
Pentaho Business Analytics / Pentaho Business Server 9.1 User Enumeration

Pentaho exposes a series of SOAP web services so that scripts can interact with the backend server. HAWSEC identified that the userRoleListService and ServiceAction services, reachable through the /pentaho/webservices/userRoleListService and /pentaho/ServiceAction?action=SecurityDetails endpoints, do not enforce sufficient access controls. Specifically, an authenticated user can list all application usernames present in the Jackrabbit repository.

Packet Storm
Tags: sql, web, vulnerability, red_hat

Related news

Pentaho Business Analytics / Pentaho Business Server 9.1 Insufficient Access Control

Pentaho exposes a series of SOAP web services so that scripts can interact with the backend server. While most of these interfaces correctly enforce ACLs, the Data Source Management Service at /pentaho/webservices/datasourceMgmtService allows low-privilege authenticated users to list the connection details of every data source configured in Pentaho.
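Both advisories above name the exact endpoints that leak data to non-administrative accounts, which makes them easy to watch for in the web tier's access log. The following script is an added example written for this page, not code from Packet Storm, HAWSEC or the Pentaho project: it parses combined-format access log lines, matches the three endpoint patterns from the two advisories (including the action=SecurityDetails query on /pentaho/ServiceAction), and reports successful calls by users outside an assumed admin allow-list. It assumes the server records the authenticated user in the remote-user field (true for HTTP Basic authentication; with form login you would have to join on the session instead), and the log lines and the admin account name are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint paths named in the two Pentaho advisories on this page.
SENSITIVE_PATHS = {
    "/pentaho/webservices/userRoleListService": "user enumeration (userRoleListService)",
    "/pentaho/webservices/datasourceMgmtService": "data source connection disclosure",
}
# /pentaho/ServiceAction is only sensitive with action=SecurityDetails, per the advisory.
SENSITIVE_ACTIONS = {
    ("/pentaho/ServiceAction", "SecurityDetails"): "user enumeration (ServiceAction)",
}

# Assumption: the accounts expected to call these services legitimately.
ADMIN_USERS = {"admin"}

# Combined log format; the third field is the authenticated (remote) user.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)


def classify(target):
    """Return a finding label if the request target is one of the advisory endpoints, else None."""
    parts = urlsplit(target)
    if parts.path in SENSITIVE_PATHS:
        return SENSITIVE_PATHS[parts.path]
    action = parse_qs(parts.query).get("action", [None])[0]
    return SENSITIVE_ACTIONS.get((parts.path, action))


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious(lines, admins=ADMIN_USERS):
    """Return (user, ip, label) for successful (HTTP 200) calls by non-admin users.

    Non-200 responses are skipped: a 401/403 means the access check held."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec["target"])
        if label is None or rec["user"] in admins or rec["status"] != "200":
            continue
        findings.append((rec["user"], rec["ip"], label))
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - analyst [12/Mar/2024:10:01:02 +0000] "POST /pentaho/webservices/userRoleListService HTTP/1.1" 200 1432',
    '10.0.0.5 - analyst [12/Mar/2024:10:01:05 +0000] "GET /pentaho/ServiceAction?action=SecurityDetails HTTP/1.1" 200 2210',
    '10.0.0.9 - admin [12/Mar/2024:10:02:00 +0000] "POST /pentaho/webservices/datasourceMgmtService HTTP/1.1" 200 980',
    '10.0.0.7 - reporter [12/Mar/2024:10:03:11 +0000] "POST /pentaho/webservices/datasourceMgmtService HTTP/1.1" 200 980',
    '10.0.0.7 - reporter [12/Mar/2024:10:03:15 +0000] "GET /pentaho/api/repo/files/children HTTP/1.1" 200 5120',
    '10.0.0.8 - guest [12/Mar/2024:10:04:00 +0000] "POST /pentaho/webservices/userRoleListService HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for user, ip, label in find_suspicious(SAMPLE_LOG):
        print(f"{ip} {user}: {label}")
```

On the sample input the script flags the two analyst requests and the reporter's data source call; the admin request is allowed and the guest's 403 shows the check holding. Run against a real log, a hit on either user-enumeration endpoint by a non-admin account is the signal that the unauthenticated-to-authenticated boundary described above is being probed from an ordinary user session.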
