Search criteria
177 vulnerabilities
CVE-2025-11548 (GCVE-0-2025-11548)
Vulnerability from cvelistv5 – Published: 2025-10-14 16:45 – Updated: 2025-10-14 19:15
VLAI?
Summary
A remote, unauthenticated privilege escalation in ibi WebFOCUS allows an attacker to gain administrative access to the application which may lead to unauthenticated Remote Code Execution
Severity ?
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11548",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-14T19:15:30.274591Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-14T19:15:39.041Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WebFOCUS",
"vendor": "ibi",
"versions": [
{
"lessThanOrEqual": "3",
"status": "affected",
"version": "9.1",
"versionType": "Patch"
},
{
"lessThanOrEqual": "2",
"status": "affected",
"version": "9.2",
"versionType": "Patch"
}
]
}
],
"datePublic": "2025-10-14T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA remote, unauthenticated privilege escalation in ibi WebFOCUS allows an attacker to gain administrative access to the application \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ewhich may lead to unauthenticated Remote Code Execution\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "A remote, unauthenticated privilege escalation in ibi WebFOCUS allows an attacker to gain administrative access to the application which may lead to unauthenticated Remote Code Execution"
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-14T16:45:08.673Z",
"orgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
"shortName": "tibco"
},
"references": [
{
"url": "https://community.tibco.com/advisories/ibi-security-advisory-october-14-2025-ibi-webfocus-cve-2025-11548-r222/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "ibi WebFOCUS - Unauthenticated RCE Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
"assignerShortName": "tibco",
"cveId": "CVE-2025-11548",
"datePublished": "2025-10-14T16:45:08.673Z",
"dateReserved": "2025-10-09T09:34:03.221Z",
"dateUpdated": "2025-10-14T19:15:39.041Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-2261 (GCVE-0-2025-2261)
Vulnerability from cvelistv5 – Published: 2025-05-21 18:29 – Updated: 2025-05-21 19:47
VLAI?
Summary
Stored XSS in TIBCO ActiveMatrix Administrator allows malicious data to appear to be part of the website and run within user's browser under the privileges of the web application.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| TIBCO Software Inc | TIBCO BPM Enterprise |
Affected:
4.3 , < 4
(Patch)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-2261",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-21T19:46:54.302333Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-21T19:47:10.121Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"TIBCO ActiveMatrix Administrator"
],
"product": "TIBCO BPM Enterprise",
"vendor": "TIBCO Software Inc",
"versions": [
{
"lessThan": "4",
"status": "affected",
"version": "4.3",
"versionType": "Patch"
}
]
}
],
"datePublic": "2025-05-13T16:30:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Stored XSS in TIBCO ActiveMatrix Administrator allows malicious data to appear to be part of the website and run within user\u0027s browser under the privileges of the web application.\u0026nbsp;"
}
],
"value": "Stored XSS in TIBCO ActiveMatrix Administrator allows malicious data to appear to be part of the website and run within user\u0027s browser under the privileges of the web application."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-21T18:29:53.820Z",
"orgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
"shortName": "tibco"
},
"references": [
{
"url": "https://community.tibco.com/advisories/tibco-security-advisory-may-13-2025-tibco-bpm-enterprise-cve-2025-2261-r220/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "TIBCO BPM Enterprise XSS Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
"assignerShortName": "tibco",
"cveId": "CVE-2025-2261",
"datePublished": "2025-05-21T18:29:53.820Z",
"dateReserved": "2025-03-12T17:33:24.449Z",
"dateUpdated": "2025-05-21T19:47:10.121Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-3751 (GCVE-0-2025-3751)
Vulnerability from cvelistv5 – Published: 2025-05-21 18:12 – Updated: 2025-05-21 19:47
VLAI?
Summary
The component listed above contains a vulnerability that can be exploited by an attacker to perform a SQL Injection attack. This could lead to unauthorised access to the database and exposure of sensitive information
Severity ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| TIBCO Software Inc | TIBCO ActiveMatrix BusinessWorks |
Affected:
5.16.1 , < HF-01
(Patch)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3751",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-21T19:47:30.311785Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-21T19:47:52.175Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"TIBCO Administrator"
],
"product": "TIBCO ActiveMatrix BusinessWorks",
"vendor": "TIBCO Software Inc",
"versions": [
{
"lessThan": "HF-01",
"status": "affected",
"version": "5.16.1",
"versionType": "Patch"
}
]
}
],
"datePublic": "2025-05-13T16:30:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe component listed above contains a vulnerability that can be exploited by an attacker to perform a SQL Injection attack. This could lead to unauthorised access to the database and exposure of sensitive information\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "The component listed above contains a vulnerability that can be exploited by an attacker to perform a SQL Injection attack. This could lead to unauthorised access to the database and exposure of sensitive information"
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-21T18:12:59.133Z",
"orgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
"shortName": "tibco"
},
"references": [
{
"url": "https://community.tibco.com/advisories/tibco-security-advisory-may-13-2025-tibco-activematrix-businessworks-cve-2025-3751-r221/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "TIBCO ActiveMatrix BusinessWorks SQL Injection Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
"assignerShortName": "tibco",
"cveId": "CVE-2025-3751",
"datePublished": "2025-05-21T18:12:59.133Z",
"dateReserved": "2025-04-16T21:17:10.801Z",
"dateUpdated": "2025-05-21T19:47:52.175Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-3115 (GCVE-0-2025-3115)
Vulnerability from cvelistv5 – Published: 2025-04-09 18:12 – Updated: 2025-11-11 11:47
VLAI?
Summary
Injection Vulnerabilities: Attackers can inject malicious code, potentially gaining control over the system executing these functions.
Additionally, insufficient validation of filenames during file uploads can enable attackers to upload and execute malicious files, leading to arbitrary code execution
Severity ?
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Spotfire | Spotfire Statistics Services |
Affected:
14 , < 14.0.7
(Patch)
Affected: 14.1.0 (Patch) Affected: 14.2.0 (Patch) Affected: 14.3.0 (Patch) Affected: 14.4.0 (Patch) Affected: 14.4.1 (Patch) |
|||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3115",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-09T18:28:35.698097Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-09T18:29:39.691Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Spotfire Statistics Services",
"vendor": "Spotfire",
"versions": [
{
"lessThan": "14.0.7",
"status": "affected",
"version": "14",
"versionType": "Patch"
},
{
"status": "affected",
"version": "14.1.0",
"versionType": "Patch"
},
{
"status": "affected",
"version": "14.2.0",
"versionType": "Patch"
},
{
"status": "affected",
"version": "14.3.0",
"versionType": "Patch"
},
{
"status": "affected",
"version": "14.4.0",
"versionType": "Patch"
},
{
"status": "affected",
"version": "14.4.1",
"versionType": "Patch"
}
]
},
{
"defaultStatus": "unknown",
"product": "Spotfire Analyst",
"vendor": "Spotfire",
"versions": [
{
"lessThan": "14.0.6",
"status": "affected",
"version": "14.0",
"versionType": "Patch"
},
{
"status": "affected",
"version": "14.1.0",
"versionType": "Patch"
},
{
"status": "affected",
"version": "14.2.0",
"versionType": "Patch"
},
{
"status": "affected",
"version": "14.3.0",
"versionType": "Patch"
},
{
"status": "affected",
"version": "14.4.0",
"versionType": "Patch"
},
{
"status": "affected",
"version": "14.4.1",
"versionType": "Patch"
}
]
},
{
"defaultStatus": "unknown",
"product": "Deployment Kit used in Spotfire Server",
"vendor": "Spotfire",
"versions": [
{
"lessThan": "14.0.7",
"status": "affected",
"version": "14.0",
"versionType": "Patch"
},
{
"status": "affected",
"version": "14.1.0",
"versionType": "Patch"
},
{
"status": "affected",
"version": "14.2.0",
"versionType": "Patch"
},
{
"status": "affected",
"version": "14.3.0",
"versionType": "Patch"
},
{
"status": "affected",
"version": "14.4.0",
"versionType": "Patch"
},
{
"status": "affected",
"version": "14.4.1",
"versionType": "Patch"
}
]
},
{
"defaultStatus": "unknown",
"product": "Spotfire Desktop",
"vendor": "Spotfire",
"versions": [
{
"lessThan": "14.4.2",
"status": "affected",
"version": "14.4",
"versionType": "Patch"
}
]
},
{
"defaultStatus": "unknown",
"product": "Spotfire for AWS Marketplace",
"vendor": "Spotfire",
"versions": [
{
"lessThan": "14.4.2",
"status": "unknown",
"version": "14.4",
"versionType": "Patch"
}
]
},
{
"defaultStatus": "unknown",
"product": "Spotfire Enterprise Runtime for R - Server Edition",
"vendor": "Spotfire",
"versions": [
{
"lessThan": "1.17.7",
"status": "affected",
"version": "1.17",
"versionType": "Patch"
},
{
"status": "affected",
"version": "1.18.0",
"versionType": "Patch"
},
{
"status": "affected",
"version": "1.19.0",
"versionType": "Patch"
},
{
"status": "affected",
"version": "1.20.0",
"versionType": "Patch"
},
{
"status": "affected",
"version": "1.21.0",
"versionType": "Patch"
},
{
"status": "affected",
"version": "1.21.1",
"versionType": "Patch"
}
]
},
{
"defaultStatus": "unknown",
"product": "Spotfire Service for Python",
"vendor": "Spotfire",
"versions": [
{
"lessThan": "1.17.7",
"status": "affected",
"version": "1.17",
"versionType": "Patch"
},
{
"lessThanOrEqual": "1.21.1",
"status": "affected",
"version": "1.18.0",
"versionType": "Patch"
}
]
},
{
"defaultStatus": "unknown",
"product": "Spotfire Service for R",
"vendor": "Spotfire",
"versions": [
{
"lessThan": "1.17.7",
"status": "affected",
"version": "1.17",
"versionType": "Patch"
},
{
"lessThanOrEqual": "1.21.1",
"status": "affected",
"version": "1.18.0",
"versionType": "Patch"
}
]
}
],
"datePublic": "2025-04-08T16:30:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\n\n\u003cstrong\u003eInjection Vulnerabilities: \u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAttackers can inject malicious code, potentially gaining control over the system executing these functions.\u003c/span\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAdditionally, insufficient validation of filenames during file uploads can enable attackers to upload and execute malicious files, leading to arbitrary code execution\u003c/span\u003e\n\n\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Injection Vulnerabilities: Attackers can inject malicious code, potentially gaining control over the system executing these functions.\nAdditionally, insufficient validation of filenames during file uploads can enable attackers to upload and execute malicious files, leading to arbitrary code execution"
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-11T11:47:58.064Z",
"orgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
"shortName": "tibco"
},
"references": [
{
"url": "https://community.spotfire.com/articles/spotfire/spotfire-security-advisory-april-08-2025-spotfire-cve-2025-3115-r3485/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Spotfire Data Function Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
"assignerShortName": "tibco",
"cveId": "CVE-2025-3115",
"datePublished": "2025-04-09T18:12:28.348Z",
"dateReserved": "2025-04-02T10:56:03.148Z",
"dateUpdated": "2025-11-11T11:47:58.064Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-3114 (GCVE-0-2025-3114)
Vulnerability from cvelistv5 – Published: 2025-04-09 17:29 – Updated: 2025-04-15 20:29
VLAI?
Summary
Code Execution via Malicious Files: Attackers can create specially crafted files with embedded code that may execute without adequate security validation, potentially leading to system compromise.
Sandbox Bypass Vulnerability: A flaw in the TERR security mechanism allows attackers to bypass sandbox restrictions, enabling the execution of untrusted code without appropriate controls.
Severity ?
CWE
Assigner
References
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Spotfire | Spotfire Enterprise Runtime for R |
Affected:
6 , ≤ 1.4
(Patch)
|
||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3114",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-09T18:03:07.615805Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-693",
"description": "CWE-693 Protection Mechanism Failure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-15T20:29:11.223Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Spotfire Enterprise Runtime for R",
"vendor": "Spotfire",
"versions": [
{
"lessThanOrEqual": "1.4",
"status": "affected",
"version": "6",
"versionType": "Patch"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Spotfire Statistics Services",
"vendor": "Spotfire",
"versions": [
{
"lessThanOrEqual": "0.6",
"status": "affected",
"version": "14",
"versionType": "Patch"
},
{
"status": "affected",
"version": "14.1.0"
},
{
"status": "affected",
"version": "14.2.0"
},
{
"status": "affected",
"version": "14.3.0"
},
{
"status": "affected",
"version": "14.4.0"
},
{
"status": "affected",
"version": "14.4.1"
}
]
},
{
"defaultStatus": "unknown",
"product": "Spotfire Analyst",
"vendor": "Spotfire",
"versions": [
{
"lessThanOrEqual": "0.5",
"status": "affected",
"version": "14",
"versionType": "Patch"
},
{
"status": "affected",
"version": "14.1.0",
"versionType": "Patch"
},
{
"status": "affected",
"version": "14.2.0",
"versionType": "Patch"
},
{
"status": "affected",
"version": "14.3.0",
"versionType": "Patch"
},
{
"status": "affected",
"version": "14.4.0",
"versionType": "Patch"
},
{
"status": "affected",
"version": "14.4.1",
"versionType": "Patch"
}
]
},
{
"defaultStatus": "unknown",
"product": "Deployment Kit used in Spotfire Server",
"vendor": "Spotfire",
"versions": [
{
"lessThanOrEqual": "0.6",
"status": "affected",
"version": "14",
"versionType": "Patch"
},
{
"status": "affected",
"version": "14.1.0",
"versionType": "Patch"
},
{
"status": "affected",
"version": "14.2.0",
"versionType": "Patch"
},
{
"status": "affected",
"version": "14.3.0",
"versionType": "Patch"
},
{
"status": "affected",
"version": "14.4.0",
"versionType": "Patch"
},
{
"status": "affected",
"version": "14.4.1",
"versionType": "Patch"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Spotfire Desktop",
"vendor": "Spotfire",
"versions": [
{
"lessThanOrEqual": "4.1",
"status": "affected",
"version": "14",
"versionType": "Patch"
}
]
},
{
"defaultStatus": "unknown",
"product": "Spotfire for AWS Marketplace",
"vendor": "Spotfire",
"versions": [
{
"lessThanOrEqual": "4.1",
"status": "unknown",
"version": "14",
"versionType": "Patch"
}
]
},
{
"defaultStatus": "unknown",
"product": "Spotfire Enterprise Runtime for R - Server Edition",
"vendor": "Spotfire",
"versions": [
{
"lessThanOrEqual": "17.6",
"status": "affected",
"version": "1",
"versionType": "Patch"
},
{
"status": "affected",
"version": "1.18.0",
"versionType": "Patch"
},
{
"status": "affected",
"version": "1.19.0",
"versionType": "Patch"
},
{
"status": "affected",
"version": "1.20.0",
"versionType": "Patch"
},
{
"status": "affected",
"version": "1.21.0",
"versionType": "Patch"
},
{
"status": "affected",
"version": "1.21.1",
"versionType": "Patch"
}
]
}
],
"datePublic": "2025-04-08T16:30:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003cstrong\u003eCode Execution via Malicious Files:\u003c/strong\u003e\u0026nbsp;Attackers can create specially crafted files with embedded code that may execute without adequate security validation, potentially leading to system compromise.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSandbox Bypass Vulnerability:\u003c/strong\u003e\u0026nbsp;A flaw in the TERR security mechanism allows attackers to bypass sandbox restrictions, enabling the execution of untrusted code without appropriate controls.\u003c/p\u003e"
}
],
"value": "Code Execution via Malicious Files:\u00a0Attackers can create specially crafted files with embedded code that may execute without adequate security validation, potentially leading to system compromise.\n\nSandbox Bypass Vulnerability:\u00a0A flaw in the TERR security mechanism allows attackers to bypass sandbox restrictions, enabling the execution of untrusted code without appropriate controls."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-09T17:29:48.612Z",
"orgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
"shortName": "tibco"
},
"references": [
{
"url": "https://community.spotfire.com/articles/spotfire/spotfire-security-advisory-april-08-2025-spotfire-cve-2025-3114-r3484/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Spotfire Code Execution Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
"assignerShortName": "tibco",
"cveId": "CVE-2025-3114",
"datePublished": "2025-04-09T17:29:48.612Z",
"dateReserved": "2025-04-02T10:55:41.023Z",
"dateUpdated": "2025-04-15T20:29:11.223Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-10218 (GCVE-0-2024-10218)
Vulnerability from cvelistv5 – Published: 2024-11-12 19:14 – Updated: 2024-11-22 20:41
VLAI?
Summary
XSS Attack in mar.jar, Monitoring Archive Utility (MAR Utility), monitoringconsolecommon.jar in TIBCO Software Inc TIBCO Hawk and TIBCO Operational Intelligence
Severity ?
CWE
- The components listed above contain a vulnerability that allows the author of a malicious .mar file to perform an XEE attack
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| TIBCO Software Inc | TIBCO Hawk |
Affected:
6.2 , < 5
(Patch)
|
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-10218",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-12T20:34:41.505582Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611 Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-22T20:41:19.178Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Monitoring Archive Utility (MAR Utility)",
"monitoringconsolecommon.jar"
],
"product": "TIBCO Hawk",
"vendor": "TIBCO Software Inc",
"versions": [
{
"lessThan": "5",
"status": "affected",
"version": "6.2",
"versionType": "Patch"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"Monitoring Archive Utility (MAR Utility)",
"monitoringconsolecommon.jar"
],
"product": "TIBCO Operational Intelligence",
"vendor": "TIBCO Software Inc",
"versions": [
{
"lessThan": "0",
"status": "affected",
"version": "7.3",
"versionType": "Patch"
}
]
}
],
"datePublic": "2024-11-12T18:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "XSS Attack in \u003cspan style=\"background-color: transparent;\"\u003emar.jar, Monitoring Archive Utility (MAR Utility),\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003emonitoringconsolecommon.jar\u003c/span\u003e\u0026nbsp;in \u003cspan style=\"background-color: transparent;\"\u003eTIBCO Software Inc\u003c/span\u003e\u0026nbsp;TIBCO Hawk and\u0026nbsp;\u003cspan style=\"background-color: transparent;\"\u003eTIBCO Operational Intelligence\u003c/span\u003e\u0026nbsp;\u003cbr\u003e"
}
],
"value": "XSS Attack in mar.jar, Monitoring Archive Utility (MAR Utility),\u00a0monitoringconsolecommon.jar\u00a0in TIBCO Software Inc\u00a0TIBCO Hawk and\u00a0TIBCO Operational Intelligence"
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "The impact of this vulnerability includes the theoretical possibility that an attacker could manipulate the system with the same privileges as the logged in user"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NO",
"Recovery": "USER",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.2,
"baseSeverity": "CRITICAL",
"privilegesRequired": "HIGH",
"providerUrgency": "GREEN",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "CONCENTRATED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:N/SC:L/SI:N/SA:H/AU:N/R:U/V:C/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "The components listed above contain a vulnerability that allows the author of a malicious .mar file to perform an XEE attack",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T19:14:00.748Z",
"orgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
"shortName": "tibco"
},
"references": [
{
"url": "https://community.tibco.com/advisories"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "TIBCO Hawk Stored-XEE Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
"assignerShortName": "tibco",
"cveId": "CVE-2024-10218",
"datePublished": "2024-11-12T19:14:00.748Z",
"dateReserved": "2024-10-21T18:00:07.536Z",
"dateUpdated": "2024-11-22T20:41:19.178Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-10217 (GCVE-0-2024-10217)
Vulnerability from cvelistv5 – Published: 2024-11-12 19:12 – Updated: 2024-11-21 16:15
VLAI?
Summary
XSS Attack in mar.jar, Monitoring Archive Utility (MAR Utility), monitoringconsolecommon.jar in TIBCO Software Inc TIBCO Hawk and TIBCO Operational Intelligence
Severity ?
CWE
- The components listed above contain a vulnerability that allows the author of a malicious .mar file to perform an XSS attack
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| TIBCO Software Inc | TIBCO Hawk |
Affected:
6.2 , < 5
(Patch)
|
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-10217",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-12T20:38:33.171368Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-21T16:15:44.718Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Monitoring Archive Utility (MAR Utility)",
"monitoringconsolecommon.jar"
],
"product": "TIBCO Hawk",
"vendor": "TIBCO Software Inc",
"versions": [
{
"lessThan": "5",
"status": "affected",
"version": "6.2",
"versionType": "Patch"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"Monitoring Archive Utility (MAR Utility)",
"monitoringconsolecommon.jar"
],
"product": "TIBCO Operational Intelligence",
"vendor": "TIBCO Software Inc",
"versions": [
{
"lessThan": "0",
"status": "affected",
"version": "7.3",
"versionType": "Patch"
}
]
}
],
"datePublic": "2024-11-12T18:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "XSS Attack in \u003cspan style=\"background-color: transparent;\"\u003emar.jar, Monitoring Archive Utility (MAR Utility),\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003emonitoringconsolecommon.jar\u003c/span\u003e\u0026nbsp;in \u003cspan style=\"background-color: transparent;\"\u003eTIBCO Software Inc\u003c/span\u003e\u0026nbsp;TIBCO Hawk and\u0026nbsp;\u003cspan style=\"background-color: transparent;\"\u003eTIBCO Operational Intelligence\u003c/span\u003e\u0026nbsp;\u003cbr\u003e"
}
],
"value": "XSS Attack in mar.jar, Monitoring Archive Utility (MAR Utility),\u00a0monitoringconsolecommon.jar\u00a0in TIBCO Software Inc\u00a0TIBCO Hawk and\u00a0TIBCO Operational Intelligence"
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "The impact of this vulnerability includes the theoretical possibility that an attacker could manipulate the system with the same privileges as the logged in user"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NO",
"Recovery": "USER",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.2,
"baseSeverity": "CRITICAL",
"privilegesRequired": "HIGH",
"providerUrgency": "GREEN",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "CONCENTRATED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:N/SC:L/SI:N/SA:H/AU:N/R:U/V:C/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "The components listed above contain a vulnerability that allows the author of a malicious .mar file to perform an XSS attack",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T19:12:54.360Z",
"orgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
"shortName": "tibco"
},
"references": [
{
"url": "https://community.tibco.com/advisories"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "TIBCO Hawk Stored-XSS Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
"assignerShortName": "tibco",
"cveId": "CVE-2024-10217",
"datePublished": "2024-11-12T19:12:54.360Z",
"dateReserved": "2024-10-21T18:00:05.765Z",
"dateUpdated": "2024-11-21T16:15:44.718Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-3325 (GCVE-0-2024-3325)
Vulnerability from cvelistv5 – Published: 2024-07-10 17:02 – Updated: 2024-08-01 20:05
VLAI?
Summary
Vulnerability in Jaspersoft JasperReport Servers.This issue affects JasperReport Servers: from 8.0.4 through 9.0.0.
Severity ?
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Jaspersoft | JasperReport Servers |
Affected:
8.0.4 , ≤ 9.0.0
(Patch)
|
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:tibco:jasperreports_server:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jasperreports_server",
"vendor": "tibco",
"versions": [
{
"lessThanOrEqual": "9.0.0",
"status": "affected",
"version": "8.0.4",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-3325",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-10T19:38:52.601530Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-11T17:45:36.574Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:05:08.439Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://community.jaspersoft.com/advisories/jaspersoft-security-advisory-july-9-2024-jasperreports-server-cve-2024-3325-r4/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "JasperReport Servers",
"vendor": "Jaspersoft",
"versions": [
{
"lessThanOrEqual": "9.0.0",
"status": "affected",
"version": "8.0.4",
"versionType": "Patch"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Vulnerability in Jaspersoft JasperReport Servers.\u003cp\u003eThis issue affects JasperReport Servers: from 8.0.4 through 9.0.0.\u003c/p\u003e"
}
],
"value": "Vulnerability in Jaspersoft JasperReport Servers.This issue affects JasperReport Servers: from 8.0.4 through 9.0.0."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-10T17:02:14.138Z",
"orgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
"shortName": "tibco"
},
"references": [
{
"url": "https://community.jaspersoft.com/advisories/jaspersoft-security-advisory-july-9-2024-jasperreports-server-cve-2024-3325-r4/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "JasperReports Server Driver upload vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
"assignerShortName": "tibco",
"cveId": "CVE-2024-3325",
"datePublished": "2024-07-10T17:02:14.138Z",
"dateReserved": "2024-04-04T17:01:26.198Z",
"dateUpdated": "2024-08-01T20:05:08.439Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-3331 (GCVE-0-2024-3331)
Vulnerability from cvelistv5 – Published: 2024-06-27 18:50 – Updated: 2024-10-29 19:56
VLAI?
Summary
Vulnerability in Spotfire Spotfire Enterprise Runtime for R - Server Edition, Spotfire Spotfire Statistics Services, Spotfire Spotfire Analyst, Spotfire Spotfire Desktop, Spotfire Spotfire Server allows The impact of this vulnerability depends on the privileges of the user running the affected software..This issue affects Spotfire Enterprise Runtime for R - Server Edition: from 1.12.7 through 1.20.0; Spotfire Statistics Services: from 12.0.7 through 12.3.1, from 14.0.0 through 14.3.0; Spotfire Analyst: from 12.0.9 through 12.5.0, from 14.0.0 through 14.3.0; Spotfire Desktop: from 14.0 through 14.3.0; Spotfire Server: from 12.0.10 through 12.5.0, from 14.0.0 through 14.3.0.
Severity ?
6.8 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Spotfire | Spotfire Enterprise Runtime for R - Server Edition |
Affected:
1.12.7 , ≤ 1.20.0
(patch)
|
||||||||||||||||||||||
|
||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-3331",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-01T19:50:43.928829Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-29T19:56:28.829Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:05:08.452Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://community.spotfire.com/articles/spotfire/spotfire-security-advisory-june-262024-spotfire-cve-2024-3331-r3436/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Spotfire Enterprise Runtime for R - Server Edition",
"vendor": "Spotfire",
"versions": [
{
"lessThanOrEqual": "1.20.0",
"status": "affected",
"version": "1.12.7",
"versionType": "patch"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Spotfire Statistics Services",
"vendor": "Spotfire",
"versions": [
{
"lessThanOrEqual": "12.3.1",
"status": "affected",
"version": "12.0.7",
"versionType": "patch"
},
{
"lessThanOrEqual": "14.3.0",
"status": "affected",
"version": "14.0.0",
"versionType": "patch"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Spotfire Analyst",
"vendor": "Spotfire",
"versions": [
{
"lessThanOrEqual": "12.5.0",
"status": "affected",
"version": "12.0.9",
"versionType": "patch"
},
{
"lessThanOrEqual": "14.3.0",
"status": "affected",
"version": "14.0.0",
"versionType": "Patch"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Spotfire Desktop",
"vendor": "Spotfire",
"versions": [
{
"lessThanOrEqual": "14.3.0",
"status": "affected",
"version": "14.0",
"versionType": "patch"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Spotfire Server",
"vendor": "Spotfire",
"versions": [
{
"lessThanOrEqual": "12.5.0",
"status": "affected",
"version": "12.0.10",
"versionType": "patch"
},
{
"lessThanOrEqual": "14.3.0",
"status": "affected",
"version": "14.0.0",
"versionType": "patch"
}
]
}
],
"datePublic": "2024-06-26T06:30:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Vulnerability in Spotfire Spotfire Enterprise Runtime for R - Server Edition, Spotfire Spotfire Statistics Services, Spotfire Spotfire Analyst, Spotfire Spotfire Desktop, Spotfire Spotfire Server allows The impact of this vulnerability depends on the privileges of the user running the affected software..\u003cp\u003eThis issue affects Spotfire Enterprise Runtime for R - Server Edition: from 1.12.7 through 1.20.0; Spotfire Statistics Services: from 12.0.7 through 12.3.1, from 14.0.0 through 14.3.0; Spotfire Analyst: from 12.0.9 through 12.5.0, from 14.0.0 through 14.3.0; Spotfire Desktop: from 14.0 through 14.3.0; Spotfire Server: from 12.0.10 through 12.5.0, from 14.0.0 through 14.3.0.\u003c/p\u003e"
}
],
"value": "Vulnerability in Spotfire Spotfire Enterprise Runtime for R - Server Edition, Spotfire Spotfire Statistics Services, Spotfire Spotfire Analyst, Spotfire Spotfire Desktop, Spotfire Spotfire Server allows The impact of this vulnerability depends on the privileges of the user running the affected software..This issue affects Spotfire Enterprise Runtime for R - Server Edition: from 1.12.7 through 1.20.0; Spotfire Statistics Services: from 12.0.7 through 12.3.1, from 14.0.0 through 14.3.0; Spotfire Analyst: from 12.0.9 through 12.5.0, from 14.0.0 through 14.3.0; Spotfire Desktop: from 14.0 through 14.3.0; Spotfire Server: from 12.0.10 through 12.5.0, from 14.0.0 through 14.3.0."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "The impact of this vulnerability depends on the privileges of the user running the affected software."
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-27T18:50:13.758Z",
"orgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
"shortName": "tibco"
},
"references": [
{
"url": "https://community.spotfire.com/articles/spotfire/spotfire-security-advisory-june-262024-spotfire-cve-2024-3331-r3436/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cb\u003e\u003cdiv\u003e\u003cb\u003e\u003cul\u003e\u003cli\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eSpotfire Enterprise Runtime for R (aka TERR) 4.5.0, 5.0.0, 5.1.0, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.1.0, 6.1.1, 6.1.2: upgrade to version 6.1.3 or higher\u003c/span\u003e\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003cbr\u003e\u003cul\u003e\u003cli\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eSpotfire Enterprise Runtime for R - Server Edition 1.12.7 and earlier: upgrade to version 1.12.8 or higher\u003c/span\u003e\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eSpotfire Enterprise Runtime for R - Server Edition 1.13.0, 1.14.0, 1.15.0, 1.16.0, 1.17.0, 1.17.1, 1.17.2, 1.17.3: upgrade to version 1.17.4 or higher\u003c/span\u003e\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eSpotfire Enterprise Runtime for R - Server Edition 1.18.0, 1.19.0, 1.20.0: upgrade to version 1.21.0 or higher\u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003e\u003cbr\u003e\u003cbr\u003e\u003c/span\u003e\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eSpotfire Statistics Services 12.0.7 and earlier: upgrade to version 12.0.8 or higher\u003c/span\u003e\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eSpotfire Statistics Services 12.1.0, 12.2.0, 12.3.0, 12.3.1, 14.0.0, 14.0.1, 14.0.2, 14.0.3: upgrade to version 14.0.4 or higher\u003c/span\u003e\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eSpotfire Statistics Services 14.1.0, 14.2.0, 14.3.0: upgrade to version 14.4.0 or higher\u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003e\u003cbr\u003e\u003cbr\u003e\u003c/span\u003e\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eSpotfire Analyst 12.0.9 and earlier: upgrade to version 12.0.10 or higher\u003c/span\u003e\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eSpotfire Analyst 12.1.0, 12.1.1, 12.2.0, 12.3.0, 12.4.0, 12.5.0, 14.0.0, 14.0.1, 14.0.2: upgrade to version 14.0.3 or higher\u003c/span\u003e\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eSpotfire Analyst 14.1.0, 14.2.0, 14.3.0: upgrade to version 14.4.0 or higher\u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003e\u003cbr\u003e\u003cbr\u003e\u003c/span\u003e\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eSpotfire Desktop 14.3.0 and earlier: upgrade to version 14.4.0 or higher\u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003e\u003cbr\u003e\u003cbr\u003e\u003c/span\u003e\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eSpotfire Server 12.0.10 and earlier: upgrade to version 12.0.11 or higher\u003c/span\u003e\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eSpotfire Server 12.1.0, 12.1.1, 12.2.0, 12.3.0, 12.4.0, 12.5.0, 14.0.0, 14.0.1, 14.0.2, 14.0.3: upgrade to version 14.0.4 or higher\u003c/span\u003e\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eSpotfire Server 14.1.0, 14.2.0, 14.3.0: upgrade to version 14.4.0 or higher\u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003e\u003cbr\u003e\u003cbr\u003e\u003c/span\u003e\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eSpotfire for AWS Marketplace 14.3.0 and earlier: upgrade to version 14.4.0 or higher\u003c/span\u003e\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/b\u003e\u003c/div\u003e\u003c/b\u003e"
}
],
"value": "* Spotfire Enterprise Runtime for R (aka TERR) 4.5.0, 5.0.0, 5.1.0, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.1.0, 6.1.1, 6.1.2: upgrade to version 6.1.3 or higher\n\n\n\n\n\n * Spotfire Enterprise Runtime for R - Server Edition 1.12.7 and earlier: upgrade to version 1.12.8 or higher\n\n\n * Spotfire Enterprise Runtime for R - Server Edition 1.13.0, 1.14.0, 1.15.0, 1.16.0, 1.17.0, 1.17.1, 1.17.2, 1.17.3: upgrade to version 1.17.4 or higher\n\n\n * Spotfire Enterprise Runtime for R - Server Edition 1.18.0, 1.19.0, 1.20.0: upgrade to version 1.21.0 or higher\n\n\n\n\n * Spotfire Statistics Services 12.0.7 and earlier: upgrade to version 12.0.8 or higher\n\n\n * Spotfire Statistics Services 12.1.0, 12.2.0, 12.3.0, 12.3.1, 14.0.0, 14.0.1, 14.0.2, 14.0.3: upgrade to version 14.0.4 or higher\n\n\n * Spotfire Statistics Services 14.1.0, 14.2.0, 14.3.0: upgrade to version 14.4.0 or higher\n\n\n\n\n * Spotfire Analyst 12.0.9 and earlier: upgrade to version 12.0.10 or higher\n\n\n * Spotfire Analyst 12.1.0, 12.1.1, 12.2.0, 12.3.0, 12.4.0, 12.5.0, 14.0.0, 14.0.1, 14.0.2: upgrade to version 14.0.3 or higher\n\n\n * Spotfire Analyst 14.1.0, 14.2.0, 14.3.0: upgrade to version 14.4.0 or higher\n\n\n\n\n * Spotfire Desktop 14.3.0 and earlier: upgrade to version 14.4.0 or higher\n\n\n\n\n * Spotfire Server 12.0.10 and earlier: upgrade to version 12.0.11 or higher\n\n\n * Spotfire Server 12.1.0, 12.1.1, 12.2.0, 12.3.0, 12.4.0, 12.5.0, 14.0.0, 14.0.1, 14.0.2, 14.0.3: upgrade to version 14.0.4 or higher\n\n\n * Spotfire Server 14.1.0, 14.2.0, 14.3.0: upgrade to version 14.4.0 or higher\n\n\n\n\n * Spotfire for AWS Marketplace 14.3.0 and earlier: upgrade to version 14.4.0 or higher"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Spotfire: NTLM token leakage",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
"assignerShortName": "tibco",
"cveId": "CVE-2024-3331",
"datePublished": "2024-06-27T18:50:13.758Z",
"dateReserved": "2024-04-04T17:01:59.760Z",
"dateUpdated": "2024-10-29T19:56:28.829Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-3330 (GCVE-0-2024-3330)
Vulnerability from cvelistv5 – Published: 2024-06-27 18:37 – Updated: 2024-08-01 20:05
VLAI?
Summary
Vulnerability in Spotfire Spotfire Analyst, Spotfire Spotfire Server, Spotfire Spotfire for AWS Marketplace allows In the case of the installed Windows client: Successful execution of this vulnerability will result in an attacker being able to run arbitrary code.This requires human interaction from a person other than the attacker., In the case of the Web player (Business Author): Successful execution of this vulnerability via the Web Player, will result in the attacker being able to run arbitrary code as the account running the Web player process, In the case of Automation Services: Successful execution of this vulnerability will result in an attacker being able to run arbitrary code via Automation Services..This issue affects Spotfire Analyst: from 12.0.9 through 12.5.0, from 14.0 through 14.0.2; Spotfire Server: from 12.0.10 through 12.5.0, from 14.0 through 14.0.3, from 14.2.0 through 14.3.0; Spotfire for AWS Marketplace: from 14.0 before 14.3.0.
Severity ?
9.9 (Critical)
CWE
- CWE-250 - Execution with Unnecessary Privileges
Assigner
References
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Spotfire | Spotfire Analyst |
Affected:
12.0.9 , ≤ 12.5.0
(patch)
Affected: 14.0 , ≤ 14.0.2 (patch) |
||||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:tibco:spotfire_analyst:12.1.0:*:*:*:*:*:*:*",
"cpe:2.3:a:tibco:spotfire_analyst:12.1.1:*:*:*:*:*:*:*",
"cpe:2.3:a:tibco:spotfire_analyst:12.2.0:*:*:*:*:*:*:*",
"cpe:2.3:a:tibco:spotfire_analyst:12.3.0:*:*:*:*:*:*:*",
"cpe:2.3:a:tibco:spotfire_analyst:12.4.0:*:*:*:*:*:*:*",
"cpe:2.3:a:tibco:spotfire_analyst:12.5.0:*:*:*:*:*:*:*",
"cpe:2.3:a:tibco:spotfire_analyst:14.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:tibco:spotfire_analyst:14.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:tibco:spotfire_analyst:14.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:tibco:spotfire_analyst:14.1.0:*:*:*:*:*:*:*",
"cpe:2.3:a:tibco:spotfire_analyst:14.2.0:*:*:*:*:*:*:*",
"cpe:2.3:a:tibco:spotfire_analyst:14.3.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "spotfire_analyst",
"vendor": "tibco",
"versions": [
{
"status": "affected",
"version": "12.1.0"
},
{
"status": "affected",
"version": "12.1.1"
},
{
"status": "affected",
"version": "12.2.0"
},
{
"status": "affected",
"version": "12.3.0"
},
{
"status": "affected",
"version": "12.4.0"
},
{
"status": "affected",
"version": "12.5.0"
},
{
"status": "affected",
"version": "14.0.0"
},
{
"status": "affected",
"version": "14.0.1"
},
{
"status": "affected",
"version": "14.0.2"
},
{
"status": "affected",
"version": "14.1.0"
},
{
"status": "affected",
"version": "14.2.0"
},
{
"status": "affected",
"version": "14.3.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:tibco:spotfire_server:12.1.0:*:*:*:*:*:*:*",
"cpe:2.3:a:tibco:spotfire_server:12.1.1:*:*:*:*:*:*:*",
"cpe:2.3:a:tibco:spotfire_server:12.2.0:*:*:*:*:*:*:*",
"cpe:2.3:a:tibco:spotfire_server:12.3.0:*:*:*:*:*:*:*",
"cpe:2.3:a:tibco:spotfire_server:12.4.0:*:*:*:*:*:*:*",
"cpe:2.3:a:tibco:spotfire_server:12.5.0:*:*:*:*:*:*:*",
"cpe:2.3:a:tibco:spotfire_server:14.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:tibco:spotfire_server:14.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:tibco:spotfire_server:14.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:tibco:spotfire_server:14.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:tibco:spotfire_server:14.2.0:*:*:*:*:*:*:*",
"cpe:2.3:a:tibco:spotfire_server:14.3.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "spotfire_server",
"vendor": "tibco",
"versions": [
{
"status": "affected",
"version": "12.1.0"
},
{
"status": "affected",
"version": "12.1.1"
},
{
"status": "affected",
"version": "12.2.0"
},
{
"status": "affected",
"version": "12.3.0"
},
{
"status": "affected",
"version": "12.4.0"
},
{
"status": "affected",
"version": "12.5.0"
},
{
"status": "affected",
"version": "14.0.0"
},
{
"status": "affected",
"version": "14.0.1"
},
{
"status": "affected",
"version": "14.0.2"
},
{
"status": "affected",
"version": "14.0.3"
},
{
"status": "affected",
"version": "14.2.0"
},
{
"status": "affected",
"version": "14.3.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:tibco:spotfire_analytics_platform_for_aws:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "spotfire_analytics_platform_for_aws",
"vendor": "tibco",
"versions": [
{
"lessThanOrEqual": "14.3.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:tibco:spotfire_analyst:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "spotfire_analyst",
"vendor": "tibco",
"versions": [
{
"lessThanOrEqual": "12.0.9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:tibco:spotfire_server:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "spotfire_server",
"vendor": "tibco",
"versions": [
{
"lessThanOrEqual": "12.0.10",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-3330",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-02T19:33:08.056282Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-250",
"description": "CWE-250 Execution with Unnecessary Privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-22T20:02:22.998Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:05:08.410Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://community.spotfire.com/articles/spotfire/spotfire-security-advisory-june-262024-spotfire-cve-2024-3330-r3435/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Spotfire Analyst",
"vendor": "Spotfire",
"versions": [
{
"lessThanOrEqual": "12.5.0",
"status": "affected",
"version": "12.0.9",
"versionType": "patch"
},
{
"lessThanOrEqual": "14.0.2",
"status": "affected",
"version": "14.0",
"versionType": "patch"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Spotfire Server",
"vendor": "Spotfire",
"versions": [
{
"lessThanOrEqual": "12.5.0",
"status": "affected",
"version": "12.0.10",
"versionType": "patch"
},
{
"lessThanOrEqual": "14.0.3",
"status": "affected",
"version": "14.0",
"versionType": "patch"
},
{
"lessThanOrEqual": "14.3.0",
"status": "affected",
"version": "14.2.0",
"versionType": "patch"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Spotfire for AWS Marketplace",
"vendor": "Spotfire",
"versions": [
{
"lessThan": "14.3.0",
"status": "affected",
"version": "14.0",
"versionType": "patch"
}
]
}
],
"datePublic": "2024-06-26T06:30:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Vulnerability in Spotfire Spotfire Analyst, Spotfire Spotfire Server, Spotfire Spotfire for AWS Marketplace allows In the case of the installed Windows client: Successful execution of this vulnerability will result in an attacker being able to run arbitrary code.This requires human interaction from a person other than the attacker., In the case of the Web player (Business Author): Successful execution of this vulnerability via the Web Player, will result in the attacker being able to run arbitrary code as the account running the Web player process, In the case of Automation Services: Successful execution of this vulnerability will result in an attacker being able to run arbitrary code via Automation Services..\u003cp\u003eThis issue affects Spotfire Analyst: from 12.0.9 through 12.5.0, from 14.0 through 14.0.2; Spotfire Server: from 12.0.10 through 12.5.0, from 14.0 through 14.0.3, from 14.2.0 through 14.3.0; Spotfire for AWS Marketplace: from 14.0 before 14.3.0.\u003c/p\u003e"
}
],
"value": "Vulnerability in Spotfire Spotfire Analyst, Spotfire Spotfire Server, Spotfire Spotfire for AWS Marketplace allows In the case of the installed Windows client: Successful execution of this vulnerability will result in an attacker being able to run arbitrary code.This requires human interaction from a person other than the attacker., In the case of the Web player (Business Author): Successful execution of this vulnerability via the Web Player, will result in the attacker being able to run arbitrary code as the account running the Web player process, In the case of Automation Services: Successful execution of this vulnerability will result in an attacker being able to run arbitrary code via Automation Services..This issue affects Spotfire Analyst: from 12.0.9 through 12.5.0, from 14.0 through 14.0.2; Spotfire Server: from 12.0.10 through 12.5.0, from 14.0 through 14.0.3, from 14.2.0 through 14.3.0; Spotfire for AWS Marketplace: from 14.0 before 14.3.0."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "In the case of the installed Windows client: Successful execution of this vulnerability will result in an attacker being able to run arbitrary code.This requires human interaction from a person other than the attacker."
}
]
},
{
"descriptions": [
{
"lang": "en",
"value": "In the case of the Web player (Business Author): Successful execution of this vulnerability via the Web Player, will result in the attacker being able to run arbitrary code as the account running the Web player process"
}
]
},
{
"descriptions": [
{
"lang": "en",
"value": "In the case of Automation Services: Successful execution of this vulnerability will result in an attacker being able to run arbitrary code via Automation Services."
