CVE-2017-5532

TIBCO JasperReports persistent cross site scripting

Severity Score

5.4

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A vulnerability in the report renderer component of TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO JasperReports Library, TIBCO JasperReports Library for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, TIBCO Jaspersoft Reporting and Analytics for AWS, TIBCO Jaspersoft Studio, and TIBCO Jaspersoft Studio for ActiveMatrix BPM may allow a subset of authorized users to perform persistent cross-site scripting (XSS) attacks. Affected releases are TIBCO JasperReports Server 6.2.3 and below; 6.3.0; 6.3.1; 6.3.2; 6.4.0, TIBCO JasperReports Server Community Edition 6.4.0 and below, TIBCO JasperReports Server for ActiveMatrix BPM 6.4.0 and below, TIBCO JasperReports Library 6.2.3 and below; 6.3.0; 6.3.1; 6.3.2; 6.4.0; 6.4.1, TIBCO JasperReports Library for ActiveMatrix BPM 6.4.1 and below, TIBCO Jaspersoft for AWS with Multi-Tenancy 6.4.0 and below, TIBCO Jaspersoft Reporting and Analytics for AWS 6.4.0 and below, TIBCO Jaspersoft Studio 6.2.3 and below; 6.3.0; 6.3.1; 6.3.2; 6.4.0, and TIBCO Jaspersoft Studio for ActiveMatrix BPM 6.4.0 and below.

Una vulnerabilidad en el componente de renderización de informes en TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO JasperReports Library, TIBCO JasperReports Library for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, TIBCO Jaspersoft Reporting and Analytics for AWS, TIBCO Jaspersoft Studio y TIBCO Jaspersoft Studio for ActiveMatrix BPM podría permitir que un subconjunto de usuarios autorizados lleve a cabo ataques de Cross-Site Scripting (XSS) persistente. Las versiones afectadas son TIBCO JasperReports Server 6.2.3 y anteriores; 6.3.0; 6.3.1; 6.3.2; 6.4.0, TIBCO JasperReports Server Community Edition 6.4.0 y anteriores, TIBCO JasperReports Server for ActiveMatrix BPM 6.4.0 y anteriores, TIBCO JasperReports Library 6.2.3 y anteriores; 6.3.0; 6.3.1; 6.3.2; 6.4.0; 6.4.1, TIBCO JasperReports Library for ActiveMatrix BPM 6.4.1 y anteriores, TIBCO Jaspersoft for AWS with Multi-Tenancy 6.4.0 y anteriores, TIBCO Jaspersoft Reporting and Analytics for AWS 6.4.0 y anteriores, TIBCO Jaspersoft Studio 6.2.3 y anteriores; 6.3.0; 6.3.1; 6.3.2; 6.4.0 y TIBCO Jaspersoft Studio for ActiveMatrix BPM 6.4.0 y anteriores.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

Single

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2017-01-19 CVE Reserved
2017-11-15 CVE Published
2023-09-25 EPSS Updated
2024-09-16 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC

References (2)

URL	Tag	Source
http://www.securityfocus.com/bid/101873	Issue Tracking

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://www.tibco.com/support/advisories/2017/11/tibco-security-advisory-november-15-2017-tibco-jasperreports-2017-5532	2019-10-09

