CVE-2023-5562— Knime Analytics Platform 跨站脚本漏洞

Unsafe default allows for cross-site scripting attacks in KNIME Server and KNIME Business Hub

An unsafe default configuration in KNIME Analytics Platform before 5.2.0 allows for a cross-site scripting attack. When KNIME Analytics Platform is used as an executor for either KNIME Server or KNIME Business Hub several JavaScript-based view nodes do not sanitize the data that is displayed by default. If the data to be displayed contains JavaScript this code is executed in the browser and can perform any operations that the current user is allowed to perform silently. KNIME Analytics Platform already has configuration options with which sanitization of data can be actived, see https://docs.knime.com/latest/webportal_admin_guide/index.html#html-sanitization-webportal https://docs.knime.com/latest/webportal_admin_guide/index.html#html-sanitization-webportal . However, these are off by default which allows for cross-site scripting attacks. KNIME Analytics Platform 5.2.0 will enable sanitization by default. For all previous releases we recommend users to add the corresponding settings to the executor's knime.ini.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

Knime Analytics Platform 跨站脚本漏洞

Knime Analytics Platform是瑞士Knime公司的一个免费的开源数据分析、报告和集成平台。 KNIME Analytics Platform 5.2.0 之前版本存在跨站脚本漏洞，该漏洞源于不安全的默认设置允许 KNIME Server 和 KNIME Business Hub 中的跨站脚本攻击。

N/A

N/A