CVE-2020-9410

EPSS 1.05%
Published 20.05.2020 13:15:10
Last modified 21.11.2024 05:40:35
Source security@tibco.com
Teams watchlist Login
Open Login

The report generator component of TIBCO Software Inc.'s TIBCO JasperReports Library, TIBCO JasperReports Library for ActiveMatrix BPM, TIBCO JasperReports Server, TIBCO JasperReports Server for AWS Marketplace, and TIBCO JasperReports Server for ActiveMatrix BPM contains a vulnerability that theoretically allows an attacker to exploit HTML injection to gain full control of a web interface containing the output of the report generator component with the privileges of any user that views the affected report(s). The attacker can theoretically exploit this vulnerability when other users view a maliciously generated report, where those reports use Fusion Charts and a data source with contents controlled by the attacker. Affected releases are TIBCO Software Inc.'s TIBCO JasperReports Library: versions 7.1.1 and below, versions 7.2.0 and 7.2.1, version 7.3.0, version 7.5.0, TIBCO JasperReports Library for ActiveMatrix BPM: versions 7.1.1 and below, TIBCO JasperReports Server: versions 7.1.1 and below, version 7.2.0, version 7.5.0, TIBCO JasperReports Server for AWS Marketplace: versions 7.5.0 and below, and TIBCO JasperReports Server for ActiveMatrix BPM: versions 7.1.1 and below.

Affected products Warnungen 0 Metrics 4 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Tibco ≫ Jasperreports Library SwPlatform- Version <= 7.1.1

Tibco ≫ Jasperreports Library SwPlatformactivematrix_bpm Version <= 7.1.1

Tibco ≫ Jasperreports Library Version7.2.0

Tibco ≫ Jasperreports Library Version7.2.1

Tibco ≫ Jasperreports Library Version7.3.0

Tibco ≫ Jasperreports Library Version7.5.0

Tibco ≫ Jasperreports Server SwPlatform- Version <= 7.1.1

Tibco ≫ Jasperreports Server SwPlatformactivematrix_bpm Version <= 7.1.1

Tibco ≫ Jasperreports Server SwPlatformaws_marketplace Version <= 7.5.0

Tibco ≫ Jasperreports Server Version7.2.0

Tibco ≫ Jasperreports Server Version7.5.0

Oracle ≫ Retail Order Broker Version15.0

Oracle ≫ Retail Order Broker Version16.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	1.05%	0.768

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd@nist.gov	6.8	8.6	6.4	AV:N/AC:M/Au:N/C:P/I:P/A:P
security@tibco.com	7.3	2.1	5.2	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://www.oracle.com/security-alerts/cpuoct2020.html

Patch

Third Party Advisory

http://www.tibco.com/services/support/advisories

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2020-9410

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-9410

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-9410

EUVD