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Tibco Search vendor "Tibco"		Jasperreports Server Search vendor "Tibco" for product "Jasperreports Server"				<= 6.2.3 Search vendor "Tibco" for product "Jasperreports Server" and version " <= 6.2.3"		-		Affected
Tibco Search vendor "Tibco"		Jasperreports Server Search vendor "Tibco" for product "Jasperreports Server"				6.3.0 Search vendor "Tibco" for product "Jasperreports Server" and version "6.3.0"		-		Affected
Tibco Search vendor "Tibco"		Jasperreports Server Search vendor "Tibco" for product "Jasperreports Server"				6.3.1 Search vendor "Tibco" for product "Jasperreports Server" and version "6.3.1"		-		Affected
Tibco Search vendor "Tibco"		Jasperreports Server Search vendor "Tibco" for product "Jasperreports Server"				6.3.2 Search vendor "Tibco" for product "Jasperreports Server" and version "6.3.2"		-		Affected
Tibco Search vendor "Tibco"		Jasperreports Server Search vendor "Tibco" for product "Jasperreports Server"				6.4.0 Search vendor "Tibco" for product "Jasperreports Server" and version "6.4.0"		-		Affected
Tibco Search vendor "Tibco"		Jasperreports Server Search vendor "Tibco" for product "Jasperreports Server"				<= 6.4.0 Search vendor "Tibco" for product "Jasperreports Server" and version " <= 6.4.0"		community		Affected
Tibco Search vendor "Tibco"		Jasperreports Server Search vendor "Tibco" for product "Jasperreports Server"				<= 6.4.0 Search vendor "Tibco" for product "Jasperreports Server" and version " <= 6.4.0"		activematrix_bpm		Affected
Tibco Search vendor "Tibco"		Jasperreports Library Search vendor "Tibco" for product "Jasperreports Library"				<= 6.2.3 Search vendor "Tibco" for product "Jasperreports Library" and version " <= 6.2.3"		-		Affected
Tibco Search vendor "Tibco"		Jasperreports Library Search vendor "Tibco" for product "Jasperreports Library"				6.3.0 Search vendor "Tibco" for product "Jasperreports Library" and version "6.3.0"		-		Affected
Tibco Search vendor "Tibco"		Jasperreports Library Search vendor "Tibco" for product "Jasperreports Library"				6.3.1 Search vendor "Tibco" for product "Jasperreports Library" and version "6.3.1"		-		Affected
Tibco Search vendor "Tibco"		Jasperreports Library Search vendor "Tibco" for product "Jasperreports Library"				6.3.2 Search vendor "Tibco" for product "Jasperreports Library" and version "6.3.2"		-		Affected
Tibco Search vendor "Tibco"		Jasperreports Library Search vendor "Tibco" for product "Jasperreports Library"				6.4.0 Search vendor "Tibco" for product "Jasperreports Library" and version "6.4.0"		-		Affected
Tibco Search vendor "Tibco"		Jasperreports Library Search vendor "Tibco" for product "Jasperreports Library"				6.4.1 Search vendor "Tibco" for product "Jasperreports Library" and version "6.4.1"		-		Affected
Tibco Search vendor "Tibco"		Jasperreports Library Search vendor "Tibco" for product "Jasperreports Library"				<= 6.4.1 Search vendor "Tibco" for product "Jasperreports Library" and version " <= 6.4.1"		activematrix_bpm		Affected
Tibco Search vendor "Tibco"		Jaspersoft Search vendor "Tibco" for product "Jaspersoft"				<= 6.4.0 Search vendor "Tibco" for product "Jaspersoft" and version " <= 6.4.0"		aws_with_multi-tenancy		Affected
Tibco Search vendor "Tibco"		Jaspersoft Reporting And Analytics Search vendor "Tibco" for product "Jaspersoft Reporting And Analytics"				<= 6.4.0 Search vendor "Tibco" for product "Jaspersoft Reporting And Analytics" and version " <= 6.4.0"		aws		Affected
Tibco Search vendor "Tibco"		Jaspersoft Studio Search vendor "Tibco" for product "Jaspersoft Studio"				<= 6.2.3 Search vendor "Tibco" for product "Jaspersoft Studio" and version " <= 6.2.3"		-		Affected
Tibco Search vendor "Tibco"		Jaspersoft Studio Search vendor "Tibco" for product "Jaspersoft Studio"				6.3.0 Search vendor "Tibco" for product "Jaspersoft Studio" and version "6.3.0"		-		Affected
Tibco Search vendor "Tibco"		Jaspersoft Studio Search vendor "Tibco" for product "Jaspersoft Studio"				6.3.1 Search vendor "Tibco" for product "Jaspersoft Studio" and version "6.3.1"		-		Affected
Tibco Search vendor "Tibco"		Jaspersoft Studio Search vendor "Tibco" for product "Jaspersoft Studio"				6.3.2 Search vendor "Tibco" for product "Jaspersoft Studio" and version "6.3.2"		-		Affected
Tibco Search vendor "Tibco"		Jaspersoft Studio Search vendor "Tibco" for product "Jaspersoft Studio"				6.4.0 Search vendor "Tibco" for product "Jaspersoft Studio" and version "6.4.0"		-		Affected
Tibco Search vendor "Tibco"		Jaspersoft Studio Search vendor "Tibco" for product "Jaspersoft Studio"				<= 6.4.0 Search vendor "Tibco" for product "Jaspersoft Studio" and version " <= 6.4.0"		activematrix_bpm		Affected