CVE-2018-5431

EPSS 0.26%
Published 17.04.2018 18:29:00
Last modified 21.11.2024 04:08:47
Source security@tibco.com
Teams watchlist Login
Open Login

The domain designer component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, and TIBCO Jaspersoft Reporting and Analytics for AWS contains a vulnerability which may allow, in the context of a non-default permissions configuration, persisted cross-site scripting (XSS) attacks. Affected releases include TIBCO Software Inc.'s TIBCO JasperReports Server: versions up to and including 6.2.4; 6.3.0; 6.3.2; 6.3.3; 6.4.0; 6.4.2, TIBCO JasperReports Server Community Edition: versions up to and including 6.4.2, TIBCO JasperReports Server for ActiveMatrix BPM: versions up to and including 6.4.2, TIBCO Jaspersoft for AWS with Multi-Tenancy: versions up to and including 6.4.2, TIBCO Jaspersoft Reporting and Analytics for AWS: versions up to and including 6.4.2.

Affected products Warnungen 0 Metrics 4 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Tibco ≫ Jasperreports Server Version <= 6.2.4

Tibco ≫ Jasperreports Server SwPlatformactivematrix_bpm Version <= 6.4.2

Tibco ≫ Jasperreports Server SwEditioncommunity Version <= 6.4.2

Tibco ≫ Jasperreports Server Version6.3.0

Tibco ≫ Jasperreports Server Version6.3.2

Tibco ≫ Jasperreports Server Version6.3.3

Tibco ≫ Jasperreports Server Version6.4.0

Tibco ≫ Jasperreports Server Version6.4.2

Tibco ≫ Jaspersoft SwPlatformaws_with_multi-tenancy Version <= 6.4.2

Tibco ≫ Jaspersoft Reporting And Analytics SwPlatformaws Version <= 6.4.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.26%	0.468

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5.4	2.3	2.7	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov	3.5	6.8	2.9	AV:N/AC:M/Au:S/C:N/I:P/A:N
security@tibco.com	6.3	2.1	4.2	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://www.tibco.com/support/advisories/2018/04/tibco-security-advisory-april-17-2018-tibco-jasperreports-2018-5431

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2018-5431

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2018-5431

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2018-5431

EUVD