CVE-2017-5532 – TIBCO JasperReports persistent cross site scripting
https://notcve.org/view.php?id=CVE-2017-5532
A vulnerability in the report renderer component of TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO JasperReports Library, TIBCO JasperReports Library for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, TIBCO Jaspersoft Reporting and Analytics for AWS, TIBCO Jaspersoft Studio, and TIBCO Jaspersoft Studio for ActiveMatrix BPM may allow a subset of authorized users to perform persistent cross-site scripting (XSS) attacks. Affected releases are TIBCO JasperReports Server 6.2.3 and below; 6.3.0; 6.3.1; 6.3.2; 6.4.0, TIBCO JasperReports Server Community Edition 6.4.0 and below, TIBCO JasperReports Server for ActiveMatrix BPM 6.4.0 and below, TIBCO JasperReports Library 6.2.3 and below; 6.3.0; 6.3.1; 6.3.2; 6.4.0; 6.4.1, TIBCO JasperReports Library for ActiveMatrix BPM 6.4.1 and below, TIBCO Jaspersoft for AWS with Multi-Tenancy 6.4.0 and below, TIBCO Jaspersoft Reporting and Analytics for AWS 6.4.0 and below, TIBCO Jaspersoft Studio 6.2.3 and below; 6.3.0; 6.3.1; 6.3.2; 6.4.0, and TIBCO Jaspersoft Studio for ActiveMatrix BPM 6.4.0 and below. Una vulnerabilidad en el componente de renderización de informes en TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO JasperReports Library, TIBCO JasperReports Library for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, TIBCO Jaspersoft Reporting and Analytics for AWS, TIBCO Jaspersoft Studio y TIBCO Jaspersoft Studio for ActiveMatrix BPM podría permitir que un subconjunto de usuarios autorizados lleve a cabo ataques de Cross-Site Scripting (XSS) persistente. Las versiones afectadas son TIBCO JasperReports Server 6.2.3 y anteriores; 6.3.0; 6.3.1; 6.3.2; 6.4.0, TIBCO JasperReports Server Community Edition 6.4.0 y anteriores, TIBCO JasperReports Server for ActiveMatrix BPM 6.4.0 y anteriores, TIBCO JasperReports Library 6.2.3 y anteriores; 6.3.0; 6.3.1; 6.3.2; 6.4.0; 6.4.1, TIBCO JasperReports Library for ActiveMatrix BPM 6.4.1 y anteriores, TIBCO Jaspersoft for AWS with Multi-Tenancy 6.4.0 y anteriores, TIBCO Jaspersoft Reporting and Analytics for AWS 6.4.0 y anteriores, TIBCO Jaspersoft Studio 6.2.3 y anteriores; 6.3.0; 6.3.1; 6.3.2; 6.4.0 y TIBCO Jaspersoft Studio for ActiveMatrix BPM 6.4.0 y anteriores. • http://www.securityfocus.com/bid/101873 https://www.tibco.com/support/advisories/2017/11/tibco-security-advisory-november-15-2017-tibco-jasperreports-2017-5532 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2017-5528 – TIBCO JasperReports Server cross-site vulnerabilities
https://notcve.org/view.php?id=CVE-2017-5528
Multiple JasperReports Server components contain vulnerabilities which may allow authorized users to perform cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks. The impact of this vulnerability includes the theoretical disclosure of sensitive information. Affects TIBCO JasperReports Server (versions 6.1.1 and below, 6.2.0, 6.2.1, and 6.3.0), TIBCO JasperReports Server Community Edition (versions 6.3.0 and below), TIBCO JasperReports Server for ActiveMatrix BPM (versions 6.2.0 and below), TIBCO Jaspersoft for AWS with Multi-Tenancy (versions 6.2.0 and below), and TIBCO Jaspersoft Reporting and Analytics for AWS (versions 6.2.0 and below). Múltiples componentes JasperReports Server contienen vulnerabilidades que podrían permitir que usuarios autorizados realicen ataques de Cross-Site Scripting (XSS) y Cross-Site Request Forgery (CSRF). El impacto de esta vulnerabilidad incluye la revelación teórica de información sensible. • https://www.tibco.com/support/advisories/2017/06/tibco-security-advisory-june-28-2017-tibco-jasperreports-server-2017 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2017-5529 – TIBCO JasperReports Library Information Disclosure
https://notcve.org/view.php?id=CVE-2017-5529
JasperReports library components contain an information disclosure vulnerability. This vulnerability includes the theoretical disclosure of any accessible information from the host file system. Affects TIBCO JasperReports Library Community Edition (versions 6.4.0 and below), TIBCO JasperReports Library for ActiveMatrix BPM (versions 6.2.0 and below), TIBCO JasperReports Professional (versions 6.2.1 and below, and 6.3.0), TIBCO JasperReports Server (versions 6.1.1 and below, 6.2.0, 6.2.1, 6.3.0), TIBCO JasperReports Server Community Edition (versions 6.3.0 and below), TIBCO JasperReports Server for ActiveMatrix BPM (versions 6.2.0 and below), TIBCO Jaspersoft for AWS with Multi-Tenancy (versions 6.3.0 and below), TIBCO Jaspersoft Reporting and Analytics for AWS (versions 6.3.0 and below), and TIBCO Jaspersoft Studio for ActiveMatrix BPM (versions 6.2.0 and below). Los componentes de la biblioteca JasperReports contienen una vulnerabilidad de divulgación de información. Esta vulnerabilidad incluye la divulgación, en teoría, de cualquier información accesible desde el sistema de archivos del host. • http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html https://www.oracle.com/security-alerts/cpuapr2020.html https://www.tibco.com/support/advisories/2017/06/tibco-security-advisory-june-28-2017-tibco-jasperreports-server-2017-0 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •