In addition to the above-mentioned information, we have also compiled a list of issues that were fixed in the latest version of Knowage-Server. The list is given below.

- In versions prior to 7.4.22, 8.0.9, and 8.1.0, there was an issue with Knowage-Server where it did not allow setting the `X-Frame-Options` header to `SAMEORIGIN` when using the X-Sendfile or X-Redirect HTTP request options. This could have led to Cross-site scripting attacks when using certain web-based management interfaces.
- In versions prior to 7.4.22, 8.0.9, and 8.1.0, it was possible to set the `X-Content-Type-Options` header to `nosniff` when using the X-Sendfile or X-Redirect HTTP request options. This could have allowed Cross-site scripting attacks when using certain web-based management interfaces.
- In versions prior to 7.4.22, 8.0.9, and 8.1.0, it was possible to set the `X-XSS-Protection` header to `1` when using the X-Sendfile or X-Redirect HTTP request options. This could have allowed Cross-site scripting attacks when using certain web-based management interfaces.
- In versions prior to 7.4.22, 8.0.

Knowage-Cloud

Knowage-Server is a web service running on a server that has been configured to serve Knowage-Cloud. The web app runs on Node.js and is used by the User in order to search for, save and retrieve some of the latest data from the Knowage-Cloud.

- In versions prior to 7.4.22, 8.0.9, and 8.1.0, when using `X-Content-Type-Options` or `X-XSS-Protection`, it was possible to set these headers with any value other than `nosniff`. This could have allowed Cross-site scripting attacks when using certain web-based management interfaces.
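A defender verifying a deployment against the items above wants to confirm that responses from the management interfaces actually carry `X-Frame-Options: SAMEORIGIN` and `X-Content-Type-Options: nosniff`. The following header audit is an added example, not code from Knowage; it parses a raw HTTP response header block (constructed samples below, not captured from a real server) and reports missing, duplicated or unexpected values for the two headers whose expected value the text states. `DENY` is accepted for `X-Frame-Options` as well, since it is the stricter standard value.

```python
"""Audit HTTP response headers for the hardening values named above.

Added example, not Knowage code. Input is a raw HTTP/1.1 response header
block (status line, header lines, blank line); the samples are constructed.
"""
from typing import Dict, List

# Expected values taken from the advisory text; DENY added as the stricter
# standard alternative for X-Frame-Options (assumption, not from the page).
EXPECTED = {
    "x-frame-options": {"sameorigin", "deny"},
    "x-content-type-options": {"nosniff"},
}


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Map lowercase header name -> list of values (duplicates are kept)."""
    headers: Dict[str, List[str]] = {}
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:            # lines[0] is the status line
        if not line.strip():
            break                     # blank line ends the header block
        if ":" not in line:
            continue                  # malformed line; skip it
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit_security_headers(raw: str) -> List[str]:
    """Return one finding string per problem; an empty list means all good."""
    findings: List[str] = []
    headers = parse_headers(raw)
    for name, allowed in EXPECTED.items():
        values = headers.get(name)
        if not values:
            findings.append(f"{name}: missing")
            continue
        if len(values) > 1:           # conflicting copies are themselves a bug
            findings.append(f"{name}: set {len(values)} times ({', '.join(values)})")
        for value in values:
            if value.lower() not in allowed:
                findings.append(f"{name}: unexpected value {value!r}")
    return findings


# Constructed samples: a weak response and a hardened one.
WEAK = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Content-Type-Options: sniff\r\n\r\n<html>"
HARDENED = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: SAMEORIGIN\r\n"
            "X-Content-Type-Options: nosniff\r\n\r\n<html>")

if __name__ == "__main__":
    for sample in (WEAK, HARDENED):
        print(audit_security_headers(sample) or ["no findings"])
```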

Timeline

Published on: 10/13/2022 23:15:00 UTC
Last modified on: 10/17/2022 13:30:00 UTC
