding settings to the executor\u0027s knime.ini.\\n\\n\\n\"}, {\"lang\": \"es\", \"value\": \"Una configuraci\\u00f3n predeterminada insegura en KNIME Analytics Platform anterior a 5.2.0 permite un ataque de Cross-Site Scripting (XSS). Cuando se utiliza KNIME Analytics Platform como ejecutor de KNIME Server o KNIME Business Hub, varios nodos de vista basados en JavaScript no sanitizan los datos que se muestran de forma predeterminada. Si los datos a mostrar contienen JavaScript, este c\\u00f3digo se ejecuta en el navegador y puede realizar cualquier operaci\\u00f3n que el usuario actual pueda realizar de forma silenciosa. KNIME Analytics Platform ya cuenta con opciones de configuraci\\u00f3n con las que se puede activar la sanitizaci\\u00f3n de datos, consulte https://docs.knime.com/latest/webportal_admin_guide/index.html#html-sanitization-webportal, https://docs.knime.com/ \\u00faltimo/webportal_admin_guide/index.html#html-sanitizaci\\u00f3n-webportal. Sin embargo, est\\u00e1n desactivados de forma predeterminada, lo que permite ataques de Cross-Site Scripting (XSS). KNIME Analytics Platform 5.2.0 habilitar\\u00e1 la sanitizaci\\u00f3n de forma predeterminada. Para todas las versiones anteriores, recomendamos a los usuarios agregar las configuraciones correspondientes al knime.ini del ejecutor.\"}]",
      "id": "CVE-2023-5562",
      "lastModified": "2024-11-21T08:42:01.327",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security@knime.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"baseScore\": 6.1, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 2.7}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"baseScore\": 6.1, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 2.7}]}",
      "published": "2023-10-12T20:15:12.583",
      "references": "[{\"url\": \"https://www.knime.com/security/advisories#CVE-2023-5562\", \"source\": \"security@knime.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://www.knime.com/security/advisories#CVE-2023-5562\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "security@knime.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security@knime.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-5562\",\"sourceIdentifier\":\"security@knime.com\",\"published\":\"2023-10-12T20:15:12.583\",\"lastModified\":\"2024-11-21T08:42:01.327\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An unsafe default configuration in KNIME Analytics Platform before 5.2.0 allows for a cross-site scripting attack. When KNIME Analytics Platform is used as an executor for either KNIME Server or KNIME Business Hub several JavaScript-based view nodes do not sanitize the data that is displayed by default. If the data to be displayed contains JavaScript this code is executed in the browser and can perform any operations that the current user is allowed to perform silently.\\n\\n\\n\\n\\nKNIME Analytics Platform already has configuration options with which sanitization of data can be actived, see  https://docs.knime.com/latest/webportal_admin_guide/index.html#html-sanitization-webportal https://docs.knime.com/latest/webportal_admin_guide/index.html#html-sanitization-webportal . However, these are off by default which allows for cross-site scripting attacks.\\n\\n\\nKNIME Analytics Platform 5.2.0 will enable sanitization by default. For all previous releases we recommend users to add the corresponding settings to the executor\u0027s knime.ini.\\n\\n\\n\"},{\"lang\":\"es\",\"value\":\"Una configuraci\u00f3n predeterminada insegura en KNIME Analytics Platform anterior a 5.2.0 permite un ataque de Cross-Site Scripting (XSS). Cuando se utiliza KNIME Analytics Platform como ejecutor de KNIME Server o KNIME Business Hub, varios nodos de vista basados en JavaScript no sanitizan los datos que se muestran de forma predeterminada. Si los datos a mostrar contienen JavaScript, este c\u00f3digo se ejecuta en el navegador y puede realizar cualquier operaci\u00f3n que el usuario actual pueda realizar de forma silenciosa. KNIME Analytics Platform ya cuenta con opciones de configuraci\u00f3n con las que se puede activar la sanitizaci\u00f3n de datos, consulte https://docs.knime.com/latest/webportal_admin_guide/index.html#html-sanitization-webportal, https://docs.knime.com/ \u00faltimo/webportal_admin_guide/index.html#html-sanitizaci\u00f3n-webportal. Sin embargo, est\u00e1n desactivados de forma predeterminada, lo que permite ataques de Cross-Site Scripting (XSS). KNIME Analytics Platform 5.2.0 habilitar\u00e1 la sanitizaci\u00f3n de forma predeterminada. Para todas las versiones anteriores, recomendamos a los usuarios agregar las configuraciones correspondientes al knime.ini del ejecutor.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@knime.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"security@knime.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:knime:knime_analytics_platform:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"5.2.0\",\"matchCriteriaId\":\"3D912A75-E051-445D-B503-5BB95AB0A802\"}]}]}],\"references\":[{\"url\":\"https://www.knime.com/security/advisories#CVE-2023-5562\",\"source\":\"security@knime.