{"id":"CVE-2022-39295","summary":"Improper Neutralization of Alternate XSS Syntax in Knowage-Server","details":"Knowage is an open source suite for modern business analytics, an alternative over big data systems. KnowageLabs / Knowage-Server starting with the 6.x branch and prior to versions 7.4.22, 8.0.9, and 8.1.0 is vulnerable to cross-site scripting because the `XSSRequestWrapper::stripXSS` method can be bypassed. Versions 7.4.22, 8.0.9, and 8.1.0 contain patches for this issue. There are no known workarounds.","aliases":["GHSA-f2gr-6h9j-rwcw"],"modified":"2026-04-10T04:50:20.422947Z","published":"2022-10-13T00:00:00Z","database_specific":{"cwe_ids":["CWE-79","CWE-87"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/39xxx/CVE-2022-39295.json"},"references":[{"type":"WEB","url":"https://github.com/KnowageLabs/Knowage-Server/blob/b079a654c1708f82f6914c55be6715ad621d9edd/knowageutils/src/main/java/it/eng/spagobi/utilities/filters/XSSRequestWrapper.java#L82-L206"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/39xxx/CVE-2022-39295.json"},{"type":"ADVISORY","url":"https://github.com/KnowageLabs/Knowage-Server/security/advisories/GHSA-f2gr-6h9j-rwcw"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-39295"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/knowagelabs/knowage-server","events":[{"introduced":"0"},{"fixed":"78dfd58032699b2f11264654d5f9ce8f9701ed66"}],"database_specific":{"versions":[{"introduced":"6.0"},{"fixed":"7.4.22"}]}},{"type":"GIT","repo":"https://github.com/knowagelabs/knowage-server","events":[{"introduced":"96bdab85f1d4b32ecbac0d277f494d5e3c16b907"},{"fixed":"9ef26550ac874f26cf19ea35e3c373742e7de38f"}],"database_specific":{"versions":[{"introduced":"8.0"},{"fixed":"8.0.9"}]}}],"versions":["v7.0.0-RC","v7.2.0","v7.2.0-2020-04-06","v7.4.0","v7.4.1","v7.4.10","v7.4.11","v7.4.12","v7.4.13","v7.4.14","v7.4.15","v7.4.16","v7.4.17","v7.4.18","v7.4.19","v7.4.2","v7.4.20","v7.4.21","v7.4.3","v7.4.4","v7.4.5","v7.4.6","v7.4.7","v7.4.8","v7.4.9","v8.0.0","v8.0.1","v8.0.2","v8.0.3","v8.0.4","v8.0.5","v8.0.6","v8.0.7","v8.0.8"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-39295.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}