CVE-2016-7033
bpms: stored XSS in dashbuilder
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Multiple cross-site scripting (XSS) vulnerabilities in the admin pages in dashbuilder in Red Hat JBoss BPM Suite 6.3.2 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Múltiples vulnerabilidades de XSS en las páginas de admin en dashbuilder en Red Hat JBoss BPM Suite 6.3.2 permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de vectores no especificados.
JBoss BRMS 6 and BPM Suite 6 are vulnerable to a stored XSS via dashbuilder. Remote, authenticated attackers that have privileges to access dashbuilder (usually admins) can store scripts in several editable fields, which are not properly sanitized before showing to other users, including other admins.
Red Hat JBoss BPM Suite is a business rules and processes management system for the management, storage, creation, modification, and deployment of JBoss rules and BPMN2-compliant business processes. This release of Red Hat JBoss BPM Suite 6.4.1 serves as a replacement for Red Hat JBoss BPM Suite 6.4.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Multiple security issues have been addressed.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2016-08-23 CVE Reserved
- 2016-09-07 CVE Published
- 2024-08-06 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (4)
URL | Tag | Source |
---|---|---|
http://www.securityfocus.com/bid/92762 | Third Party Advisory |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
http://rhn.redhat.com/errata/RHSA-2017-0249.html | 2018-01-05 | |
https://bugzilla.redhat.com/show_bug.cgi?id=1373344 | 2017-02-02 | |
https://access.redhat.com/security/cve/CVE-2016-7033 | 2017-02-02 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Redhat Search vendor "Redhat" | Jboss Bpm Suite Search vendor "Redhat" for product "Jboss Bpm Suite" | 6.3.2 Search vendor "Redhat" for product "Jboss Bpm Suite" and version "6.3.2" | - |
Affected
|