MidnightBSD

Advisories for jedox

CVE-2022-47874

Improper Access Control in /tc/rpc in Jedox GmbH Jedox 2020.2.5 allows remote authenticated users to view details of database connections via class 'com.jedox.etl.mngr.Connections' and method 'getGlobalConnection'.

Products Affected

Vendor Product Version
jedox jedox 2020.2.5
jedox cloud -
CVE-2022-47875

A Directory Traversal vulnerability in /be/erpc.php in Jedox GmbH Jedox 2020.2.5 allows remote authenticated users to execute arbitrary code.

Products Affected

Vendor Product Version
jedox jedox 2020.2.5
jedox cloud -
CVE-2022-47876

The integrator in Jedox GmbH Jedox 2020.2.5 allows remote authenticated users to create Jobs to execute arbitrary code via Groovy-scripts.

Products Affected

Vendor Product Version
jedox jedox 2020.2.5
CVE-2022-47877

A Stored cross-site scripting vulnerability in Jedox 2020.2.5 allows remote, authenticated users to inject arbitrary web script or HTML in the Logs page via the log module 'log'.

Products Affected

Vendor Product Version
jedox jedox 2020.2.5
CVE-2022-47878

Incorrect input validation for the default-storage-path in the settings page in Jedox 2020.2.5 allows remote, authenticated users to specify the location as Webroot directory. Consecutive file uploads can lead to the execution of arbitrary code. NOTE: The vendor states that the vulnerability affects installations running version 22.2 or earlier. The issue was resolved with the version 22.3 and later versions are not affected. Additionally, the vendor states that this vulnerability affects on-premises deployments only and that it does not impact cloud-hosted or SaaS environments.

Products Affected

Vendor Product Version
jedox jedox 2020.2.5
CVE-2022-47879

A Remote Code Execution (RCE) vulnerability in /be/rpc.php in Jedox 2020.2.5 allows remote authenticated users to load arbitrary PHP classes from the 'rtn' directory and execute its methods. NOTE: The vendor states that the vulnerability affects installations running version 22.5 or earlier. The issue was resolved with version 23.2 and later versions are not affected.

Products Affected

Vendor Product Version
jedox jedox 2020.2.5
jedox jedox_cloud -
CVE-2022-47880

An Information disclosure vulnerability in /be/rpc.php in Jedox GmbH Jedox 2020.2.5 allow remote, authenticated users with permissions to modify database connections to disclose a connections' cleartext password via the 'test connection' function.

Products Affected

Vendor Product Version
jedox jedox 2020.2.5
jedox jedox_cloud -