CVE-2017-7463 – business-central: Reflected XSS in artifact upload error message
https://notcve.org/view.php?id=CVE-2017-7463
JBoss BRMS 6 and BPM Suite 6 before 6.4.3 are vulnerable to a reflected XSS via artifact upload. A malformed XML file, if uploaded, causes an error message to appear that includes part of the bad XML code verbatim without filtering out scripts. Successful exploitation would allow execution of script code within the context of the affected user. JBoss BRMS 6 y BPM Suite 6 en versiones anteriores a la 6.4.3 son vulnerables a un Cross-Site Scripting (XSS) reflejado a través de la carga de artefactos. Un archivo XML mal formado, si se carga, provoca que aparezca un mensaje de error que incluye parte del código XML incorrecto verbatim sin filtrar los scripts. • http://www.securityfocus.com/bid/98385 https://access.redhat.com/errata/RHSA-2017:1217 https://access.redhat.com/errata/RHSA-2017:1218 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7463 https://access.redhat.com/security/cve/CVE-2017-7463 https://bugzilla.redhat.com/show_bug.cgi?id=1439823 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2017-2674 – business-central: Multiple stored XSS in task and process filters
https://notcve.org/view.php?id=CVE-2017-2674
JBoss BRMS 6 and BPM Suite 6 before 6.4.3 are vulnerable to a stored XSS via several lists in Business Central. The flaw is due to lack of sanitation of user input when creating new lists. Remote, authenticated attackers that have privileges to create lists can store scripts in them, which are not properly sanitized before showing to other users, including admins. JBoss BRMS 6 y BPM Suite 6 en versiones anteriores a la 6.4.3 son vulnerables a un Cross-Site Scripting (XSS) persistente a través de varias listas en Business Central. La vulnerabilidad se debe a la falta de saneamiento de las entradas de los usuarios al crear nuevas listas. • http://www.securityfocus.com/bid/98390 https://access.redhat.com/errata/RHSA-2017:1217 https://access.redhat.com/errata/RHSA-2017:1218 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2674 https://access.redhat.com/security/cve/CVE-2017-2674 https://bugzilla.redhat.com/show_bug.cgi?id=1439819 • CWE-20: Improper Input Validation CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2016-6343 – Dashbuilder: Reflected XSS
https://notcve.org/view.php?id=CVE-2016-6343
JBoss BPM Suite 6 is vulnerable to a reflected XSS via dashbuilder. Remote attackers can entice authenticated users that have privileges to access dashbuilder (usually admins) to click on links to /dashbuilder/Controller containing malicious scripts. Successful exploitation would allow execution of script code within the context of the affected user. JBoss BPM Suite 6 es vulnerable a Cross-Site Scripting (XSS) reflejado mediante dashbuilder. Los atacantes remotos pueden engañar a los usuarios autenticados con privilegios de acceso a dashbuilder (normalmente, los administradores) para que hagan clic en enlaces a /dashbuilder/Controller que contienen scripts maliciosos. su explotación con éxito podría permitir la ejecución de código script en el contexto del usuario afectado. • http://rhn.redhat.com/errata/RHSA-2017-0557.html http://www.securityfocus.com/bid/96987 https://access.redhat.com/errata/RHSA-2018:0296 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-6343 https://access.redhat.com/security/cve/CVE-2016-6343 https://bugzilla.redhat.com/show_bug.cgi?id=1371801 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2017-2658 – Dashbuilder: Lack of clickjacking protection on the login page
https://notcve.org/view.php?id=CVE-2017-2658
It was discovered that the Dashbuilder login page as used in Red Hat JBoss BPM Suite before 6.4.2 and Red Hat JBoss Data Virtualization & Services before 6.4.3 could be opened in an IFRAME, which made it possible to intercept and manipulate requests. An attacker could use this flaw to trick a user into performing arbitrary actions in the Console (clickjacking). Se ha descubierto que la página de inicio de sesión de Dashbuilder tal y como se utilizaba en Red Hat JBoss BPM Suite en versiones anteriores a la 6.4.2 y en Red Hat JBoss Data Virtualization Services en versiones anteriores a la 6.4.3 podía abrirse en un IFRAME, lo que permitía interceptar y manipular las solicitudes. Un atacante podría usar este defecto para engañar a un usuario para que realice acciones arbitrarias en la consola (clickjacking). It was discovered that the Dashbuilder login page could be opened in an IFRAME, which made it possible to intercept and manipulate requests. • http://rhn.redhat.com/errata/RHSA-2017-0557.html http://www.securityfocus.com/bid/97025 https://access.redhat.com/errata/RHSA-2018:2243 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2658 https://access.redhat.com/security/cve/CVE-2017-2658 https://bugzilla.redhat.com/show_bug.cgi?id=1433087 • CWE-20: Improper Input Validation •
CVE-2016-5398 – stored XSS in JBoss BPM suite business process editor
https://notcve.org/view.php?id=CVE-2016-5398
Cross-site scripting (XSS) vulnerability in Business Process Editor in Red Hat JBoss BPM Suite before 6.3.3 allows remote authenticated users to inject arbitrary web script or HTML by levering permission to create business processes. Vulnerabilidad de XSS en Business Process Editor en Red Hat JBoss BPM Suite en versiones anteriores a 6.3.3 permite a usuarios remotos autenticados inyectar secuencias de comandos web o HTML arbitrarios apalancando los permisos para crear procesos de negocio. A security flaw was found in the way Business Process Editor displays the business process details to the user. A remote authenticated attacker with privilege to create business processes could use this flaw to conduct stored XSS attacks against other users. • http://rhn.redhat.com/errata/RHSA-2016-1968.html http://rhn.redhat.com/errata/RHSA-2016-1969.html http://www.securityfocus.com/bid/93219 https://bugzilla.redhat.com/show_bug.cgi?id=1358523 https://access.redhat.com/security/cve/CVE-2016-5398 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •