The Business Analytics application is vulnerable to Cross-Site Request Forgery (CSRF). The plugin functionality is affected as well. Because of this vulnerability an attacker can cause an authenticated user to perform actions on the attacker's behalf; for example, an attacker could potentially upload files, delete files, or create, modify or delete queries.
More information about CSRF attacks can be found at the below link:
While researching additional JIRAs and ESR cases specific to the CSRF vulnerability, it was understood that the CSRF filter shipped with Tomcat version 7 and above (and possibly the most recent versions of Tomcat 6) could mitigate this issue. However, simply enabling that filter in Tomcat does not provide full protection for the Pentaho platform, and it would not address the security concern for customers running on supported JBoss EAP application servers, which do not have a similar filter readily available at this time.
Customers require that a feature be built into the software to protect the Pentaho application directly against this type of vulnerability, as a viable solution for all supported platforms.
A suggestion from the same source linked above regarding potential preventive measures that could be researched for the purpose of creating a solution for Pentaho can be found at this link: