CVSS: 9.8EPSS: 0%CPEs: 7EXPL: 0CVE-2018-18814 – TIBCO Spotfire Authentication Vulnerability
https://notcve.org/view.php?id=CVE-2018-18814
The TIBCO Spotfire authentication component of TIBCO Software Inc.'s TIBCO Spotfire Analytics Platform for AWS Marketplace, and TIBCO Spotfire Server contains a vulnerability in the handling of the authentication that theoretically may allow an attacker to gain full access to a target account, independent of configured authentication mechanisms. Affected releases are TIBCO Software Inc. TIBCO Spotfire Analytics Platform for AWS Marketplace: versions up to and including 10.0.0, and TIBCO Spotfire Server: versions up to and including 7.10.1; 7.11.0; 7.11.1; 7.12.0; 7.13.0; 7.14.0. El componente de autenticación TIBCO Spotfire de TIBCO Spotfire Analytics Platform for AWS Marketplace y TIBCO Spotfire Server, de TIBCO Software Inc., contiene una vulnerabilidad en el manejo de la autenticación que, en teoría, podría permitir que un atacante obtenga acceso total a una cuenta objetivo, independientemente de los mecanismos de autenticación configurados. • http://www.securityfocus.com/bid/106635 http://www.tibco.com/services/support/advisories https://www.tibco.com/support/advisories/2019/01/tibco-security-advisory-january-16-2019-tibco-spotfire-2018-18814 • CWE-287: Improper Authentication •
CVSS: 6.5EPSS: 0%CPEs: 8EXPL: 0CVE-2018-18812 – TIBCO Spotfire Fails To Prevent Write Access to Spotfire Library
https://notcve.org/view.php?id=CVE-2018-18812
The Spotfire Library component of TIBCO Software Inc.'s TIBCO Spotfire Analytics Platform for AWS Marketplace, and TIBCO Spotfire Server contains a vulnerability that might theoretically fail to restrict users with read-only access from modifying files stored in the Spotfire Library, only when the Spotfire Library is configured to use external storage. Affected releases are TIBCO Software Inc.'s TIBCO Spotfire Analytics Platform for AWS Marketplace versions up to and including 10.0.0, and TIBCO Spotfire Server versions up to and including 7.10.1; 7.11.0; 7.11.1; 7.12.0; 7.13.0; 7.14.0; 10.0.0. El componente Spotfire Library de TIBCO Spotfire Analytics Platform for AWS Marketplace y TIBCO Spotfire Server, de TIBCO Software Inc., contiene una vulnerabilidad que, en teoría, podría hacer que no se restrinja a los usuarios con acceso de solo lectura la modificación de archivos almacenados en la biblioteca de Spotfire, solo cuando ésta está configurada para que emplee el almacenamiento externo. • http://www.securityfocus.com/bid/106635 http://www.tibco.com/services/support/advisories https://www.tibco.com/support/advisories/2019/01/tibco-security-advisory-january-16-2019-tibco-spotfire-2018-18812 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 8.8EPSS: 0%CPEs: 8EXPL: 0CVE-2018-18813 – TIBCO Spotfire Reflected and Persistent Cross-Site Scripting Vulnerabilities
https://notcve.org/view.php?id=CVE-2018-18813
The Spotfire web server component of TIBCO Software Inc.'s TIBCO Spotfire Analytics Platform for AWS Marketplace, and TIBCO Spotfire Server contains multiple vulnerabilities that may allow persistent and reflected cross-site scripting attacks. Affected releases are TIBCO Software Inc. TIBCO Spotfire Analytics Platform for AWS Marketplace: versions up to and including 10.0.0, and TIBCO Spotfire Server: versions up to and including 7.10.1; 7.11.0; 7.11.1; 7.12.0; 7.13.0; 7.14.0; 10.0.0. El componente del servidor web Spotfire de TIBCO Spotfire Analytics Platform for AWS Marketplace y TIBCO Spotfire Server, de TIBCO Software Inc., contiene múltiples vulnerabilidades que podrían permitir ataques de Componente persistente y reflejado. • http://www.securityfocus.com/bid/106635 http://www.tibco.com/services/support/advisories https://www.tibco.com/support/advisories/2019/01/tibco-security-advisory-january-16-2019-tibco-spotfire-2018-18813 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 6EXPL: 0CVE-2018-5436 – TIBCO Spotfire Server information disclosure vulnerabilities
https://notcve.org/view.php?id=CVE-2018-5436
The Spotfire server component of TIBCO Software Inc.'s TIBCO Spotfire Analytics Platform for AWS Marketplace, and TIBCO Spotfire Server contain multiple vulnerabilities that may allow for the disclosure of information, including user and data source credentials. Affected releases are TIBCO Software Inc.'s TIBCO Spotfire Analytics Platform for AWS Marketplace: versions up to and including 7.12.0, TIBCO Spotfire Server: versions up to and including 7.8.1; 7.9.0; 7.10.0; 7.11.0; 7.12.0. El componente del servidor Spotfire de TIBCO Spotfire Analytics Platform for AWS Marketplace y TIBCO Spotfire Server, de TIBCO Software Inc., contiene múltiples vulnerabilidades que podrían permitir una divulgación de información, incluyendo las credenciales de usuario y de origen de datos. • http://www.tibco.com/services/support/advisories https://www.tibco.com/support/advisories/2018/06/tibco-security-advisory-june-26-2018-tibco-spotfire-2018-5436 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.5EPSS: 0%CPEs: 7EXPL: 0CVE-2017-5527 – TIBCO Spotfire injection vulnerabilities
https://notcve.org/view.php?id=CVE-2017-5527
TIBCO Spotfire Server 7.0.X before 7.0.2, 7.5.x before 7.5.1, 7.6.x before 7.6.1, 7.7.x before 7.7.1, and 7.8.x before 7.8.1 and Spotfire Analytics Platform for AWS Marketplace 7.8.0 and earlier contain multiple vulnerabilities which may allow authorized users to perform SQL injection attacks. Spotfire Server versiones 7.0.X y anteriores a 7.0.2, versiones 7.5.x y anteriores a 7.5.1, versiones 7.6.x y anteriores a 7.6.1, versiones 7.7.x y anteriores a 7.7.1, y las versiones 7.8.x y anteriores a 7.8.1, y Spotfire Analytics Platform versión 7.8.0 y anteriores, de TIBCO para AWS Marketplace, contienen varias vulnerabilidades que pueden permitir a los usuarios autorizados realizar ataques de inyección SQL. • http://www.securityfocus.com/bid/98398 http://www.tibco.com/support/advisories/2017/05/tibco-security-advisory-may-9-2017-tibco-spotfire-server • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •