Versio.io

CVE-2020-9410

Common vulnerabilities & exposures (CVE)

Published at: 20-05-2020 03:15
Last modified: 28-04-2022 09:30
Total changes: 3

Description

The report generator component of TIBCO Software Inc.'s TIBCO JasperReports Library, TIBCO JasperReports Library for ActiveMatrix BPM, TIBCO JasperReports Server, TIBCO JasperReports Server for AWS Marketplace, and TIBCO JasperReports Server for ActiveMatrix BPM contains a vulnerability that theoretically allows an attacker to exploit HTML injection to gain full control of a web interface containing the output of the report generator component with the privileges of any user that views the affected report(s). The attacker can theoretically exploit this vulnerability when other users view a maliciously generated report, where those reports use Fusion Charts and a data source with contents controlled by the attacker. Affected releases are TIBCO Software Inc.'s TIBCO JasperReports Library: versions 7.1.1 and below, versions 7.2.0 and 7.2.1, version 7.3.0, version 7.5.0, TIBCO JasperReports Library for ActiveMatrix BPM: versions 7.1.1 and below, TIBCO JasperReports Server: versions 7.1.1 and below, version 7.2.0, version 7.5.0, TIBCO JasperReports Server for AWS Marketplace: versions 7.5.0 and below, and TIBCO JasperReports Server for ActiveMatrix BPM: versions 7.1.1 and below.

Common Vulnerability Scoring System (CVSS)

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Base score: 8.8
Exploitability score: 2.8
Impact score: 5.9

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Verification logic

OR
  OR
    vendor=tibco AND product=jasperreports_library AND target_software=- AND versionEndIncluding=7.1.1
    vendor=tibco AND product=jasperreports_library AND target_software=activematrix_bpm AND versionEndIncluding=7.1.1
    vendor=tibco AND product=jasperreports_library AND version=7.2.0
    vendor=tibco AND product=jasperreports_library AND version=7.2.1
    vendor=tibco AND product=jasperreports_library AND version=7.3.0
    vendor=tibco AND product=jasperreports_library AND version=7.5.0
    vendor=tibco AND product=jasperreports_server AND target_software=- AND versionEndIncluding=7.1.1
    vendor=tibco AND product=jasperreports_server AND target_software=activematrix_bpm AND versionEndIncluding=7.1.1
    vendor=tibco AND product=jasperreports_server AND version=7.2.0
    vendor=tibco AND product=jasperreports_server AND version=7.5.0
    vendor=tibco AND product=jasperreports_server AND target_software=aws_marketplace AND versionEndIncluding=7.5.0
  OR
    vendor=oracle AND product=retail_order_broker AND version=15.0
    vendor=oracle AND product=retail_order_broker AND version=16.0

Keywords

NVD, CVE-2020-9410, CVE, Common vulnerabilities & exposures, CVSS, Common vulnerability scoring system, Security, Vulnerabilities, Exposures
