The exploit demonstrates an XML External Entity (XXE) injection vulnerability in Pentaho BI User Console, allowing arbitrary file disclosure via a crafted POST request to the '/pentaho/content/dashboards' endpoint.
Classification: Working PoC 100%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Pentaho BI User Console < 4.5.0
Auth required
Prerequisites: Valid session cookie (JSESSIONID) · Access to the '/pentaho/content/dashboards' endpoint