// For flags

CVE-2016-8608

Stored XSS in business process editor

Severity Score

5.4
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

JBoss BRMS 6 and BPM Suite 6 are vulnerable to a stored XSS via business process editor. The flaw is due to an incomplete fix for CVE-2016-5398. Remote, authenticated attackers that have privileges to create business processes can store scripts in them, which are not properly sanitized before showing to other users, including admins.

JBoss BRMS 6 y BPM Suite 6 son vulnerables a Cross-Site Scripting (XSS) persistente mediante el editor de procesos de negocio. Este error existe debido a una soluciĆ³n incompleta para CVE-2016-5398. Los atacantes remotos autenticados que tienen privilegios para crear procesos de negocio pueden almacenar scripts en ellos, que no se sanean correctamente antes de mostrarlos a otros usuarios, incluyendo los administradores.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
Attack Vector
Network
Attack Complexity
Medium
Authentication
Single
Confidentiality
None
Integrity
Partial
Availability
None
Attack Vector
Network
Attack Complexity
Low
Authentication
Single
Confidentiality
Partial
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2016-10-12 CVE Reserved
  • 2016-11-29 CVE Published
  • 2023-07-26 EPSS Updated
  • 2024-08-06 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Redhat
Search vendor "Redhat"
Jboss Bpm Suite
Search vendor "Redhat" for product "Jboss Bpm Suite"
6.0.0
Search vendor "Redhat" for product "Jboss Bpm Suite" and version "6.0.0"
-
Affected
Redhat
Search vendor "Redhat"
Jboss Business Rules Management System
Search vendor "Redhat" for product "Jboss Business Rules Management System"
6.0.0
Search vendor "Redhat" for product "Jboss Business Rules Management System" and version "6.0.0"
-
Affected