CVE-2023-5562

An unsafe default configuration in KNIME Analytics Platform before 5.2.0 allows for a cross-site scripting attack. When KNIME Analytics Platform is used as an executor for either KNIME Server or KNIME Business Hub several JavaScript-based view nodes do not sanitize the data that is displayed by default. If the data to be displayed contains JavaScript this code is executed in the browser and can perform any operations that the current user is allowed to perform silently. KNIME Analytics Platform already has configuration options with which sanitization of data can be actived, see https://docs.knime.com/latest/webportal_admin_guide/index.html#html-sanitization-webportal https://docs.knime.com/latest/webportal_admin_guide/index.html#html-sanitization-webportal . However, these are off by default which allows for cross-site scripting attacks. KNIME Analytics Platform 5.2.0 will enable sanitization by default. For all previous releases we recommend users to add the corresponding settings to the executor's knime.ini.
Configurations

Configuration 1 (hide)

cpe:2.3:a:knime:knime_analytics_platform:*:*:*:*:*:*:*:*

History

21 Nov 2024, 08:42

Type Values Removed Values Added
References () https://www.knime.com/security/advisories#CVE-2023-5562 - Vendor Advisory () https://www.knime.com/security/advisories#CVE-2023-5562 - Vendor Advisory

18 Oct 2023, 13:00

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 6.1
CWE CWE-79
CPE cpe:2.3:a:knime:knime_analytics_platform:*:*:*:*:*:*:*:*
First Time Knime
Knime knime Analytics Platform
References (MISC) https://www.knime.com/security/advisories#CVE-2023-5562 - (MISC) https://www.knime.com/security/advisories#CVE-2023-5562 - Vendor Advisory

12 Oct 2023, 20:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-10-12 20:15

Updated : 2024-11-21 08:42


NVD link : CVE-2023-5562

Mitre link : CVE-2023-5562

CVE.ORG link : CVE-2023-5562


JSON object : View

Products Affected

knime

  • knime_analytics_platform
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')