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-27T18:37:34.119Z",
"orgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
"shortName": "tibco"
},
"references": [
{
"url": "https://community.spotfire.com/articles/spotfire/spotfire-security-advisory-june-262024-spotfire-cve-2024-3330-r3435/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cb\u003e\u003cul\u003e\u003cli\u003e\u003cp\u003e\u003cspan style=\"background-color: rgb(254, 254, 254);\"\u003eSpotfire Analyst 12.0.9 and earlier: upgrade to version 12.0.10 or higher\u003c/span\u003e\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003e\u003cspan style=\"background-color: rgb(254, 254, 254);\"\u003eSpotfire Analyst 12.1.0, 12.1.1, 12.2.0, 12.3.0, 12.4.0, 12.5.0, 14.0.0, 14.0.1, 14.0.2: upgrade to version 14.0.3 or higher\u003c/span\u003e\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003e\u003cspan style=\"background-color: rgb(254, 254, 254);\"\u003eSpotfire Analyst 14.1.0, 14.2.0, 14.3.0: upgrade to version 14.4.0\u003c/span\u003e\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003e\u003cspan style=\"background-color: rgb(254, 254, 254);\"\u003eSpotfire Server 12.0.10 and earlier: upgrade to version 12.0.11\u003c/span\u003e\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003e\u003cspan style=\"background-color: rgb(254, 254, 254);\"\u003eSpotfire Server 12.1.0, 12.1.1, 12.2.0, 12.3.0, 12.4.0, 12.5.0, 14.0.0, 14.0.1, 14.0.2, 14.0.3: upgrade to version 14.0.4 or higher\u003c/span\u003e\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003e\u003cspan style=\"background-color: rgb(254, 254, 254);\"\u003eSpotfire Server 14.2.0, 14.3.0: upgrade to version 14.4.0\u003c/span\u003e\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003e\u003cspan style=\"background-color: rgb(254, 254, 254);\"\u003eSpotfire for AWS Marketplace 14.3.0 and earlier: upgrade to version 14.4.0 or higher\u003c/span\u003e\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/b\u003e"
}
],
"value": "* Spotfire Analyst 12.0.9 and earlier: upgrade to version 12.0.10 or higher\n\n\n * Spotfire Analyst 12.1.0, 12.1.1, 12.2.0, 12.3.0, 12.4.0, 12.5.0, 14.0.0, 14.0.1, 14.0.2: upgrade to version 14.0.3 or higher\n\n\n * Spotfire Analyst 14.1.0, 14.2.0, 14.3.0: upgrade to version 14.4.0\n\n\n * Spotfire Server 12.0.10 and earlier: upgrade to version 12.0.11\n\n\n * Spotfire Server 12.1.0, 12.1.1, 12.2.0, 12.3.0, 12.4.0, 12.5.0, 14.0.0, 14.0.1, 14.0.2, 14.0.3: upgrade to version 14.0.4 or higher\n\n\n * Spotfire Server 14.2.0, 14.3.0: upgrade to version 14.4.0\n\n\n * Spotfire for AWS Marketplace 14.3.0 and earlier: upgrade to version 14.4.0 or higher"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Spotfire Remote Code Execution Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
"assignerShortName": "tibco",
"cveId": "CVE-2024-3330",
"datePublished": "2024-06-27T18:37:34.119Z",
"dateReserved": "2024-04-04T17:01:54.246Z",
"dateUpdated": "2024-08-01T20:05:08.410Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-4576 (GCVE-0-2024-4576)
Vulnerability from cvelistv5 – Published: 2024-06-13 06:31 – Updated: 2024-10-27 21:52
VLAI?
Summary
The component listed above contains a vulnerability that allows an attacker to traverse directories and access sensitive files, leading to unauthorized disclosure of system configuration and potentially sensitive information.
Severity ?
5.3 (Medium)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-4576",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-14T18:27:06.313882Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-27T21:52:02.177Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:47:41.192Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://community.tibco.com/advisories/tibco-security-advisory-june-11-2024-tibco-ebx-cve-2024-4576-r215/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "EBX",
"vendor": "Tibco",
"versions": [
{
"lessThanOrEqual": "9.25",
"status": "affected",
"version": "5",
"versionType": "patch"
},
{
"lessThanOrEqual": "1.3 HF2",
"status": "affected",
"version": "6",
"versionType": "hotfix"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe component listed above contains a vulnerability that allows an attacker to traverse directories and access sensitive files, leading to unauthorized disclosure of system configuration and potentially sensitive information.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "The component listed above contains a vulnerability that allows an attacker to traverse directories and access sensitive files, leading to unauthorized disclosure of system configuration and potentially sensitive information."
}
],
"providerMetadata": {
"dateUpdated": "2024-06-13T06:31:41.034Z",
"orgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
"shortName": "tibco"
},
"references": [
{
"url": "https://community.tibco.com/advisories/tibco-security-advisory-june-11-2024-tibco-ebx-cve-2024-4576-r215/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "TIBCO EBX File Inclusion Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
"assignerShortName": "tibco",
"cveId": "CVE-2024-4576",
"datePublished": "2024-06-13T06:31:41.034Z",
"dateReserved": "2024-05-06T22:07:32.628Z",
"dateUpdated": "2024-10-27T21:52:02.177Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-3182 (GCVE-0-2024-3182)
Vulnerability from cvelistv5 – Published: 2024-05-15 18:04 – Updated: 2024-08-01 20:05
VLAI?
Summary
Install-type password disclosure vulnerability in Universal Installer including the Silent Installer in TIBCO Hawk versions 6.2.0, 6.2.1, 6.2.2 and 6.2.3 allows user's Enterprise Message Service (EMS) password to be exposed outside of the hawkagent.cfg and hawkevent.cfg config files.
Severity ?
6.5 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:tibco:hawk:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "hawk",
"vendor": "tibco",
"versions": [
{
"lessThan": "6.2.4",
"status": "affected",
"version": "6.2.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-3182",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-11T17:06:33.188845Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-01T15:15:06.991Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:05:07.485Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://community.tibco.com/advisories/tibco-security-advisory-may-14-2024-tibco-hawk-cve-2024-3182-r213/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Hawk",
"vendor": "TIBCO",
"versions": [
{
"lessThan": "6.2.4",
"status": "affected",
"version": "6.2.0",
"versionType": "patch"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(248, 248, 248);\"\u003eInstall-type password disclosure vulnerability in\u0026nbsp;\u003cspan style=\"background-color: transparent;\"\u003eUniversal Installer including the Silent Installer\u003c/span\u003e in TIBCO Hawk versions 6.2.0, 6.2.1, 6.2.2 and 6.2.3 allows \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003euser\u0027s Enterprise Message Service (EMS) password to be exposed outside of the hawkagent.cfg and hawkevent.cfg config files.\u003c/span\u003e\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Install-type password disclosure vulnerability in\u00a0Universal Installer including the Silent Installer in TIBCO Hawk versions 6.2.0, 6.2.1, 6.2.2 and 6.2.3 allows user\u0027s Enterprise Message Service (EMS) password to be exposed outside of the hawkagent.cfg and hawkevent.cfg config files.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-15T18:04:49.997Z",
"orgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
"shortName": "tibco"
},
"references": [
{
"url": "https://community.tibco.com/advisories/tibco-security-advisory-may-14-2024-tibco-hawk-cve-2024-3182-r213/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
"assignerShortName": "tibco",
"cveId": "CVE-2024-3182",
"datePublished": "2024-05-15T18:04:49.997Z",
"dateReserved": "2024-04-02T06:27:25.231Z",
"dateUpdated": "2024-08-01T20:05:07.485Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-3323 (GCVE-0-2024-3323)
Vulnerability from cvelistv5 – Published: 2024-04-17 18:53 – Updated: 2024-08-01 20:05
VLAI?
Summary
Cross Site Scripting in
UI Request/Response Validation
in TIBCO JasperReports Server 8.0.4 and 8.2.0 allows allows for the injection of malicious executable scripts into the code of a trusted application that may lead to stealing the user's active session cookie via sending malicious link, enticing the user to interact.
Severity ?
8.3 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| TIBCO | JasperReports Server |
Affected:
8.0 , < 8.0.4
(Hotfix)
Affected: 8.2 , < 8.2.0 (Hotfix) |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:tibco:jasperreports_server:8.0.4:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jasperreports_server",
"vendor": "tibco",
"versions": [
{
"status": "affected",
"version": "8.0.4"
}
]
},
{
"cpes": [
"cpe:2.3:a:tibco:jasperreports_server:8.2.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jasperreports_server",
"vendor": "tibco",
"versions": [
{
"status": "affected",
"version": "8.2.0"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-3323",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-22T21:35:25.685169Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:31:11.990Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:05:08.445Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://community.tibco.com/advisories/tibco-security-advisory-april-9-2024-tibco-jasperreports-server-cve-2024-3323-r209/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"UI Request/Response Validation"
],
"product": "JasperReports Server",
"vendor": "TIBCO",
"versions": [
{
"lessThan": "8.0.4",
"status": "affected",
"version": "8.0",
"versionType": "Hotfix"
},
{
"lessThan": "8.2.0",
"status": "affected",
"version": "8.2",
"versionType": "Hotfix"
}
]
}
],
"datePublic": "2024-04-09T16:30:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cross Site Scripting in \n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eUI Request/Response Validation\u003c/span\u003e\n\n in TIBCO JasperReports Server 8.0.4 and 8.2.0 allows allows for the injection of malicious executable scripts into the code of a trusted application that may lead to stealing the user\u0027s active session cookie\u0026nbsp;via sending malicious link, enticing the user to interact."
}
],
"value": "Cross Site Scripting in \n\nUI Request/Response Validation\n\n in TIBCO JasperReports Server 8.0.4 and 8.2.0 allows allows for the injection of malicious executable scripts into the code of a trusted application that may lead to stealing the user\u0027s active session cookie\u00a0via sending malicious link, enticing the user to interact."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-17T18:53:21.348Z",
"orgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
"shortName": "tibco"
},
"references": [
{
"url": "https://community.tibco.com/advisories/tibco-security-advisory-april-9-2024-tibco-jasperreports-server-cve-2024-3323-r209/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Reflected Cross Site Scripting (XSS) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
"assignerShortName": "tibco",
"cveId": "CVE-2024-3323",
"datePublished": "2024-04-17T18:53:21.348Z",
"dateReserved": "2024-04-04T17:01:23.280Z",
"dateUpdated": "2024-08-01T20:05:08.445Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-1137 (GCVE-0-2024-1137)
Vulnerability from cvelistv5 – Published: 2024-03-12 17:31 – Updated: 2024-10-31 14:50
VLAI?
Summary
The Proxy and Client components of TIBCO Software Inc.'s TIBCO ActiveSpaces - Enterprise Edition contain a vulnerability that theoretically allows an Active Spaces client to passively observe data traffic to other clients. Affected releases are TIBCO Software Inc.'s TIBCO ActiveSpaces - Enterprise Edition: versions 4.4.0 through 4.9.0.
Severity ?
4.3 (Medium)
CWE
- This impact of this vulnerability includes the theoretical possibility of bypassing table access controls. The attacker cannot actively make queries, but may observe the results of queries by other clients, even though the attacker does not have permission to access that data.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| TIBCO Software Inc. | TIBCO ActiveSpaces - Enterprise Edition |
Affected:
4.4.0 , ≤ 4.9.0
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1137",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-13T15:02:45.990494Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-31T14:50:46.546Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:26:30.510Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://community.tibco.com/advisories/tibco-security-advisory-march-12-2024-tibco-activespaces-cve-2024-1137-r208/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "TIBCO ActiveSpaces - Enterprise Edition",
"vendor": "TIBCO Software Inc.",
"versions": [
{
"lessThanOrEqual": "4.9.0",
"status": "affected",
"version": "4.4.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe Proxy and Client components of TIBCO Software Inc.\u0027s TIBCO ActiveSpaces - Enterprise Edition contain a vulnerability that theoretically allows an Active Spaces client to passively observe data traffic to other clients. Affected releases are TIBCO Software Inc.\u0027s TIBCO ActiveSpaces - Enterprise Edition: versions 4.4.0 through 4.9.0.\u003c/p\u003e"
}
],
"value": "The Proxy and Client components of TIBCO Software Inc.\u0027s TIBCO ActiveSpaces - Enterprise Edition contain a vulnerability that theoretically allows an Active Spaces client to passively observe data traffic to other clients. Affected releases are TIBCO Software Inc.\u0027s TIBCO ActiveSpaces - Enterprise Edition: versions 4.4.0 through 4.9.0.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "This impact of this vulnerability includes the theoretical possibility of bypassing table access controls. The attacker cannot actively make queries, but may observe the results of queries by other clients, even though the attacker does not have permission to access that data.",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-12T17:31:19.481Z",
"orgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
"shortName": "tibco"
},
"references": [
{
"url": "https://community.tibco.com/advisories/tibco-security-advisory-march-12-2024-tibco-activespaces-cve-2024-1137-r208/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eTIBCO has released updated versions of the affected components which address these issues.\u003c/p\u003e\u003cp\u003eTIBCO ActiveSpaces - Enterprise Edition versions 4.4.0 through 4.9.0: update to version 4.9.1 or later\u003c/p\u003e"
}
],
"value": "TIBCO has released updated versions of the affected components which address these issues.\n\nTIBCO ActiveSpaces - Enterprise Edition versions 4.4.0 through 4.9.0: update to version 4.9.1 or later\n\n"
}
],
"title": "TIBCO ActiveSpaces Information Leak Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
"assignerShortName": "tibco",
"cveId": "CVE-2024-1137",
"datePublished": "2024-03-12T17:31:19.481Z",
"dateReserved": "2024-01-31T20:34:27.115Z",
"dateUpdated": "2024-10-31T14:50:46.546Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-1138 (GCVE-0-2024-1138)
Vulnerability from cvelistv5 – Published: 2024-03-12 17:30 – Updated: 2025-03-28 18:59
VLAI?
Summary
The FTL Server component of TIBCO Software Inc.'s TIBCO FTL - Enterprise Edition contains a vulnerability that allows a low privileged attacker with network access to execute a privilege escalation on the affected ftlserver. Affected releases are TIBCO Software Inc.'s TIBCO FTL - Enterprise Edition: versions 6.10.1 and below.
Severity ?
8.8 (High)
CWE
- Successful exploitation of this vulnerability may result in an authenticated but unprivileged user arbitrarily reconfiguring FTL clients attached to the same ftlserver.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| TIBCO Software Inc. | TIBCO FTL - Enterprise Edition |
Affected:
0 , ≤ 6.10.1
(semver)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:26:30.563Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://community.tibco.com/advisories/tibco-security-advisory-march-12-2024-tibco-ftl-cve-2024-1138-r207/"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:tibco:ftl:*:*:*:*:enterprise:*:*:*"
],
"defaultStatus": "unknown",
"product": "ftl",
"vendor": "tibco",
"versions": [
{
"lessThanOrEqual": "6.10.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1138",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-12T19:05:22.151041Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-28T18:59:24.770Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "TIBCO FTL - Enterprise Edition",
"vendor": "TIBCO Software Inc.",
"versions": [
{
"lessThanOrEqual": "6.10.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe FTL Server component of TIBCO Software Inc.\u0027s TIBCO FTL - Enterprise Edition contains a vulnerability that allows a low privileged attacker with network access to execute a privilege escalation on the affected ftlserver. Affected releases are TIBCO Software Inc.\u0027s TIBCO FTL - Enterprise Edition: versions 6.10.1 and below.\u003c/p\u003e"
}
],
"value": "The FTL Server component of TIBCO Software Inc.\u0027s TIBCO FTL - Enterprise Edition contains a vulnerability that allows a low privileged attacker with network access to execute a privilege escalation on the affected ftlserver. Affected releases are TIBCO Software Inc.\u0027s TIBCO FTL - Enterprise Edition: versions 6.10.1 and below.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Successful exploitation of this vulnerability may result in an authenticated but unprivileged user arbitrarily reconfiguring FTL clients attached to the same ftlserver.",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-12T17:30:15.100Z",
"orgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
"shortName": "tibco"
},
"references": [
{
"url": "https://community.tibco.com/advisories/tibco-security-advisory-march-12-2024-tibco-ftl-cve-2024-1138-r207/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eTIBCO has released updated versions of the affected components which address these issues.\u003c/p\u003e\u003cp\u003eTIBCO FTL - Enterprise Edition versions 6.10.1 and below: update to version 6.10.2 or later\u003c/p\u003e"
}
],
"value": "TIBCO has released updated versions of the affected components which address these issues.\n\nTIBCO FTL - Enterprise Edition versions 6.10.1 and below: update to version 6.10.2 or later\n\n"
}
],
"title": "TIBCO FTL Privilege Escalation"
}
},
"cveMetadata": {
"assignerOrgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
"assignerShortName": "tibco",
"cveId": "CVE-2024-1138",
"datePublished": "2024-03-12T17:30:15.100Z",
"dateReserved": "2024-01-31T20:35:00.843Z",
"dateUpdated": "2025-03-28T18:59:24.770Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-26222 (GCVE-0-2023-26222)
Vulnerability from cvelistv5 – Published: 2023-11-14 19:29 – Updated: 2024-08-30 14:06
VLAI?
Summary
The Web Application component of TIBCO Software Inc.'s TIBCO EBX and TIBCO Product and Service Catalog powered by TIBCO EBX contains an easily exploitable vulnerability that allows a low privileged attacker with network access to execute a stored XSS on the affected system. Affected releases are TIBCO Software Inc.'s TIBCO EBX: versions 5.9.22 and below, versions 6.0.13 and below and TIBCO Product and Service Catalog powered by TIBCO EBX: versions 5.0.0 and below.
Severity ?
8.7 (High)
CWE
- The impact of this vulnerability includes the theoretical possibility resulting in unauthorized ability to update, insert or delete TIBCO EBX® data.
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| TIBCO Software Inc. | TIBCO EBX |
Affected:
0 , ≤ 5.9.22
(semver)
Affected: 0 , ≤ 6.0.13 (semver) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:46:23.340Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.tibco.com/services/support/advisories"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-26222",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-30T14:06:41.016491Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-30T14:06:54.070Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "TIBCO EBX",
"vendor": "TIBCO Software Inc.",
"versions": [
{
"lessThanOrEqual": "5.9.22",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.13",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "TIBCO Product and Service Catalog powered by TIBCO EBX",
"vendor": "TIBCO Software Inc.",
"versions": [
{
"lessThanOrEqual": "5.0.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe Web Application component of TIBCO Software Inc.\u0027s TIBCO EBX and TIBCO Product and Service Catalog powered by TIBCO EBX contains an easily exploitable vulnerability that allows a low privileged attacker with network access to execute a stored XSS on the affected system. Affected releases are TIBCO Software Inc.\u0027s TIBCO EBX: versions 5.9.22 and below, versions 6.0.13 and below and TIBCO Product and Service Catalog powered by TIBCO EBX: versions 5.0.0 and below.\u003c/p\u003e"
}
],
"value": "The Web Application component of TIBCO Software Inc.\u0027s TIBCO EBX and TIBCO Product and Service Catalog powered by TIBCO EBX contains an easily exploitable vulnerability that allows a low privileged attacker with network access to execute a stored XSS on the affected system. Affected releases are TIBCO Software Inc.\u0027s TIBCO EBX: versions 5.9.22 and below, versions 6.0.13 and below and TIBCO Product and Service Catalog powered by TIBCO EBX: versions 5.0.0 and below.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "The impact of this vulnerability includes the theoretical possibility resulting in unauthorized ability to update, insert or delete TIBCO EBX\u00ae data.",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-14T19:29:09.766Z",
"orgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
"shortName": "tibco"
},
"references": [
{
"url": "https://www.tibco.com/services/support/advisories"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eTIBCO has released updated versions of the affected components which address these issues.\u003c/p\u003e\u003cp\u003eTIBCO EBX versions 5.9.22 and below: update to version 5.9.23 or later\u003c/p\u003e\u003cp\u003eTIBCO EBX versions 6.0.13 and below: update to version 6.0.14 or later\u003c/p\u003e\u003cp\u003eTIBCO Product and Service Catalog powered by TIBCO EBX versions 5.0.0 and below: update to version 5.1.0 or later\u003c/p\u003e"
}
],
"value": "TIBCO has released updated versions of the affected components which address these issues.\n\nTIBCO EBX versions 5.9.22 and below: update to version 5.9.23 or later\n\nTIBCO EBX versions 6.0.13 and below: update to version 6.0.14 or later\n\nTIBCO Product and Service Catalog powered by TIBCO EBX versions 5.0.0 and below: update to version 5.1.0 or later\n\n"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "TIBCO EBX Cross-site Scripting (XXS) Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
"assignerShortName": "tibco",
"cveId": "CVE-2023-26222",
"datePublished": "2023-11-14T19:29:09.766Z",
"dateReserved": "2023-02-20T22:18:23.428Z",
"dateUpdated": "2024-08-30T14:06:54.070Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-26221 (GCVE-0-2023-26221)
Vulnerability from cvelistv5 – Published: 2023-11-08 19:44 – Updated: 2024-09-04 15:46
VLAI?
Summary
The Spotfire Connectors component of TIBCO Software Inc.'s Spotfire Analyst, Spotfire Server, and Spotfire for AWS Marketplace contains an easily exploitable vulnerability that allows a low privileged attacker with read/write access to craft malicious Analyst files. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.'s Spotfire Analyst: versions 12.3.0, 12.4.0, and 12.5.0, Spotfire Server: versions 12.3.0, 12.4.0, and 12.5.0, and Spotfire for AWS Marketplace: version 12.5.0.
Severity ?
5 (Medium)
CWE
- CWE-522 - Insufficiently Protected Credentials
Assigner
References
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| TIBCO Software Inc. | Spotfire Analyst |
Affected:
12.3.0
Affected: 12.4.0 Affected: 12.5.0 |
||||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:46:23.940Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.tibco.com/services/support/advisories"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-26221",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-04T15:46:35.719041Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-04T15:46:47.013Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Spotfire Analyst",
"vendor": "TIBCO Software Inc.",
"versions": [
{
"status": "affected",
"version": "12.3.0"
},
{
"status": "affected",
"version": "12.4.0"
},
{
"status": "affected",
"version": "12.5.0"
}
]
},
{
"defaultStatus": "unknown",
"product": "Spotfire Server",
"vendor": "TIBCO Software Inc.",
"versions": [
{
"status": "affected",
"version": "12.3.0"
},
{
"status": "affected",
"version": "12.4.0"
},
{
"status": "affected",
"version": "12.5.0"
}
]
},
{
"defaultStatus": "unknown",
"product": "Spotfire for AWS Marketplace",
"vendor": "TIBCO Software Inc.",
"versions": [
{
"status": "affected",
"version": "12.5.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe Spotfire Connectors component of TIBCO Software Inc.\u0027s Spotfire Analyst, Spotfire Server, and Spotfire for AWS Marketplace contains an easily exploitable vulnerability that allows a low privileged attacker with read/write access to craft malicious Analyst files. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.\u0027s Spotfire Analyst: versions 12.3.0, 12.4.0, and 12.5.0, Spotfire Server: versions 12.3.0, 12.4.0, and 12.5.0, and Spotfire for AWS Marketplace: version 12.5.0.\u003c/p\u003e"
}
],
"value": "The Spotfire Connectors component of TIBCO Software Inc.\u0027s Spotfire Analyst, Spotfire Server, and Spotfire for AWS Marketplace contains an easily exploitable vulnerability that allows a low privileged attacker with read/write access to craft malicious Analyst files. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.\u0027s Spotfire Analyst: versions 12.3.0, 12.4.0, and 12.5.0, Spotfire Server: versions 12.3.0, 12.4.0, and 12.5.0, and Spotfire for AWS Marketplace: version 12.5.0.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-522",
"description": "CWE-522 Insufficiently Protected Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-08T19:44:03.634Z",
"orgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
"shortName": "tibco"
},
"references": [
{
"url": "https://www.tibco.com/services/support/advisories"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eTIBCO has released updated versions of the affected components which address these issues.\u003c/p\u003e\u003cp\u003eSpotfire Analyst versions 12.3.0, 12.4.0, and 12.5.0: update to version 14.0.0 or later\u003c/p\u003e\u003cp\u003eSpotfire Server versions 12.3.0, 12.4.0, and 12.5.0: update to version 14.0.0 or later\u003c/p\u003e\u003cp\u003eSpotfire for AWS Marketplace version 12.5.0: update to version 14.0.0 or later\u003c/p\u003e"
}
],
"value": "TIBCO has released updated versions of the affected components which address these issues.\n\nSpotfire Analyst versions 12.3.0, 12.4.0, and 12.5.0: update to version 14.0.0 or later\n\nSpotfire Server versions 12.3.0, 12.4.0, and 12.5.0: update to version 14.0.0 or later\n\nSpotfire for AWS Marketplace version 12.5.0: update to version 14.0.0 or later\n\n"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "TIBCO Spotfire Insufficiently Protected Credential vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
"assignerShortName": "tibco",
"cveId": "CVE-2023-26221",
"datePublished": "2023-11-08T19:44:03.634Z",
"dateReserved": "2023-02-20T22:18:23.428Z",
"dateUpdated": "2024-09-04T15:46:47.013Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-26219 (GCVE-0-2023-26219)
Vulnerability from cvelistv5 – Published: 2023-10-24 21:56 – Updated: 2024-09-11 17:07
VLAI?
Summary
The Hawk Console and Hawk Agent components of TIBCO Software Inc.'s TIBCO Hawk, TIBCO Hawk Distribution for TIBCO Silver Fabric, TIBCO Operational Intelligence Hawk RedTail, and TIBCO Runtime Agent contain a vulnerability that theoretically allows an attacker with access to the Hawk Console’s and Agent’s log to obtain credentials used to access associated EMS servers. Affected releases are TIBCO Software Inc.'s TIBCO Hawk: versions 6.2.2 and below, TIBCO Hawk Distribution for TIBCO Silver Fabric: versions 6.2.2 and below, TIBCO Operational Intelligence Hawk RedTail: versions 7.2.1 and below, and TIBCO Runtime Agent: versions 5.12.2 and below.
Severity ?
7.4 (High)
CWE
- The impact of this vulnerability includes the theoretical possibility that an attacker could access the message stream of the EMS server, or in the worst case, gain administrative access to the server.
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| TIBCO Software Inc. | TIBCO Hawk |
Affected:
0 , ≤ 6.2.2
(semver)
|
|||||||||||||||||
|
|||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:46:23.339Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.tibco.com/services/support/advisories"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-26219",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-11T17:07:16.001862Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:07:46.968Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "TIBCO Hawk",
"vendor": "TIBCO Software Inc.",
"versions": [
{
"lessThanOrEqual": "6.2.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "TIBCO Hawk Distribution for TIBCO Silver Fabric",
"vendor": "TIBCO Software Inc.",
"versions": [
{
"lessThanOrEqual": "6.2.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "TIBCO Operational Intelligence Hawk RedTail",
"vendor": "TIBCO Software Inc.",
"versions": [
{
"lessThanOrEqual": "7.2.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "TIBCO Runtime Agent",
"vendor": "TIBCO Software Inc.",
"versions": [
{
"lessThanOrEqual": "5.12.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe Hawk Console and Hawk Agent components of TIBCO Software Inc.\u0027s TIBCO Hawk, TIBCO Hawk Distribution for TIBCO Silver Fabric, TIBCO Operational Intelligence Hawk RedTail, and TIBCO Runtime Agent contain a vulnerability that theoretically allows an attacker with access to the Hawk Console\u2019s and Agent\u2019s log to obtain credentials used to access associated EMS servers. Affected releases are TIBCO Software Inc.\u0027s TIBCO Hawk: versions 6.2.2 and below, TIBCO Hawk Distribution for TIBCO Silver Fabric: versions 6.2.2 and below, TIBCO Operational Intelligence Hawk RedTail: versions 7.2.1 and below, and TIBCO Runtime Agent: versions 5.12.2 and below.\u003c/p\u003e"
}
],
"value": "The Hawk Console and Hawk Agent components of TIBCO Software Inc.\u0027s TIBCO Hawk, TIBCO Hawk Distribution for TIBCO Silver Fabric, TIBCO Operational Intelligence Hawk RedTail, and TIBCO Runtime Agent contain a vulnerability that theoretically allows an attacker with access to the Hawk Console\u2019s and Agent\u2019s log to obtain credentials used to access associated EMS servers. Affected releases are TIBCO Software Inc.\u0027s TIBCO Hawk: versions 6.2.2 and below, TIBCO Hawk Distribution for TIBCO Silver Fabric: versions 6.2.2 and below, TIBCO Operational Intelligence Hawk RedTail: versions 7.2.1 and below, and TIBCO Runtime Agent: versions 5.12.2 and below.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "The impact of this vulnerability includes the theoretical possibility that an attacker could access the message stream of the EMS server, or in the worst case, gain administrative access to the server.",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-24T21:56:50.294Z",
"orgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
"shortName": "tibco"
},
"references": [
{
"url": "https://www.tibco.com/services/support/advisories"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eTIBCO has released updated versions of the affected components which address these issues.\u003c/p\u003e\u003cp\u003eTIBCO Hawk versions 6.2.2 and below: update to version 6.2.3 or later\u003c/p\u003e\u003cp\u003eTIBCO Hawk Distribution for TIBCO Silver Fabric versions 6.2.2 and below: update to version 6.2.3 or later\u003c/p\u003e\u003cp\u003eTIBCO Operational Intelligence Hawk RedTail versions 7.2.1 and below: update to version 7.2.2 or later\u003c/p\u003e\u003cp\u003eTIBCO Runtime Agent versions 5.12.2 and below: update to version 5.12.3 or later\u003c/p\u003e"
}
],
"value": "TIBCO has released updated versions of the affected components which address these issues.\n\nTIBCO Hawk versions 6.2.2 and below: update to version 6.2.3 or later\n\nTIBCO Hawk Distribution for TIBCO Silver Fabric versions 6.2.2 and below: update to version 6.2.3 or later\n\nTIBCO Operational Intelligence Hawk RedTail versions 7.2.1 and below: update to version 7.2.2 or later\n\nTIBCO Runtime Agent versions 5.12.2 and below: update to version 5.12.3 or later\n\n"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "TIBCO Operational Intelligence Hawk RedTail Credential Exposure Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
"assignerShortName": "tibco",
"cveId": "CVE-2023-26219",
"datePublished": "2023-10-24T21:56:50.294Z",
"dateReserved": "2023-02-20T22:18:23.427Z",
"dateUpdated": "2024-09-11T17:07:46.968Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-26220 (GCVE-0-2023-26220)
Vulnerability from cvelistv5 – Published: 2023-10-10 22:06 – Updated: 2024-09-18 16:14
VLAI?
Summary
The Spotfire Library component of TIBCO Software Inc.'s Spotfire Analyst and Spotfire Server contains an easily exploitable vulnerability that allows a low privileged attacker with network access to execute a Stored Cross Site Scripting (XSS) on the affected system. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.'s Spotfire Analyst: versions 11.4.7 and below, versions 11.5.0, 11.6.0, 11.7.0, 11.8.0, 12.0.0, 12.0.1, 12.0.2, 12.0.3, and 12.0.4, versions 12.1.0 and 12.1.1 and Spotfire Server: versions 11.4.11 and below, versions 11.5.0, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.7.0, 11.8.0, 11.8.1, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, and 12.0.5, versions 12.1.0 and 12.1.1.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| TIBCO Software Inc. | Spotfire Analyst |
Affected:
0 , ≤ 11.4.7
(semver)
Affected: 11.5.0 Affected: 11.6.0 Affected: 11.7.0 Affected: 11.8.0 Affected: 12.0.0 Affected: 12.0.1 Affected: 12.0.2 Affected: 12.0.3 Affected: 12.0.4 Affected: 12.1.0 Affected: 12.1.1 |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:46:24.112Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.tibco.com/services/support/advisories"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-26220",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-18T16:14:40.488828Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-18T16:14:49.914Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Spotfire Analyst",
"vendor": "TIBCO Software Inc.",
"versions": [
{
"lessThanOrEqual": "11.4.7",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "affected",
"version": "11.5.0"
},
{
"status": "affected",
"version": "11.6.0"
},
{
"status": "affected",
"version": "11.7.0"
},
{
"status": "affected",
"version": "11.8.0"
},
{
"status": "affected",
"version": "12.0.0"
},
{
"status": "affected",
"version": "12.0.1"
},
{
"status": "affected",
"version": "12.0.2"
},
{
"status": "affected",
"version": "12.0.3"
},
{
"status": "affected",
"version": "12.0.4"
},
{
"status": "affected",
"version": "12.1.0"
},
{
"status": "affected",
"version": "12.1.1"
}
]
},
{
"defaultStatus": "unknown",
"product": "Spotfire Server",
"vendor": "TIBCO Software Inc.",
"versions": [
{
"lessThanOrEqual": "11.4.11",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "affected",
"version": "11.5.0"
},
{
"status": "affected",
"version": "11.6.0"
},
{
"status": "affected",
"version": "11.6.1"
},
{
"status": "affected",
"version": "11.6.2"
},
{
"status": "affected",
"version": "11.6.3"
},
{
"status": "affected",
"version": "11.7.0"
},
{
"status": "affected",
"version": "11.8.0"
},
{
"status": "affected",
"version": "11.8.1"
},
{
"status": "affected",
"version": "12.0.0"
},
{
"status": "affected",
"version": "12.0.1"
},
{
"status": "affected",
"version": "12.0.2"
},
{
"status": "affected",
"version": "12.0.3"
},
{
"status": "affected",
"version": "12.0.4"
},
{
"status": "affected",
"version": "12.0.5"
},
{
"status": "affected",
"version": "12.1.0"
},
{
"status": "affected",
"version": "12.1.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe Spotfire Library component of TIBCO Software Inc.\u0027s Spotfire Analyst and Spotfire Server contains an easily exploitable vulnerability that allows a low privileged attacker with network access to execute a Stored Cross Site Scripting (XSS) on the affected system. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.\u0027s Spotfire Analyst: versions 11.4.7 and below, versions 11.5.0, 11.6.0, 11.7.0, 11.8.0, 12.0.0, 12.0.1, 12.0.2, 12.0.3, and 12.0.4, versions 12.1.0 and 12.1.1 and Spotfire Server: versions 11.4.11 and below, versions 11.5.0, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.7.0, 11.8.0, 11.8.1, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, and 12.0.5, versions 12.1.0 and 12.1.1.\u003c/p\u003e"
}
],
"value": "The Spotfire Library component of TIBCO Software Inc.\u0027s Spotfire Analyst and Spotfire Server contains an easily exploitable vulnerability that allows a low privileged attacker with network access to execute a Stored Cross Site Scripting (XSS) on the affected system. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.\u0027s Spotfire Analyst: versions 11.4.7 and below, versions 11.5.0, 11.6.0, 11.7.0, 11.8.0, 12.0.0, 12.0.1, 12.0.2, 12.0.3, and 12.0.4, versions 12.1.0 and 12.1.1 and Spotfire Server: versions 11.4.11 and below, versions 11.5.0, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.7.0, 11.8.0, 11.8.1, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, and 12.0.5, versions 12.1.0 and 12.1.1.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-10T22:06:36.002Z",
"orgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
"shortName": "tibco"
},
"references": [
{
"url": "https://www.tibco.com/services/support/advisories"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eTIBCO has released updated versions of the affected components which address these issues.\u003c/p\u003e\u003cp\u003eSpotfire Analyst versions 11.4.7 and below: update to version 11.4.8 or later\u003c/p\u003e\u003cp\u003eSpotfire Analyst versions 11.5.0, 11.6.0, 11.7.0, 11.8.0, 12.0.0, 12.0.1, 12.0.2, 12.0.3, and 12.0.4: update to version 12.0.5 or later\u003c/p\u003e\u003cp\u003eSpotfire Analyst versions 12.1.0 and 12.1.1: update to version 12.5.0 or later\u003c/p\u003e\u003cp\u003eSpotfire Server versions 11.4.11 and below: update to version 11.4.12 or later\u003c/p\u003e\u003cp\u003eSpotfire Server versions 11.5.0, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.7.0, 11.8.0, 11.8.1, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, and 12.0.5: update to version 12.0.6 or later\u003c/p\u003e\u003cp\u003eSpotfire Server versions 12.1.0 and 12.1.1: update to version 12.5.0 or later\u003c/p\u003e"
}
],
"value": "TIBCO has released updated versions of the affected components which address these issues.\n\nSpotfire Analyst versions 11.4.7 and below: update to version 11.4.8 or later\n\nSpotfire Analyst versions 11.5.0, 11.6.0, 11.7.0, 11.8.0, 12.0.0, 12.0.1, 12.0.2, 12.0.3, and 12.0.4: update to version 12.0.5 or later\n\nSpotfire Analyst versions 12.1.0 and 12.1.1: update to version 12.5.0 or later\n\nSpotfire Server versions 11.4.11 and below: update to version 11.4.12 or later\n\nSpotfire Server versions 11.5.0, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.7.0, 11.8.0, 11.8.1, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, and 12.0.5: update to version 12.0.6 or later\n\nSpotfire Server versions 12.1.0 and 12.1.1: update to version 12.5.0 or later\n\n"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "TIBCO Spotfire Stored Cross-site Scripting (XSS) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
"assignerShortName": "tibco",
"cveId": "CVE-2023-26220",
"datePublished": "2023-10-10T22:06:36.002Z",
"dateReserved": "2023-02-20T22:18:23.427Z",
"dateUpdated": "2024-09-18T16:14:49.914Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-26218 (GCVE-0-2023-26218)
Vulnerability from cvelistv5 – Published: 2023-09-29 17:07 – Updated: 2024-09-23 16:26
VLAI?
Summary
The Web Client component of TIBCO Software Inc.'s TIBCO Nimbus contains easily exploitable Reflected Cross Site Scripting (XSS) vulnerabilities that allow a low privileged attacker to social engineer a legitimate user with network access to execute scripts targeting the affected system or the victim's local system. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.'s TIBCO Nimbus: versions 10.6.0 and below.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| TIBCO Software Inc. | TIBCO Nimbus |
Affected:
0 , ≤ 10.6.0
(semver)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:46:23.316Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.tibco.com/services/support/advisories"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-26218",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-23T16:26:16.962584Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-23T16:26:35.804Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "TIBCO Nimbus",
"vendor": "TIBCO Software Inc.",
"versions": [
{
"lessThanOrEqual": "10.6.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe Web Client component of TIBCO Software Inc.\u0027s TIBCO Nimbus contains easily exploitable Reflected Cross Site Scripting (XSS) vulnerabilities that allow a low privileged attacker to social engineer a legitimate user with network access to execute scripts targeting the affected system or the victim\u0027s local system. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.\u0027s TIBCO Nimbus: versions 10.6.0 and below.\u003c/p\u003e"
}
],
"value": "The Web Client component of TIBCO Software Inc.\u0027s TIBCO Nimbus contains easily exploitable Reflected Cross Site Scripting (XSS) vulnerabilities that allow a low privileged attacker to social engineer a legitimate user with network access to execute scripts targeting the affected system or the victim\u0027s local system. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.\u0027s TIBCO Nimbus: versions 10.6.0 and below.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-29T17:07:11.618Z",
"orgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
"shortName": "tibco"
},
"references": [
{
"url": "https://www.tibco.com/services/support/advisories"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eTIBCO has released updated versions of the affected components which address these issues.\u003c/p\u003e\u003cp\u003eTIBCO Nimbus versions 10.6.0 and below: update to version 10.6.1 or later\u003c/p\u003e"
}
],
"value": "TIBCO has released updated versions of the affected components which address these issues.\n\nTIBCO Nimbus versions 10.6.0 and below: update to version 10.6.1 or later\n\n"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "TIBCO Nimbus Reflected Cross-site Scripting (XSS) vulnerabilities",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
"assignerShortName": "tibco",
"cveId": "CVE-2023-26218",
"datePublished": "2023-09-29T17:07:11.618Z",
"dateReserved": "2023-02-20T22:18:23.427Z",
"dateUpdated": "2024-09-23T16:26:35.804Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-26217 (GCVE-0-2023-26217)
Vulnerability from cvelistv5 – Published: 2023-07-19 20:36 – Updated: 2024-10-24 17:36
VLAI?
Summary
The Data Exchange Add-on component of TIBCO Software Inc.'s TIBCO EBX Add-ons contains an easily exploitable vulnerability that allows a low privileged user with import permissions and network access to the EBX server to execute arbitrary SQL statements on the affected system. Affected releases are TIBCO Software Inc.'s TIBCO EBX Add-ons: versions 4.5.17 and below, versions 5.6.2 and below, version 6.1.0.
Severity ?
8.8 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| TIBCO Software Inc. | TIBCO EBX Add-ons |
Affected:
0 , ≤ 4.5.17
(semver)
Affected: 0 , ≤ 5.6.2 (semver) Affected: 6.1.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:46:24.319Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.tibco.com/services/support/advisories"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-26217",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-24T17:35:50.765225Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-24T17:36:09.865Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "TIBCO EBX Add-ons",
"vendor": "TIBCO Software Inc.",
"versions": [
{
"lessThanOrEqual": "4.5.17",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.6.2",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "affected",
"version": "6.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe Data Exchange Add-on component of TIBCO Software Inc.\u0027s TIBCO EBX Add-ons contains an easily exploitable vulnerability that allows a low privileged user with import permissions and network access to the EBX server to execute arbitrary SQL statements on the affected system. Affected releases are TIBCO Software Inc.\u0027s TIBCO EBX Add-ons: versions 4.5.17 and below, versions 5.6.2 and below, version 6.1.0.\u003c/p\u003e"
}
],
"value": "The Data Exchange Add-on component of TIBCO Software Inc.\u0027s TIBCO EBX Add-ons contains an easily exploitable vulnerability that allows a low privileged user with import permissions and network access to the EBX server to execute arbitrary SQL statements on the affected system. Affected releases are TIBCO Software Inc.\u0027s TIBCO EBX Add-ons: versions 4.5.17 and below, versions 5.6.2 and below, version 6.1.0.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-19T20:36:45.528Z",
"orgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
"shortName": "tibco"
},
"references": [
{
"url": "https://www.tibco.com/services/support/advisories"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eTIBCO has released updated versions of the affected components which address these issues.\u003c/p\u003e\u003cp\u003eTIBCO EBX Add-ons versions 4.5.17 and below: update to version 4.5.18 or later\u003c/p\u003e\u003cp\u003eTIBCO EBX Add-ons versions 5.6.2 and below: update to version 5.6.3 or later\u003c/p\u003e\u003cp\u003eTIBCO EBX Add-ons version 6.1.0: update to version 6.1.1 or later\u003c/p\u003e"
}
],
"value": "TIBCO has released updated versions of the affected components which address these issues.\n\nTIBCO EBX Add-ons versions 4.5.17 and below: update to version 4.5.18 or later\n\nTIBCO EBX Add-ons versions 5.6.2 and below: update to version 5.6.3 or later\n\nTIBCO EBX Add-ons version 6.1.0: update to version 6.1.1 or later\n\n"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "TIBCO EBX Add-ons SQL Injection Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
"assignerShortName": "tibco",
"cveId": "CVE-2023-26217",
"datePublished": "2023-07-19T20:36:45.528Z",
"dateReserved": "2023-02-20T22:18:23.427Z",
"dateUpdated": "2024-10-24T17:36:09.865Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-26215 (GCVE-0-2023-26215)
Vulnerability from cvelistv5 – Published: 2023-05-25 18:41 – Updated: 2025-01-16 18:38
VLAI?
Summary
The server component of TIBCO Software Inc.'s TIBCO EBX Add-ons contains a vulnerability that allows an attacker with low-privileged application access to read system files that are accessible to the web server. Affected releases are TIBCO Software Inc.'s TIBCO EBX Add-ons: versions 4.5.16 and below.
Severity ?
7.7 (High)
CWE
- Any application user can potentially read files that would normally only be accessible by server administrators.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| TIBCO Software Inc. | TIBCO EBX Add-ons |
Affected:
0 , ≤ 4.5.16
(semver)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:46:23.331Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.tibco.com/services/support/advisories"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-26215",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-16T18:37:11.120890Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-203",
"description": "CWE-203 Observable Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-16T18:38:07.866Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "TIBCO EBX Add-ons",
"vendor": "TIBCO Software Inc.",
"versions": [
{
"lessThanOrEqual": "4.5.16",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe server component of TIBCO Software Inc.\u0027s TIBCO EBX Add-ons contains a vulnerability that allows an attacker with low-privileged application access to read system files that are accessible to the web server. Affected releases are TIBCO Software Inc.\u0027s TIBCO EBX Add-ons: versions 4.5.16 and below.\u003c/p\u003e"
}
],
"value": "The server component of TIBCO Software Inc.\u0027s TIBCO EBX Add-ons contains a vulnerability that allows an attacker with low-privileged application access to read system files that are accessible to the web server. Affected releases are TIBCO Software Inc.\u0027s TIBCO EBX Add-ons: versions 4.5.16 and below.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Any application user can potentially read files that would normally only be accessible by server administrators.",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-25T18:41:43.701Z",
"orgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
"shortName": "tibco"
},
"references": [
{
"url": "https://www.tibco.com/services/support/advisories"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eTIBCO has released updated versions of the affected components which address these issues.\u003c/p\u003e\u003cp\u003eTIBCO EBX Add-ons versions 4.5.16 and below: update to version 4.5.17 or later\u003c/p\u003e"
}
],
"value": "TIBCO has released updated versions of the affected components which address these issues.\n\nTIBCO EBX Add-ons versions 4.5.16 and below: update to version 4.5.17 or later\n\n"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "TIBCO EBX\u00ae Add-ons Path Traversal",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
"assignerShortName": "tibco",
"cveId": "CVE-2023-26215",
"datePublished": "2023-05-25T18:41:43.701Z",
"dateReserved": "2023-02-20T22:18:23.427Z",
"dateUpdated": "2025-01-16T18:38:07.866Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-26216 (GCVE-0-2023-26216)
Vulnerability from cvelistv5 – Published: 2023-05-25 18:38 – Updated: 2025-01-16 19:13
VLAI?
Summary
The server component of TIBCO Software Inc.'s TIBCO EBX Add-ons contains an exploitable vulnerability that allows an attacker to upload files to a directory accessible by the web server. Affected releases are TIBCO Software Inc.'s TIBCO EBX Add-ons: versions 4.5.16 and below.
Severity ?
9.1 (Critical)
CWE
- An application administrator without access to the underlying server could upload files that may be evaluated by the web server allowing them to perform actions with the privileges of the web server.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| TIBCO Software Inc. | TIBCO EBX Add-ons |
Affected:
0 , ≤ 4.5.16
(semver)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:46:23.912Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.tibco.com/services/support/advisories"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-26216",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-16T19:13:47.413245Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-16T19:13:55.888Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "TIBCO EBX Add-ons",
"vendor": "TIBCO Software Inc.",
"versions": [
{
"lessThanOrEqual": "4.5.16",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe server component of TIBCO Software Inc.\u0027s TIBCO EBX Add-ons contains an exploitable vulnerability that allows an attacker to upload files to a directory accessible by the web server. Affected releases are TIBCO Software Inc.\u0027s TIBCO EBX Add-ons: versions 4.5.16 and below.\u003c/p\u003e"
}
],
"value": "The server component of TIBCO Software Inc.\u0027s TIBCO EBX Add-ons contains an exploitable vulnerability that allows an attacker to upload files to a directory accessible by the web server. Affected releases are TIBCO Software Inc.\u0027s TIBCO EBX Add-ons: versions 4.5.16 and below.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "An application administrator without access to the underlying server could upload files that may be evaluated by the web server allowing them to perform actions with the privileges of the web server.",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-25T18:38:27.076Z",
"orgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
"shortName": "tibco"
},
"references": [
{
"url": "https://www.tibco.com/services/support/advisories"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eTIBCO has released updated versions of the affected components which address these issues.\u003c/p\u003e\u003cp\u003eTIBCO EBX Add-ons versions 4.5.16 and below: update to version 4.5.17 or later\u003c/p\u003e"
}
],
"value": "TIBCO has released updated versions of the affected components which address these issues.\n\nTIBCO EBX Add-ons versions 4.5.16 and below: update to version 4.5.17 or later\n\n"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "TIBCO EBX Add-ons Arbitrary File Write",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
"assignerShortName": "tibco",
"cveId": "CVE-2023-26216",
"datePublished": "2023-05-25T18:38:21.403Z",
"dateReserved": "2023-02-20T22:18:23.427Z",
"dateUpdated": "2025-01-16T19:13:55.888Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-29268 (GCVE-0-2023-29268)
Vulnerability from cvelistv5 – Published: 2023-04-26 17:24 – Updated: 2025-01-30 21:39
VLAI?
Summary
The Splus Server component of TIBCO Software Inc.'s TIBCO Spotfire Statistics Services contains a vulnerability that allows an unauthenticated remote attacker to upload or modify arbitrary files within the web server directory on the affected system. Affected releases are TIBCO Software Inc.'s TIBCO Spotfire Statistics Services: versions 11.4.10 and below, versions 11.5.0, 11.6.0, 11.6.1, 11.6.2, 11.7.0, 11.8.0, 11.8.1, 12.0.0, 12.0.1, and 12.0.2, versions 12.1.0 and 12.2.0.
Severity ?
9.8 (Critical)
CWE
- Uploaded or modified files may be executed within the scope of the web server process allowing access to the system.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| TIBCO Software Inc. | TIBCO Spotfire Statistics Services |
Affected:
0 , ≤ 11.4.10
(semver)
Affected: 11.5.0 Affected: 11.6.0 Affected: 11.6.1 Affected: 11.6.2 Affected: 11.7.0 Affected: 11.8.0 Affected: 11.8.1 Affected: 12.0.0 Affected: 12.0.1 Affected: 12.0.2 Affected: 12.1.0 Affected: 12.2.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:00:16.019Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.tibco.com/services/support/advisories"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-29268",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-30T21:39:50.970602Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-30T21:39:54.123Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "TIBCO Spotfire Statistics Services",
"vendor": "TIBCO Software Inc.",
"versions": [
{
"lessThanOrEqual": "11.4.10",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "affected",
"version": "11.5.0"
},
{
"status": "affected",
"version": "11.6.0"
},
{
"status": "affected",
"version": "11.6.1"
},
{
"status": "affected",
"version": "11.6.2"
},
{
"status": "affected",
"version": "11.7.0"
},
{
"status": "affected",
"version": "11.8.0"
},
{
"status": "affected",
"version": "11.8.1"
},
{
"status": "affected",
"version": "12.0.0"
},
{
"status": "affected",
"version": "12.0.1"
},
{
"status": "affected",
"version": "12.0.2"
},
{
"status": "affected",
"version": "12.1.0"
},
{
"status": "affected",
"version": "12.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe Splus Server component of TIBCO Software Inc.\u0027s TIBCO Spotfire Statistics Services contains a vulnerability that allows an unauthenticated remote attacker to upload or modify arbitrary files within the web server directory on the affected system. Affected releases are TIBCO Software Inc.\u0027s TIBCO Spotfire Statistics Services: versions 11.4.10 and below, versions 11.5.0, 11.6.0, 11.6.1, 11.6.2, 11.7.0, 11.8.0, 11.8.1, 12.0.0, 12.0.1, and 12.0.2, versions 12.1.0 and 12.2.0.\u003c/p\u003e"
}
],
"value": "The Splus Server component of TIBCO Software Inc.\u0027s TIBCO Spotfire Statistics Services contains a vulnerability that allows an unauthenticated remote attacker to upload or modify arbitrary files within the web server directory on the affected system. Affected releases are TIBCO Software Inc.\u0027s TIBCO Spotfire Statistics Services: versions 11.4.10 and below, versions 11.5.0, 11.6.0, 11.6.1, 11.6.2, 11.7.0, 11.8.0, 11.8.1, 12.0.0, 12.0.1, and 12.0.2, versions 12.1.0 and 12.2.0.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Uploaded or modified files may be executed within the scope of the web server process allowing access to the system.",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-26T17:24:18.689Z",
"orgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
"shortName": "tibco"
},
"references": [
{
"url": "https://www.tibco.com/services/support/advisories"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eTIBCO has released updated versions of the affected components which address these issues.\u003c/p\u003e\u003cp\u003eTIBCO Spotfire Statistics Services versions 11.4.10 and below: update to version 11.4.11 or later\u003c/p\u003e\u003cp\u003eTIBCO Spotfire Statistics Services versions 11.5.0, 11.6.0, 11.6.1, 11.6.2, 11.7.0, 11.8.0, 11.8.1, 12.0.0, 12.0.1, and 12.0.2: update to version 12.0.3 or later\u003c/p\u003e\u003cp\u003eTIBCO Spotfire Statistics Services versions 12.1.0 and 12.2.0: update to version 12.3.0 or later\u003c/p\u003e"
}
],
"value": "TIBCO has released updated versions of the affected components which address these issues.\n\nTIBCO Spotfire Statistics Services versions 11.4.10 and below: update to version 11.4.11 or later\n\nTIBCO Spotfire Statistics Services versions 11.5.0, 11.6.0, 11.6.1, 11.6.2, 11.7.0, 11.8.0, 11.8.1, 12.0.0, 12.0.1, and 12.0.2: update to version 12.0.3 or later\n\nTIBCO Spotfire Statistics Services versions 12.1.0 and 12.2.0: update to version 12.3.0 or later\n\n"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "TIBCO Spotfire Statistics Services Unrestricted File Upload Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
"assignerShortName": "tibco",
"cveId": "CVE-2023-29268",
"datePublished": "2023-04-26T17:24:18.689Z",
"dateReserved": "2023-04-04T19:06:51.372Z",
"dateUpdated": "2025-01-30T21:39:54.123Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-41566 (GCVE-0-2022-41566)
Vulnerability from cvelistv5 – Published: 2023-02-22 00:00 – Updated: 2024-08-03 12:49
VLAI?
Summary
The server component of TIBCO Software Inc.'s TIBCO EBX Add-ons contains an easily exploitable vulnerability that allows a low privileged attacker with network access to execute stored XSS on the affected system. Affected releases are TIBCO Software Inc.'s TIBCO EBX Add-ons: versions 5.6.0 and below.
Severity ?
8.7 (High)
CWE
- The impact of this vulnerability includes the theoretical possibility of unauthorized access to TIBCO EBX® Add-ons data. This includes the ability to update, insert, or delete data.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| TIBCO Software Inc. | TIBCO EBX Add-ons |
Affected:
unspecified , ≤ 5.6.0
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:49:41.888Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.tibco.com/services/support/advisories"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "TIBCO EBX Add-ons",
"vendor": "TIBCO Software Inc.",
"versions": [
{
"lessThanOrEqual": "5.6.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2023-02-22T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The server component of TIBCO Software Inc.\u0027s TIBCO EBX Add-ons contains an easily exploitable vulnerability that allows a low privileged attacker with network access to execute stored XSS on the affected system. Affected releases are TIBCO Software Inc.\u0027s TIBCO EBX Add-ons: versions 5.6.0 and below."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "The impact of this vulnerability includes the theoretical possibility of unauthorized access to TIBCO EBX\u00ae Add-ons data. This includes the ability to update, insert, or delete data.",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-22T00:00:00",
"orgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
"shortName": "tibco"
},
"references": [
{
"url": "https://www.tibco.com/services/support/advisories"
}
],
"solutions": [
{
"lang": "en",
"value": "TIBCO has released updated versions of the affected components which address these issues.\n\nTIBCO EBX Add-ons versions 5.6.0 and below: update to version 5.6.1 or later"
}
],
"source": {
"discovery": "Discovery statement"
},
"title": "TIBCO EBX Add-ons Cross Site Scripting (XSS) Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
"assignerShortName": "tibco",
"cveId": "CVE-2022-41566",
"datePublished": "2023-02-22T00:00:00",
"dateReserved": "2022-09-26T00:00:00",
"dateUpdated": "2024-08-03T12:49:41.888Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-26214 (GCVE-0-2023-26214)
Vulnerability from cvelistv5 – Published: 2023-02-22 00:00 – Updated: 2025-03-12 16:02
VLAI?
Summary
The BusinessConnect UI component of TIBCO Software Inc.'s TIBCO BusinessConnect contains easily exploitable Reflected Cross Site Scripting (XSS) vulnerabilities that allow a low privileged attacker with network access to execute scripts targeting the affected system or the victim's local system. Affected releases are TIBCO Software Inc.'s TIBCO BusinessConnect: versions 7.3.0 and below.
Severity ?
7.3 (High)
CWE
- In the worst case, if the victim is a privileged administrator, successful execution of these vulnerabilities can result in an attacker gaining full administrative access to the affected system.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| TIBCO Software Inc. | TIBCO BusinessConnect |
Affected:
unspecified , ≤ 7.3.0
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:46:23.429Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.tibco.com/services/support/advisories"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-26214",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-12T16:01:49.962180Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-12T16:02:30.926Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "TIBCO BusinessConnect",
"vendor": "TIBCO Software Inc.",
"versions": [
{
"lessThanOrEqual": "7.3.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2023-02-22T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The BusinessConnect UI component of TIBCO Software Inc.\u0027s TIBCO BusinessConnect contains easily exploitable Reflected Cross Site Scripting (XSS) vulnerabilities that allow a low privileged attacker with network access to execute scripts targeting the affected system or the victim\u0027s local system. Affected releases are TIBCO Software Inc.\u0027s TIBCO BusinessConnect: versions 7.3.0 and below."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "In the worst case, if the victim is a privileged administrator, successful execution of these vulnerabilities can result in an attacker gaining full administrative access to the affected system.",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-22T00:00:00.000Z",
"orgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
"shortName": "tibco"
},
"references": [
{
"url": "https://www.tibco.com/services/support/advisories"
}
],
"solutions": [
{
"lang": "en",
"value": "TIBCO has released updated versions of the affected components which address these issues.\n\nTIBCO BusinessConnect versions 7.3.0 and below: update to version 7.3.1 or later"
}
],
"source": {
"discovery": ""
},
"title": "TIBCO BusinessConnect Reflected XSS Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
"assignerShortName": "tibco",
"cveId": "CVE-2023-26214",
"datePublished": "2023-02-22T00:00:00.000Z",
"dateReserved": "2023-02-20T00:00:00.000Z",
"dateUpdated": "2025-03-12T16:02:30.926Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-41565 (GCVE-0-2022-41565)
Vulnerability from cvelistv5 – Published: 2023-02-22 00:00 – Updated: 2024-08-03 12:49
VLAI?
Summary
The Web Application component of TIBCO Software Inc.'s TIBCO EBX and TIBCO Product and Service Catalog powered by TIBCO EBX contains an easily exploitable vulnerability that allows a low privileged attacker with network access to execute a stored XSS on the affected system. Affected releases are TIBCO Software Inc.'s TIBCO EBX: versions 5.9.21 and below, versions 6.0.11 and below and TIBCO Product and Service Catalog powered by TIBCO EBX: versions 1.2.0 and below.
Severity ?
8.7 (High)
CWE
- The impact of this vulnerability includes the theoretical possibility resulting in unauthorized ability to update, insert or delete TIBCO EBX data.
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| TIBCO Software Inc. | TIBCO EBX |
Affected:
unspecified , ≤ 5.9.21
(custom)
Affected: unspecified , ≤ 6.0.11 (custom) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:49:43.191Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.tibco.com/services/support/advisories"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "TIBCO EBX",
"vendor": "TIBCO Software Inc.",
"versions": [
{
"lessThanOrEqual": "5.9.21",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "6.0.11",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "TIBCO Product and Service Catalog powered by TIBCO EBX",
"vendor": "TIBCO Software Inc.",
"versions": [
{
"lessThanOrEqual": "1.2.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2023-02-22T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The Web Application component of TIBCO Software Inc.\u0027s TIBCO EBX and TIBCO Product and Service Catalog powered by TIBCO EBX contains an easily exploitable vulnerability that allows a low privileged attacker with network access to execute a stored XSS on the affected system. Affected releases are TIBCO Software Inc.\u0027s TIBCO EBX: versions 5.9.21 and below, versions 6.0.11 and below and TIBCO Product and Service Catalog powered by TIBCO EBX: versions 1.2.0 and below."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "The impact of this vulnerability includes the theoretical possibility resulting in unauthorized ability to update, insert or delete TIBCO EBX data.",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-22T00:00:00",
"orgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
"shortName": "tibco"
},
"references": [
{
"url": "https://www.tibco.com/services/support/advisories"
}
],
"solutions": [
{
"lang": "en",
"value": "TIBCO has released updated versions of the affected components which address these issues.\n\nTIBCO EBX versions 5.9.21 and below: update to version 5.9.22 or later\nTIBCO EBX versions 6.0.11 and below: update to version 6.0.12 or later\nTIBCO Product and Service Catalog powered by TIBCO EBX versions 1.2.0 and below: update to version 1.2.1 or later"
}
],
"source": {
"discovery": ""
},
"title": "TIBCO EBX Cross Site Scripting (XSS) Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
"assignerShortName": "tibco",
"cveId": "CVE-2022-41565",
"datePublished": "2023-02-22T00:00:00",
"dateReserved": "2022-09-26T00:00:00",
"dateUpdated": "2024-08-03T12:49:43.191Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-41567 (GCVE-0-2022-41567)
Vulnerability from cvelistv5 – Published: 2023-02-22 00:00 – Updated: 2025-03-12 15:03
VLAI?
Summary
The BusinessConnect UI component of TIBCO Software Inc.'s TIBCO BusinessConnect contains an easily exploitable vulnerability that allows a low privileged attacker with network access to execute a cross-site scripting (XSS) attack on the affected system. Affected releases are TIBCO Software Inc.'s TIBCO BusinessConnect: versions 7.3.0 and below.
Severity ?
7.3 (High)
CWE
- Successful execution of this attack could result in the ability to perform actions within the context of another user including reading, updating, inserting, or deleting data accessible to TIBCO BusinessConnect.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| TIBCO Software Inc. | TIBCO BusinessConnect |
Affected:
unspecified , ≤ 7.3.0
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:49:41.904Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.tibco.com/services/support/advisories"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-41567",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-12T15:03:03.006804Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-12T15:03:44.452Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "TIBCO BusinessConnect",
"vendor": "TIBCO Software Inc.",
"versions": [
{
"lessThanOrEqual": "7.3.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2023-02-22T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The BusinessConnect UI component of TIBCO Software Inc.\u0027s TIBCO BusinessConnect contains an easily exploitable vulnerability that allows a low privileged attacker with network access to execute a cross-site scripting (XSS) attack on the affected system. Affected releases are TIBCO Software Inc.\u0027s TIBCO BusinessConnect: versions 7.3.0 and below."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Successful execution of this attack could result in the ability to perform actions within the context of another user including reading, updating, inserting, or deleting data accessible to TIBCO BusinessConnect.",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-22T00:00:00.000Z",
"orgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
"shortName": "tibco"
},
"references": [
{
"url": "https://www.tibco.com/services/support/advisories"
}
],
"solutions": [
{
"lang": "en",
"value": "TIBCO has released updated versions of the affected components which address these issues.\n\nTIBCO BusinessConnect versions 7.3.0 and below: update to version 7.3.1 or later"
}
],
"source": {
"discovery": ""
},
"title": "TIBCO BusinessConnect Stored XSS Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
"assignerShortName": "tibco",
"cveId": "CVE-2022-41567",
"datePublished": "2023-02-22T00:00:00.000Z",
"dateReserved": "2022-09-26T00:00:00.000Z",
"dateUpdated": "2025-03-12T15:03:44.452Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-41564 (GCVE-0-2022-41564)
Vulnerability from cvelistv5 – Published: 2023-02-14 00:00 – Updated: 2025-03-20 20:41
VLAI?
Summary
The Hawk Console component of TIBCO Software Inc.'s TIBCO Hawk and TIBCO Operational Intelligence Hawk RedTail contains a vulnerability that will return the EMS transport password and EMS SSL password to a privileged user. Affected releases are TIBCO Software Inc.'s TIBCO Hawk: versions 6.1.0 through 6.2.1 and TIBCO Operational Intelligence Hawk RedTail: versions 7.0.0 through 7.2.0.
Severity ?
6.8 (Medium)
CWE
- The impact of this vulnerability includes the theoretical possibility of an authenticated Hawk Console user gaining administrative access to the EMS server.
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| TIBCO Software Inc. | TIBCO Hawk |
Affected:
unspecified , ≤ 6.2.1
(custom)
|
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:49:43.251Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.tibco.com/services/support/advisories"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-41564",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-20T20:41:14.840115Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-522",
"description": "CWE-522 Insufficiently Protected Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-20T20:41:27.858Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "TIBCO Hawk",
"vendor": "TIBCO Software Inc.",
"versions": [
{
"lessThanOrEqual": "6.2.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "TIBCO Operational Intelligence Hawk RedTail",
"vendor": "TIBCO Software Inc.",
"versions": [
{
"lessThanOrEqual": "7.2.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2023-02-14T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The Hawk Console component of TIBCO Software Inc.\u0027s TIBCO Hawk and TIBCO Operational Intelligence Hawk RedTail contains a vulnerability that will return the EMS transport password and EMS SSL password to a privileged user. Affected releases are TIBCO Software Inc.\u0027s TIBCO Hawk: versions 6.1.0 through 6.2.1 and TIBCO Operational Intelligence Hawk RedTail: versions 7.0.0 through 7.2.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "The impact of this vulnerability includes the theoretical possibility of an authenticated Hawk Console user gaining administrative access to the EMS server.",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-22T00:00:00.000Z",
"orgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
"shortName": "tibco"
},
"references": [
{
"url": "https://www.tibco.com/services/support/advisories"
}
],
"solutions": [
{
"lang": "en",
"value": "TIBCO has released updated versions of the affected components which address these issues.\n\nTIBCO Hawk versions 6.1.0 through 6.2.1: update to version 6.2.2 or later\nTIBCO Operational Intelligence Hawk RedTail versions 7.0.0 through 7.2.0: update to version 7.2.1 or later"
}
],
"source": {
"discovery": ""
},
"title": "TIBCO Operational Intelligence Hawk Redtail Credential Exposure Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
"assignerShortName": "tibco",
"cveId": "CVE-2022-41564",
"datePublished": "2023-02-14T00:00:00.000Z",
"dateReserved": "2022-09-26T00:00:00.000Z",
"dateUpdated": "2025-03-20T20:41:27.858Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-41562 (GCVE-0-2022-41562)
Vulnerability from cvelistv5 – Published: 2022-12-15 03:44 – Updated: 2024-09-16 22:01
VLAI?
Summary
The HTML escaping component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server, TIBCO JasperReports Server - Community Edition, TIBCO JasperReports Server - Developer Edition, TIBCO JasperReports Server for AWS Marketplace, TIBCO JasperReports Server for AWS Marketplace, TIBCO JasperReports Server for Microsoft Azure, and TIBCO JasperReports Server for Microsoft Azure contains an easily exploitable vulnerability that allows a privileged/administrative attacker with network access to execute an XSS attack on the affected system. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.'s TIBCO JasperReports Server: versions 8.0.2 and below, TIBCO JasperReports Server: version 8.1.0, TIBCO JasperReports Server - Community Edition: versions 8.1.0 and below, TIBCO JasperReports Server - Developer Edition: versions 8.1.0 and below, TIBCO JasperReports Server for AWS Marketplace: versions 8.0.2 and below, TIBCO JasperReports Server for AWS Marketplace: version 8.1.0, TIBCO JasperReports Server for Microsoft Azure: versions 8.0.2 and below, and TIBCO JasperReports Server for Microsoft Azure: version 8.1.0.
Severity ?
8.4 (High)
CWE
- Successful execution of this vulnerability can result in unauthorized read, update, insert or delete access to JasperReports Server and hang or frequently repeatable crash (complete DOS) of the affected system. This vulnerability can allow the attacker to exploit associated resources other than the affected system.
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| TIBCO Software Inc. | TIBCO JasperReports Server |
Affected:
unspecified , ≤ 8.0.2
(custom)
|
|||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:49:41.887Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.tibco.com/services/support/advisories"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.tibco.com/support/advisories/2022/12/tibco-security-advisory-december-13-2022-tibco-jasperreports-server-cve-2022-41562"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "TIBCO JasperReports Server",
"vendor": "TIBCO Software Inc.",
"versions": [
{
"lessThanOrEqual": "8.0.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "TIBCO JasperReports Server",
"vendor": "TIBCO Software Inc.",
"versions": [
{
"status": "affected",
"version": "8.1.0"
}
]
},
{
"product": "TIBCO JasperReports Server - Community Edition",
"vendor": "TIBCO Software Inc.",
"versions": [
{
"lessThanOrEqual": "8.1.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "TIBCO JasperReports Server - Developer Edition",
"vendor": "TIBCO Software Inc.",
"versions": [
{
"lessThanOrEqual": "8.1.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "TIBCO JasperReports Server for AWS Marketplace",
"vendor": "TIBCO Software Inc.",
"versions": [
{
"lessThanOrEqual": "8.0.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "TIBCO JasperReports Server for AWS Marketplace",
"vendor": "TIBCO Software Inc.",
"versions": [
{
"status": "affected",
"version": "8.1.0"
}
]
},
{
"product": "TIBCO JasperReports Server for Microsoft Azure",
"vendor": "TIBCO Software Inc.",
"versions": [
{
"lessThanOrEqual": "8.0.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "TIBCO JasperReports Server for Microsoft Azure",
"vendor": "TIBCO Software Inc.",
"versions": [
{
"status": "affected",
"version": "8.1.0"
}
]
}
],
"datePublic": "2022-12-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The HTML escaping component of TIBCO Software Inc.\u0027s TIBCO JasperReports Server, TIBCO JasperReports Server, TIBCO JasperReports Server - Community Edition, TIBCO JasperReports Server - Developer Edition, TIBCO JasperReports Server for AWS Marketplace, TIBCO JasperReports Server for AWS Marketplace, TIBCO JasperReports Server for Microsoft Azure, and TIBCO JasperReports Server for Microsoft Azure contains an easily exploitable vulnerability that allows a privileged/administrative attacker with network access to execute an XSS attack on the affected system. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.\u0027s TIBCO JasperReports Server: versions 8.0.2 and below, TIBCO JasperReports Server: version 8.1.0, TIBCO JasperReports Server - Community Edition: versions 8.1.0 and below, TIBCO JasperReports Server - Developer Edition: versions 8.1.0 and below, TIBCO JasperReports Server for AWS Marketplace: versions 8.0.2 and below, TIBCO JasperReports Server for AWS Marketplace: version 8.1.0, TIBCO JasperReports Server for Microsoft Azure: versions 8.0.2 and below, and TIBCO JasperReports Server for Microsoft Azure: version 8.1.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Successful execution of this vulnerability can result in unauthorized read, update, insert or delete access to JasperReports Server and hang or frequently repeatable crash (complete DOS) of the affected system. This vulnerability can allow the attacker to exploit associated resources other than the affected system.",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-13T00:00:00",
"orgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
"shortName": "tibco"
},
"references": [
{
"url": "https://www.tibco.com/services/support/advisories"
},
{
"url": "https://www.tibco.com/support/advisories/2022/12/tibco-security-advisory-december-13-2022-tibco-jasperreports-server-cve-2022-41562"
}
],
"solutions": [
{
"lang": "en",
"value": "TIBCO has released updated versions of the affected components which address these issues.\n\nTIBCO JasperReports Server versions 8.0.2 and below: update to version 8.0.3 or later\nTIBCO JasperReports Server version 8.1.0: update to version 8.1.1 or later\nTIBCO JasperReports Server - Community Edition versions 8.1.0 and below: update to version 8.1.1 or later\nTIBCO JasperReports Server - Developer Edition versions 8.1.0 and below: update to version 8.1.1 or later\nTIBCO JasperReports Server for AWS Marketplace versions 8.0.2 and below: update to version 8.0.3 or later\nTIBCO JasperReports Server for AWS Marketplace version 8.1.0: update to version 8.1.1 or later\nTIBCO JasperReports Server for Microsoft Azure versions 8.0.2 and below: update to version 8.0.3 or later\nTIBCO JasperReports Server for Microsoft Azure version 8.1.0: update to version 8.1.1 or later"
}
],
"source": {
"discovery": ""
},
"title": "TIBCO JasperReports Server XSS Issue on Roles"
}
},
"cveMetadata": {
"assignerOrgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
"assignerShortName": "tibco",
"cveId": "CVE-2022-41562",
"datePublished": "2022-12-15T03:44:03.964951Z",
"dateReserved": "2022-09-26T00:00:00",
"dateUpdated": "2024-09-16T22:01:43.407Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}