CVE-2022-39295 MEDIUM

CVE-2022-39295: Improper Neutralization of Alternate XSS Syntax in Knowage-Server

Vendor Knowagelabs
Product Knowage-Server
Weakness CWE-87
Published October 13, 2022
Last update April 22, 2025

CVSS base score

6.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Scope Changed
Confidentiality Low
Integrity Low
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

Description

Knowage is an open source suite for modern business analytics, positioned as an alternative over big data systems. KnowageLabs / Knowage-Server, starting with the 6.x branch and prior to versions 7.4.22, 8.0.9, and 8.1.0, is vulnerable to cross-site scripting because the `XSSRequestWrapper::stripXSS` request filter can be bypassed with alternate XSS syntax (CWE-87). Versions 7.4.22, 8.0.9, and 8.1.0 contain patches for this issue. There are no known workarounds.

Key dates

Disclosure timeline

October 13, 2022 CVE published
April 22, 2025 Record updated

Related vulnerabilities

Related CVE