CVSS: 8.1EPSS: 0%CPEs: 8EXPL: 0CVE-2017-5530 – SAML protocol handling errors in tibbr
https://notcve.org/view.php?id=CVE-2017-5530
The tibbr web server components of tibbr Community, and tibbr Enterprise contain SAML protocol handling errors which may allow authorized users to impersonate other users, and therefore escalate their access privileges. Affected releases are tibbr Community 5.2.1 and below; 6.0.0; 6.0.1; 7.0.0, tibbr Enterprise 5.2.1 and below; 6.0.0; 6.0.1; 7.0.0. Los componentes tibbr web server de tibbr Community y tibbr Enterprise contienen errores de manipulación de protocolo SAML que podrían permitir que usuarios autorizados suplanten a otros usuarios y, por lo tanto, escalen privilegios. Las versiones afectadas son tibbr Community 5.2.1 y anteriores; 6.0.0; 6.0.1; 7.0.0, tibbr Enterprise 5.2.1 y anteriores; 6.0.0; 6.0.1; 7.0.0. • https://www.tibco.com/support/advisories/2017/12/tibco-security-advisory-december-12-2017-tibbr-2017-5530 •
CVSS: 9.0EPSS: 0%CPEs: 8EXPL: 0CVE-2017-5534 – Improper sandboxing of a third-party component in tibbr
https://notcve.org/view.php?id=CVE-2017-5534
The tibbr user profiles components of tibbr Community, and tibbr Enterprise expose a weakness in an improperly sandboxed third-party component. Affected releases are TIBCO Software Inc. tibbr Community 5.2.1 and below; 6.0.0; 6.0.1; 7.0.0, tibbr Enterprise 5.2.1 and below; 6.0.0; 6.0.1; 7.0.0. Los componentes tibbr user profiles de tibbr Community y tibbr Enterprise exponen una debilidad en un componente de terceros incorrectamente analizado en un sandbox. Las versiones afectadas son TIBCO Software Inc. tibbr Community 5.2.1 y anteriores; 6.0.0; 6.0.1; 7.0.0, tibbr Enterprise 5.2.1 y anteriores; 6.0.0; 6.0.1; 7.0.0. • https://www.tibco.com/support/advisories/2017/12/tibco-security-advisory-december-12-2017-tibbr-2017-5534 •
CVSS: 4.8EPSS: 0%CPEs: 2EXPL: 0CVE-2017-16789
https://notcve.org/view.php?id=CVE-2017-16789
Cross-site scripting (XSS) vulnerability in Integration Matters nJAMS 3 before 3.2.0 Hotfix 7, as used in TIBCO BusinessWorks Process Monitor through 3.0.1.3 and other products, allows remote authenticated administrators to inject arbitrary web script or HTML via the users management panel of the web interface. Vulnerabilidad de Cross-Site Scripting (XSS) en Integration Matters nJAMS 3 en versiones anteriores a la 3.2.0 Hotfix 7, tal y como se usa en TIBCO BusinessWorks Process Monitor hasta la versión 3.0.1.3 y otros productos, permite que administradores remotos autenticados inyecten scripts web o HTML arbitrarios mediante el panel de gestión de usuarios de la interfaz web. • https://pastebin.com/AxvP1v2Z https://www.integrationmatters.com/cms/upload/Resources/nJAMS_SecurityUpdate_CVE-2017-16789.pdf https://www.on-x.com/sites/default/files/on-x_-_security_advisory_-_njams3_-_cve-2017-16789.pdf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 5EXPL: 0CVE-2017-5533 – TIBCO JasperReports Server credentials disclosure
https://notcve.org/view.php?id=CVE-2017-5533
A vulnerability in the server content cache of TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, and TIBCO Jaspersoft Reporting and Analytics for AWS contains a vulnerability which fails to prevent remote access to all the contents of the web application, including key configuration files. Affected releases are TIBCO JasperReports Server 6.4.0, TIBCO JasperReports Server Community Edition 6.4.0, TIBCO JasperReports Server for ActiveMatrix BPM 6.4.0, TIBCO Jaspersoft for AWS with Multi-Tenancy 6.4.0, TIBCO Jaspersoft Reporting and Analytics for AWS 6.4.0. Una vulnerabilidad en la caché de contenido del servidor de TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy y TIBCO Jaspersoft Reporting and Analytics for AWS contiene una vulnerabilidad que fracasa a la hora de evitar el acceso remoto a todos los contenidos de la aplicación web, incluyendo archivos clave de configuración. Las versiones afectadas son TIBCO JasperReports Server 6.4.0, TIBCO JasperReports Server Community Edition 6.4.0, TIBCO JasperReports Server for ActiveMatrix BPM 6.4.0, TIBCO Jaspersoft for AWS with Multi-Tenancy 6.4.0 y TIBCO Jaspersoft Reporting and Analytics for AWS 6.4.0. • http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html http://www.securityfocus.com/bid/101878 http://www.tibco.com/support/advisories/2017/11/tibco-security-advisory-november-15-2017-tibco-jasperreports-server-2017 https://www.oracle.com/security-alerts/cpuapr2020.html https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html •
CVSS: 5.4EPSS: 0%CPEs: 22EXPL: 0CVE-2017-5532 – TIBCO JasperReports persistent cross site scripting
https://notcve.org/view.php?id=CVE-2017-5532
A vulnerability in the report renderer component of TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO JasperReports Library, TIBCO JasperReports Library for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, TIBCO Jaspersoft Reporting and Analytics for AWS, TIBCO Jaspersoft Studio, and TIBCO Jaspersoft Studio for ActiveMatrix BPM may allow a subset of authorized users to perform persistent cross-site scripting (XSS) attacks. Affected releases are TIBCO JasperReports Server 6.2.3 and below; 6.3.0; 6.3.1; 6.3.2; 6.4.0, TIBCO JasperReports Server Community Edition 6.4.0 and below, TIBCO JasperReports Server for ActiveMatrix BPM 6.4.0 and below, TIBCO JasperReports Library 6.2.3 and below; 6.3.0; 6.3.1; 6.3.2; 6.4.0; 6.4.1, TIBCO JasperReports Library for ActiveMatrix BPM 6.4.1 and below, TIBCO Jaspersoft for AWS with Multi-Tenancy 6.4.0 and below, TIBCO Jaspersoft Reporting and Analytics for AWS 6.4.0 and below, TIBCO Jaspersoft Studio 6.2.3 and below; 6.3.0; 6.3.1; 6.3.2; 6.4.0, and TIBCO Jaspersoft Studio for ActiveMatrix BPM 6.4.0 and below. Una vulnerabilidad en el componente de renderización de informes en TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO JasperReports Library, TIBCO JasperReports Library for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, TIBCO Jaspersoft Reporting and Analytics for AWS, TIBCO Jaspersoft Studio y TIBCO Jaspersoft Studio for ActiveMatrix BPM podría permitir que un subconjunto de usuarios autorizados lleve a cabo ataques de Cross-Site Scripting (XSS) persistente. Las versiones afectadas son TIBCO JasperReports Server 6.2.3 y anteriores; 6.3.0; 6.3.1; 6.3.2; 6.4.0, TIBCO JasperReports Server Community Edition 6.4.0 y anteriores, TIBCO JasperReports Server for ActiveMatrix BPM 6.4.0 y anteriores, TIBCO JasperReports Library 6.2.3 y anteriores; 6.3.0; 6.3.1; 6.3.2; 6.4.0; 6.4.1, TIBCO JasperReports Library for ActiveMatrix BPM 6.4.1 y anteriores, TIBCO Jaspersoft for AWS with Multi-Tenancy 6.4.0 y anteriores, TIBCO Jaspersoft Reporting and Analytics for AWS 6.4.0 y anteriores, TIBCO Jaspersoft Studio 6.2.3 y anteriores; 6.3.0; 6.3.1; 6.3.2; 6.4.0 y TIBCO Jaspersoft Studio for ActiveMatrix BPM 6.4.0 y anteriores. • http://www.securityfocus.com/bid/101873 https://www.tibco.com/support/advisories/2017/11/tibco-security-advisory-november-15-2017-tibco-jasperreports-2017-5532 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •