6.3
CVE-2018-5431
- EPSS 0.25%
- Published 17.04.2018 18:29:00
- Last modified 21.11.2024 04:08:47
- Source security@tibco.com
TIBCO JasperReports Server Cross Site Scripting Vulnerability
The domain designer component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, and TIBCO Jaspersoft Reporting and Analytics for AWS contains a vulnerability which may allow, in the context of a non-default permissions configuration, persisted cross-site scripting (XSS) attacks. Affected releases include TIBCO Software Inc.'s TIBCO JasperReports Server: versions up to and including 6.2.4; 6.3.0; 6.3.2; 6.3.3; 6.4.0; 6.4.2, TIBCO JasperReports Server Community Edition: versions up to and including 6.4.2, TIBCO JasperReports Server for ActiveMatrix BPM: versions up to and including 6.4.2, TIBCO Jaspersoft for AWS with Multi-Tenancy: versions up to and including 6.4.2, TIBCO Jaspersoft Reporting and Analytics for AWS: versions up to and including 6.4.2.
Data provided by the National Vulnerability Database (NVD)
Tibco ≫ Jasperreports Server Version <= 6.2.4
Tibco ≫ Jasperreports Server SwPlatform activematrix_bpm Version <= 6.4.2
Tibco ≫ Jasperreports Server SwEdition community Version <= 6.4.2
Tibco ≫ Jasperreports Server Version 6.3.0
Tibco ≫ Jasperreports Server Version 6.3.2
Tibco ≫ Jasperreports Server Version 6.3.3
Tibco ≫ Jasperreports Server Version 6.4.0
Tibco ≫ Jasperreports Server Version 6.4.2
Tibco ≫ Jaspersoft SwPlatform aws_with_multi-tenancy Version <= 6.4.2
Tibco ≫ Jaspersoft Reporting And Analytics SwPlatform aws Version <= 6.4.2
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.25% | 0.481 |
| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.4 | 2.3 | 2.7 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| nvd@nist.gov | 3.5 | 6.8 | 2.9 | AV:N/AC:M/Au:S/C:N/I:P/A:N |
| security@tibco.com | 6.3 | 2.1 | 4.2 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N |
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.