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.knime.com/security/advisories#CVE-2023-5562\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://www.knime.com/security/advisories#CVE-2023-5562\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T07:59:44.813Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-5562\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-18T15:01:52.714683Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-18T15:01:58.883Z\"}}], \"cna\": {\"title\": \"Unsafe default allows for cross-site scripting attacks in KNIME Server and KNIME Business Hub\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"impacts\": [{\"capecId\": \"CAPEC-63\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-63 Cross-Site Scripting (XSS)\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 6.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"KNIME\", \"modules\": [\"JavaScript views\"], \"product\": \"KNIME Analytics Platform\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"5.2.0\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}], \"datePublic\": \"2023-10-12T19:00:00.000Z\", \"references\": [{\"url\": \"https://www.knime.com/security/advisories#CVE-2023-5562\"}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"Sanitization can be enabled for all affected JavaScript-based views by adding -Djs.core.sanitize.clientHTML=true to the executor\u0027s knime.ini. See  https://docs.knime.com/latest/webportal_admin_guide/index.html#html-sanitization-webportal https://docs.knime.com/latest/webportal_admin_guide/index.html#html-sanitization-webportal  for more details.\\n\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Sanitization can be enabled for all affected JavaScript-based views by adding \u003ccode\u003e-Djs.core.sanitize.clientHTML=true\u003c/code\u003e to the executor\u0027s knime.ini. See \u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"https://docs.knime.com/latest/webportal_admin_guide/index.html#html-sanitization-webportal\\\"\u003ehttps://docs.knime.com/latest/webportal_admin_guide/index.html#html-sanitization-webportal\u003c/a\u003e for more details.\u003cbr\u003e\", \"base64\": false}]}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"An unsafe default configuration in KNIME Analytics Platform before 5.2.0 allows for a cross-site scripting attack. When KNIME Analytics Platform is used as an executor for either KNIME Server or KNIME Business Hub several JavaScript-based view nodes do not sanitize the data that is displayed by default. If the data to be displayed contains JavaScript this code is executed in the browser and can perform any operations that the current user is allowed to perform silently.\\n\\n\\n\\n\\nKNIME Analytics Platform already has configuration options with which sanitization of data can be actived, see  https://docs.knime.com/latest/webportal_admin_guide/index.html#html-sanitization-webportal https://docs.knime.com/latest/webportal_admin_guide/index.html#html-sanitization-webportal . However, these are off by default which allows for cross-site scripting attacks.\\n\\n\\nKNIME Analytics Platform 5.2.0 will enable sanitization by default. For all previous releases we recommend users to add the corresponding settings to the executor\u0027s knime.ini.\\n\\n\\n\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cdiv\u003eAn unsafe default configuration in KNIME Analytics Platform before 5.2.0 allows for a cross-site scripting attack. When KNIME Analytics Platform is used as an executor for either KNIME Server or KNIME Business Hub several JavaScript-based view nodes do not sanitize the data that is displayed by default. If the data to be displayed contains JavaScript this code is executed in the browser and can perform any operations that the current user is allowed to perform silently.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eKNIME Analytics Platform already has configuration options with which sanitization of data can be actived, see \u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"https://docs.knime.com/latest/webportal_admin_guide/index.html#html-sanitization-webportal\\\"\u003ehttps://docs.knime.com/latest/webportal_admin_guide/index.html#html-sanitization-webportal\u003c/a\u003e. However, these are off by default which allows for cross-site scripting attacks.\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eKNIME Analytics Platform 5.2.0 will enable sanitization by default. For all previous releases we recommend users to add the corresponding settings to the executor\u0027s knime.ini.\u003cbr\u003e\u003c/div\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"296541fb-a0e3-4ca7-ab3d-683e666d143e\", \"shortName\": \"KNIME\", \"dateUpdated\": \"2023-10-12T19:00:54.732Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-5562\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-09-18T15:02:03.398Z\", \"dateReserved\": \"2023-10-12T18:31:19.504Z\", \"assignerOrgId\": \"296541fb-a0e3-4ca7-ab3d-683e666d143e\", \"datePublished\": \"2023-10-12T19:00:54.732Z\", \"assignerShortName\": \"KNIME\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

FKIE_CVE-2023-5562

Vulnerability from fkie_nvd - Published: 2023-10-12 20:15 - Updated: 2024-11-21 08:42

Severity ?

6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Summary

References

	URL	Tags
	security@knime.com	https://www.knime.com/security/advisories#CVE-2023-5562	Vendor Advisory
	af854a3a-2127-422b-91ae-364da2661108	https://www.knime.com/security/advisories#CVE-2023-5562	Vendor Advisory

Impacted products

	Vendor	Product	Version
	knime	knime_analytics_platform	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:knime:knime_analytics_platform:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "3D912A75-E051-445D-B503-5BB95AB0A802",
              "versionEndExcluding": "5.2.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An unsafe default configuration in KNIME Analytics Platform before 5.2.0 allows for a cross-site scripting attack. When KNIME Analytics Platform is used as an executor for either KNIME Server or KNIME Business Hub several JavaScript-based view nodes do not sanitize the data that is displayed by default. If the data to be displayed contains JavaScript this code is executed in the browser and can perform any operations that the current user is allowed to perform silently.\n\n\n\n\nKNIME Analytics Platform already has configuration options with which sanitization of data can be actived, see  https://docs.knime.com/latest/webportal_admin_guide/index.html#html-sanitization-webportal https://docs.knime.com/latest/webportal_admin_guide/index.html#html-sanitization-webportal . However, these are off by default which allows for cross-site scripting attacks.\n\n\nKNIME Analytics Platform 5.2.0 will enable sanitization by default. For all previous releases we recommend users to add the corresponding settings to the executor\u0027s knime.ini.\n\n\n"
    },
    {
      "lang": "es",
      "value": "Una configuraci\u00f3n predeterminada insegura en KNIME Analytics Platform anterior a 5.2.0 permite un ataque de Cross-Site Scripting (XSS). Cuando se utiliza KNIME Analytics Platform como ejecutor de KNIME Server o KNIME Business Hub, varios nodos de vista basados en JavaScript no sanitizan los datos que se muestran de forma predeterminada. Si los datos a mostrar contienen JavaScript, este c\u00f3digo se ejecuta en el navegador y puede realizar cualquier operaci\u00f3n que el usuario actual pueda realizar de forma silenciosa. KNIME Analytics Platform ya cuenta con opciones de configuraci\u00f3n con las que se puede activar la sanitizaci\u00f3n de datos, consulte https://docs.knime.com/latest/webportal_admin_guide/index.html#html-sanitization-webportal, https://docs.knime.com/ \u00faltimo/webportal_admin_guide/index.html#html-sanitizaci\u00f3n-webportal. Sin embargo, est\u00e1n desactivados de forma predeterminada, lo que permite ataques de Cross-Site Scripting (XSS). KNIME Analytics Platform 5.2.0 habilitar\u00e1 la sanitizaci\u00f3n de forma predeterminada. Para todas las versiones anteriores, recomendamos a los usuarios agregar las configuraciones correspondientes al knime.ini del ejecutor."
    }
  ],
  "id": "CVE-2023-5562",
  "lastModified": "2024-11-21T08:42:01.327",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "security@knime.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-10-12T20:15:12.583",
  "references": [
    {
      "source": "security@knime.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.knime.com/security/advisories#CVE-2023-5562"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.knime.com/security/advisories#CVE-2023-5562"
    }
  ],
  "sourceIdentifier": "security@knime.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security@knime.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-4G9C-4JMR-XRQP

Vulnerability from github – Published: 2023-10-12 21:30 – Updated: 2024-04-04 08:36

Details

KNIME Analytics Platform already has configuration options with which sanitization of data can be actived, see https://docs.knime.com/latest/webportal_admin_guide/index.html#html-sanitization-webportal https://docs.knime.com/latest/webportal_admin_guide/index.html#html-sanitization-webportal . However, these are off by default which allows for cross-site scripting attacks.

KNIME Analytics Platform 5.2.0 will enable sanitization by default. For all previous releases we recommend users to add the corresponding settings to the executor's knime.ini.

Severity ?

6.1 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2023-5562"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-12T20:15:12Z",
    "severity": "MODERATE"
  },
  "details": "An unsafe default configuration in KNIME Analytics Platform before 5.2.0 allows for a cross-site scripting attack. When KNIME Analytics Platform is used as an executor for either KNIME Server or KNIME Business Hub several JavaScript-based view nodes do not sanitize the data that is displayed by default. If the data to be displayed contains JavaScript this code is executed in the browser and can perform any operations that the current user is allowed to perform silently.\n\n\n\n\nKNIME Analytics Platform already has configuration options with which sanitization of data can be actived, see  https://docs.knime.com/latest/webportal_admin_guide/index.html#html-sanitization-webportal https://docs.knime.com/latest/webportal_admin_guide/index.html#html-sanitization-webportal . However, these are off by default which allows for cross-site scripting attacks.\n\n\nKNIME Analytics Platform 5.2.0 will enable sanitization by default. For all previous releases we recommend users to add the corresponding settings to the executor\u0027s knime.ini.\n\n\n",
  "id": "GHSA-4g9c-4jmr-xrqp",
  "modified": "2024-04-04T08:36:21Z",
  "published": "2023-10-12T21:30:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5562"
    },
    {
      "type": "WEB",
      "url": "https://www.knime.com/security/advisories#CVE-2023-5562"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GSD-2023-5562

Vulnerability from gsd - Updated: 2023-12-13 01:20

Details

Aliases

CVE-2023-5562

Aliases

CVE-2023-5562

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-5562",
    "id": "GSD-2023-5562"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-5562"
      ],
      "details": "An unsafe default configuration in KNIME Analytics Platform before 5.2.0 allows for a cross-site scripting attack. When KNIME Analytics Platform is used as an executor for either KNIME Server or KNIME Business Hub several JavaScript-based view nodes do not sanitize the data that is displayed by default. If the data to be displayed contains JavaScript this code is executed in the browser and can perform any operations that the current user is allowed to perform silently.\n\n\n\n\nKNIME Analytics Platform already has configuration options with which sanitization of data can be actived, see  https://docs.knime.com/latest/webportal_admin_guide/index.html#html-sanitization-webportal https://docs.knime.com/latest/webportal_admin_guide/index.html#html-sanitization-webportal . However, these are off by default which allows for cross-site scripting attacks.\n\n\nKNIME Analytics Platform 5.2.0 will enable sanitization by default. For all previous releases we recommend users to add the corresponding settings to the executor\u0027s knime.ini.\n\n\n",
      "id": "GSD-2023-5562",
      "modified": "2023-12-13T01:20:50.745403Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@knime.com",
        "ID": "CVE-2023-5562",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "KNIME Analytics Platform",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "0",
                          "version_value": "5.2.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "KNIME"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "An unsafe default configuration in KNIME Analytics Platform before 5.2.0 allows for a cross-site scripting attack. When KNIME Analytics Platform is used as an executor for either KNIME Server or KNIME Business Hub several JavaScript-based view nodes do not sanitize the data that is displayed by default. If the data to be displayed contains JavaScript this code is executed in the browser and can perform any operations that the current user is allowed to perform silently.\n\n\n\n\nKNIME Analytics Platform already has configuration options with which sanitization of data can be actived, see  https://docs.knime.com/latest/webportal_admin_guide/index.html#html-sanitization-webportal https://docs.knime.com/latest/webportal_admin_guide/index.html#html-sanitization-webportal . However, these are off by default which allows for cross-site scripting attacks.\n\n\nKNIME Analytics Platform 5.2.0 will enable sanitization by default. For all previous releases we recommend users to add the corresponding settings to the executor\u0027s knime.ini.\n\n\n"
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.1.0-dev"
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-79",
                "lang": "eng",
                "value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://www.knime.com/security/advisories#CVE-2023-5562",
            "refsource": "MISC",
            "url": "https://www.knime.com/security/advisories#CVE-2023-5562"
          }
        ]
      },
      "source": {
        "discovery": "EXTERNAL"
      },
      "work_around": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Sanitization can be enabled for all affected JavaScript-based views by adding \u003ccode\u003e-Djs.core.sanitize.clientHTML=true\u003c/code\u003e to the executor\u0027s knime.ini. See \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.knime.com/latest/webportal_admin_guide/index.html#html-sanitization-webportal\"\u003ehttps://docs.knime.com/latest/webportal_admin_guide/index.html#html-sanitization-webportal\u003c/a\u003e for more details.\u003cbr\u003e"
            }
          ],
          "value": "Sanitization can be enabled for all affected JavaScript-based views by adding -Djs.core.sanitize.clientHTML=true to the executor\u0027s knime.ini. See  https://docs.knime.com/latest/webportal_admin_guide/index.html#html-sanitization-webportal https://docs.knime.com/latest/webportal_admin_guide/index.html#html-sanitization-webportal  for more details.\n"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:knime:knime_analytics_platform:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "5.2.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@knime.com",
          "ID": "CVE-2023-5562"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "An unsafe default configuration in KNIME Analytics Platform before 5.2.0 allows for a cross-site scripting attack. When KNIME Analytics Platform is used as an executor for either KNIME Server or KNIME Business Hub several JavaScript-based view nodes do not sanitize the data that is displayed by default. If the data to be displayed contains JavaScript this code is executed in the browser and can perform any operations that the current user is allowed to perform silently.\n\n\n\n\nKNIME Analytics Platform already has configuration options with which sanitization of data can be actived, see  https://docs.knime.com/latest/webportal_admin_guide/index.html#html-sanitization-webportal https://docs.knime.com/latest/webportal_admin_guide/index.html#html-sanitization-webportal . However, these are off by default which allows for cross-site scripting attacks.\n\n\nKNIME Analytics Platform 5.2.0 will enable sanitization by default. For all previous releases we recommend users to add the corresponding settings to the executor\u0027s knime.ini.\n\n\n"
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.knime.com/security/advisories#CVE-2023-5562",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://www.knime.com/security/advisories#CVE-2023-5562"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.7
        }
      },
      "lastModifiedDate": "2023-10-18T13:00Z",
      "publishedDate": "2023-10-12T20:15Z"
    }
  }
}

WID-SEC-W-2023-2641

Vulnerability from csaf_certbund - Published: 2023-10-12 22:00 - Updated: 2023-10-12 22:00

Summary

KNIME Analytics Platform: Schwachstelle ermöglicht Cross-Site Scripting

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

KNIME Analytics Platform ist eine Open-Source-Software zum für Data Science in Bezug auf das Verständnis von Daten und das Design von Data Science Workflows.

Angriff

Ein entfernter, anonymer Angreifer kann eine Schwachstelle in KNIME Analytics Platform ausnutzen, um einen Cross-Site Scripting Angriff durchzuführen.

Betroffene Betriebssysteme

- Linux - MacOS X - Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "KNIME Analytics Platform ist eine Open-Source-Software zum f\u00fcr Data Science in Bezug auf das Verst\u00e4ndnis von Daten und das Design von Data Science Workflows.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann eine Schwachstelle in KNIME Analytics Platform ausnutzen, um einen Cross-Site Scripting Angriff durchzuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- MacOS X\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2023-2641 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-2641.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2023-2641 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-2641"
      },
      {
        "category": "external",
        "summary": "KNIME Security Advisory vom 2023-10-12",
        "url": "https://www.knime.com/security/advisories#CVE-2023-5562"
      }
    ],
    "source_lang": "en-US",
    "title": "KNIME Analytics Platform: Schwachstelle erm\u00f6glicht Cross-Site Scripting",
    "tracking": {
      "current_release_date": "2023-10-12T22:00:00.000+00:00",
      "generator": {
        "date": "2024-08-15T17:59:50.796+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.5"
        }
      },
      "id": "WID-SEC-W-2023-2641",
      "initial_release_date": "2023-10-12T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2023-10-12T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "KNIME Analytics Platform \u003c 5.2.0",
            "product": {
              "name": "KNIME Analytics Platform \u003c 5.2.0",
              "product_id": "T030489",
              "product_identification_helper": {
                "cpe": "cpe:/a:knime:knime_analytics_platform:5.2.0"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "KNIME"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-5562",
      "notes": [
        {
          "category": "description",
          "text": "In KNIME Analytics Platform existiert eine Cross-Site Scripting Schwachstelle. HTML und Script-Eingaben werden in KNIME Server und KNIME Business Hub nicht ordnungsgem\u00e4\u00df \u00fcberpr\u00fcft, bevor sie an den Benutzer zur\u00fcckgegeben werden. Ein entfernter, anonymer Angreifer kann durch Ausnutzung dieser Schwachstelle beliebigen HTML- und Script-Code durch den Browser des Benutzers im Kontext der betroffenen Seite ausf\u00fchren. Zur erfolgreichen Ausnutzung ist eine Benutzeraktion erforderlich."
        }
      ],
      "release_date": "2023-10-12T22:00:00.000+00:00",
      "title": "CVE-2023-5562"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2023-5562 (GCVE-0-2023-5562)

FKIE_CVE-2023-5562

GHSA-4G9C-4JMR-XRQP

GSD-2023-5562

WID-SEC-W-2023-2641

Tags

Sightings

Nomenclature