CVE-2025-24909

Overview <br /> <br /> <br /> <br />  <br /> <br /> <br /> <br /> The software does not neutralize or incorrectly neutralize user-controllable input before it is placed in output that is used as a web page that is served to other users. (CWE-79) <br /> <br /> <br /> <br />  <br /> <br /> <br /> <br /> Description <br /> <br /> <br /> <br />  <br /> <br /> <br /> <br /> Hitachi Vantara Pentaho Business Analytics Server prior to versions 10.2.0.2, including 9.3.x and 8.3.x, allow a malicious URL to inject content into the Analyzer plugin interface. <br /> <br /> <br /> <br />  <br /> <br /> <br /> <br /> Impact <br /> <br /> <br /> <br />  <br /> <br /> <br /> <br /> Once the malicious script is injected, the attacker can perform a variety of malicious activities. The attacker could transfer private information, such as cookies that may include session information, from the victim&amp;#39;s machine to the attacker. The attacker could send malicious requests to a web site on behalf of the victim, which could be especially dangerous to the site if the victim has administrator privileges to manage that site.