CVSS: 6.8EPSS: 0%CPEs: 8EXPL: 0CVE-2024-3331 – Spotfire: NTLM token leakage
https://notcve.org/view.php?id=CVE-2024-3331
Vulnerability in Spotfire Spotfire Enterprise Runtime for R - Server Edition, Spotfire Spotfire Statistics Services, Spotfire Spotfire Analyst, Spotfire Spotfire Desktop, Spotfire Spotfire Server allows The impact of this vulnerability depends on the privileges of the user running the affected software..This issue affects Spotfire Enterprise Runtime for R - Server Edition: from 1.12.7 through 1.20.0; Spotfire Statistics Services: from 12.0.7 through 12.3.1, from 14.0.0 through 14.3.0; Spotfire Analyst: from 12.0.9 through 12.5.0, from 14.0.0 through 14.3.0; Spotfire Desktop: from 14.0 through 14.3.0; Spotfire Server: from 12.0.10 through 12.5.0, from 14.0.0 through 14.3.0. • https://community.spotfire.com/articles/spotfire/spotfire-security-advisory-june-262024-spotfire-cve-2024-3331-r3436 • CWE-863: Incorrect Authorization •
CVSS: 9.9EPSS: 0%CPEs: 6EXPL: 0CVE-2024-3330 – Spotfire Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2024-3330
Vulnerability in Spotfire Spotfire Analyst, Spotfire Spotfire Server, Spotfire Spotfire for AWS Marketplace allows In the case of the installed Windows client: Successful execution of this vulnerability will result in an attacker being able to run arbitrary code.This requires human interaction from a person other than the attacker., In the case of the Web player (Business Author): Successful execution of this vulnerability via the Web Player, will result in the attacker being able to run arbitrary code as the account running the Web player process, In the case of Automation Services: Successful execution of this vulnerability will result in an attacker being able to run arbitrary code via Automation Services..This issue affects Spotfire Analyst: from 12.0.9 through 12.5.0, from 14.0 through 14.0.2; Spotfire Server: from 12.0.10 through 12.5.0, from 14.0 through 14.0.3, from 14.2.0 through 14.3.0; Spotfire for AWS Marketplace: from 14.0 before 14.3.0. • https://community.spotfire.com/articles/spotfire/spotfire-security-advisory-june-262024-spotfire-cve-2024-3330-r3435 • CWE-250: Execution with Unnecessary Privileges •
CVSS: 5.4EPSS: 0%CPEs: 29EXPL: 0CVE-2023-26220 – TIBCO Spotfire Stored Cross-site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2023-26220
The Spotfire Library component of TIBCO Software Inc.'s Spotfire Analyst and Spotfire Server contains an easily exploitable vulnerability that allows a low privileged attacker with network access to execute a Stored Cross Site Scripting (XSS) on the affected system. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.'s Spotfire Analyst: versions 11.4.7 and below, versions 11.5.0, 11.6.0, 11.7.0, 11.8.0, 12.0.0, 12.0.1, 12.0.2, 12.0.3, and 12.0.4, versions 12.1.0 and 12.1.1 and Spotfire Server: versions 11.4.11 and below, versions 11.5.0, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.7.0, 11.8.0, 11.8.1, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, and 12.0.5, versions 12.1.0 and 12.1.1. • https://www.tibco.com/services/support/advisories • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •