CVSS: 8.1EPSS: 0%CPEs: 2EXPL: 0CVE-2019-8988 – TIBCO Spotfire Data Science Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2019-8988
The application server component of TIBCO Software Inc.'s TIBCO Data Science for AWS, and TIBCO Spotfire Data Science contains a persistent cross-site contains a vulnerability that theoretically allows a user to escalate their privileges on the affected system, in a way that may allow for data modifications and deletions that should be denied. Affected releases are TIBCO Software Inc.'s TIBCO Data Science for AWS: versions up to and including 6.4.0, and TIBCO Spotfire Data Science: versions up to and including 6.4.0. El componente del servidor de aplicaciones de TIBCO Data Science for AWS y TIBCO Spotfire Data Science, de TIBCO Software Inc., contiene una vulnerabilidad de Cross-Site Scripting (XSS) persistente que, en teoría, permite que un usuario escale privilegios en el sistema afectado, de forma que permitiría modificar o eliminar datos, algo que debería estar prohibido. • http://www.securityfocus.com/bid/107593 http://www.tibco.com/services/support/advisories https://www.tibco.com/support/advisories/2019/03/tibco-security-advisory-march-26-2019-tibco-spotfire-data-science-2019-8988 •
CVSS: 7.6EPSS: 0%CPEs: 2EXPL: 0CVE-2019-8987 – TIBCO Spotfire Data Science Vulnerable to Persistent Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-8987
The application server component of TIBCO Software Inc.'s TIBCO Data Science for AWS, and TIBCO Spotfire Data Science contains a persistent cross-site scripting vulnerability that theoretically allows an authenticated user to gain access to all the capabilities of the web interface available to more privileged users. Affected releases are TIBCO Software Inc.'s TIBCO Data Science for AWS: versions up to and including 6.4.0, and TIBCO Spotfire Data Science: versions up to and including 6.4.0. El componente del servidor de la aplicación de TIBCO Data Science for AWS y TIBCO Spotfire Data Science, de TIBCO Software Inc., contiene una vulnerabilidad de Cross-Site Scripting (XSS) persistente que, en teoría, permite que un usuario autenticado obtenga acceso a todas las funcionalidades de la interfaz web disponibles para los usuarios con más privilegios. • http://www.securityfocus.com/bid/107595 http://www.tibco.com/services/support/advisories https://www.tibco.com/support/advisories/2019/03/tibco-security-advisory-march-26-2019-tibco-spotfire-data-science-2019-8987 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 9EXPL: 0CVE-2018-18815 – TIBCO JasperReports Server User Information Disclosure
https://notcve.org/view.php?id=CVE-2018-18815
The REST API component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, and TIBCO Jaspersoft Reporting and Analytics for AWS contains a vulnerability that theoretically allows unauthenticated users to bypass authorization checks for portions of the HTTP interface to the JasperReports Server. Affected releases are TIBCO Software Inc.'s TIBCO JasperReports Server: 6.4.0; 6.4.1; 6.4.2; 6.4.3; 7.1.0, TIBCO JasperReports Server Community Edition: versions up to and including 7.1.0, TIBCO JasperReports Server for ActiveMatrix BPM: versions up to and including 6.4.3, TIBCO Jaspersoft for AWS with Multi-Tenancy: versions up to and including 7.1.0, and TIBCO Jaspersoft Reporting and Analytics for AWS: versions up to and including 7.1.0. El componente REST API de TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy y TIBCO Jaspersoft Reporting and Analytics for AWS, de TIBCO Software Inc., contiene una vulnerabilidad que, teóricamente, permite a los usuarios no autenticados omitir las comprobaciones de autorización para segmentos de la interfaz HTTP en el servidor de JasperReports. • http://www.securityfocus.com/bid/107346 http://www.tibco.com/services/support/advisories https://www.tibco.com/support/advisories/2019/03/tibco-security-advisory-march-6-2019-tibco-jasperreports-library-2018-18809 https://www.tibco.com/support/advisories/2019/03/tibco-security-advisory-march-6-2019-tibco-jasperreports-server-2018-18815 https://www.zerodayinitiative.com/advisories/ZDI-19-305 • CWE-863: Incorrect Authorization •
CVSS: 7.7EPSS: 0%CPEs: 6EXPL: 0CVE-2019-8986 – TIBCO JasperReports Server XML Entity Expansion Vulnerability
https://notcve.org/view.php?id=CVE-2019-8986
The SOAP API component vulnerability of TIBCO Software Inc.'s TIBCO JasperReports Server, and TIBCO JasperReports Server for ActiveMatrix BPM contains a vulnerability that may allow a malicious authenticated user to copy text files from the host operating system. Affected releases are TIBCO Software Inc.'s TIBCO JasperReports Server: versions up to and including 6.3.4; 6.4.0; 6.4.1; 6.4.2; 6.4.3, TIBCO JasperReports Server for ActiveMatrix BPM: versions up to and including 6.4.3. La vulnerabilidad del API del componente SOAP de TIBCO JasperReports Server y TIBCO JasperReports Server for ActiveMatrix BPM de TIBCO Software Inc. contiene una vulnerabilidad que podría permitir a un usuario autenticado malicioso copiar archivos de texto desde el sistema operativo host. • http://www.tibco.com/services/support/advisories https://www.tibco.com/support/advisories/2019/03/tibco-security-advisory-march-6-2019-tibco-jasperreports-server-2018-8986 •
CVSS: 8.8EPSS: 0%CPEs: 10EXPL: 0CVE-2018-18808 – TIBCO JasperReports Server Privilege Escalation Via Race Condition
https://notcve.org/view.php?id=CVE-2018-18808
The domain management component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, and TIBCO Jaspersoft Reporting and Analytics for AWS contains a race-condition vulnerability that may allow any users with domain save privileges to gain superuser privileges. Affected releases are TIBCO Software Inc.'s TIBCO JasperReports Server: versions up to and including 6.3.4; 6.4.0; 6.4.1; 6.4.2; 6.4.3; 7.1.0, TIBCO JasperReports Server Community Edition: versions up to and including 7.1.0, TIBCO JasperReports Server for ActiveMatrix BPM: versions up to and including 6.4.3, TIBCO Jaspersoft for AWS with Multi-Tenancy: versions up to and including 7.1.0, and TIBCO Jaspersoft Reporting and Analytics for AWS: versions up to and including 7.1.0. El componente de gestión de dominios de TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy y TIBCO Jaspersoft Reporting and Analytics for AWS, de TIBCO Software Inc., contiene una vulnerabilidad de condición de carrera que podría permitir a los usuarios con permisos de guardado de dominio ganar privilegios de superusuario. • http://www.securityfocus.com/bid/107350 http://www.tibco.com/services/support/advisories https://www.tibco.com/support/advisories/2019/03/tibco-security-advisory-march-6-2019-tibco-jasperreports-server-2018-18808 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •