关键信息 漏洞概述 漏洞类型: DOM-based XSS in Login Panel 日期: 10.12.2021 受影响供应商: KNIME AG 受影响产品与版本 产品: KNIME Server - Enterprise software for putting your data science workflows into production 漏洞版本: 4.13.3, 4.12.4, 4.11.5 修复版本: 4.13.4, 4.12.5, 4.12.6 漏洞详情 CVSS分数: 9.2 High 漏洞描述: KNIME Server web application up to version 4.13.3 login panel contains a DOM-based XSS vulnerability that, once exploited, can run any action as a victim user via malicious JavaScript. If the victim user is an administrator, it could be used to create a new administrator. To exploit the vulnerability it is required to create a specially crafted URL and convince the victim to open it. No authentication is required to exploit the vulnerability; however, authenticated users can be targeted. 参考材料 CVE编号: CVE-2021-44726 发现者: Dawid Czarnecki 参考资料: - https://nvd.nist.gov/vuln/detail/CVE-2021-44726 - https://docs.knime.com/2021-06/server_update_guide/index.html#_bugfixes