CVE-2020-9416

TIBCO Spotfire Stored Cross Site Scripting Vulnerability

Severity Score

5.4

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The Spotfire client component of TIBCO Software Inc.'s TIBCO Spotfire Analyst, TIBCO Spotfire Analytics Platform for AWS Marketplace, TIBCO Spotfire Desktop, and TIBCO Spotfire Server contains a vulnerability that theoretically allows a legitimate user to inject scripts. If executed by a victim authenticated to the affected system these scripts will be executed at the privileges of the victim. Affected releases are TIBCO Software Inc.'s TIBCO Spotfire Analyst: versions 10.7.0, 10.8.0, 10.9.0, and 10.10.0, TIBCO Spotfire Analytics Platform for AWS Marketplace: versions 10.7.0, 10.8.0, 10.8.1, 10.9.0, 10.10.0, and 10.10.1, TIBCO Spotfire Desktop: versions 10.7.0, 10.8.0, 10.9.0, and 10.10.0, and TIBCO Spotfire Server: versions 10.7.0, 10.8.0, 10.8.1, 10.9.0, 10.10.0, and 10.10.1.

El componente cliente Spotfire de TIBCO Spotfire Analyst, TIBCO Spotfire Analytics Platform para AWS Marketplace, TIBCO Spotfire Desktop y TIBCO Spotfire Server; de TIBCO Software Inc, contiene una vulnerabilidad que teóricamente permite a un usuario legítimo inyectar scripts. Si los ejecuta una víctima autenticada en el sistema afectado, estos scripts serán ejecutados con los privilegios de la víctima. Las versiones afectadas son TIBCO Spotfire Analyst: versiones 10.7.0, 10.8.0, 10.9.0 y 10.10.0, TIBCO Spotfire Analytics Platform para AWS Marketplace: versiones 10.7.0, 10.8.0, 10.8. 1, 10.9.0, 10.10.0 y 10.10.1, TIBCO Spotfire Desktop: versiones 10.7.0, 10.8.0, 10.9.0 y 10.10.0, y TIBCO Spotfire Server: versiones 10.7.0, 10.8.0 , 10.8.1, 10.9.0, 10.10.0 y 10.10.1; de TIBCO Software Inc

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

Low

Availability

Low

Attack Vector

Network

Attack Complexity

Medium

Authentication

Single

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-02-26 CVE Reserved
2020-09-15 CVE Published
2023-03-08 EPSS Updated
2024-09-16 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC

References (2)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
http://www.tibco.com/services/support/advisories	2023-11-07
https://www.tibco.com/support/advisories/2020/09/tibco-security-advisory-september-15-2020-tibco-spotfire	2023-11-07

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Tibco Search vendor "Tibco"		Spotfire Analyst Search vendor "Tibco" for product "Spotfire Analyst"				10.7.0 Search vendor "Tibco" for product "Spotfire Analyst" and version "10.7.0"		-		Affected
Tibco Search vendor "Tibco"		Spotfire Analyst Search vendor "Tibco" for product "Spotfire Analyst"				10.8.0 Search vendor "Tibco" for product "Spotfire Analyst" and version "10.8.0"		-		Affected
Tibco Search vendor "Tibco"		Spotfire Analyst Search vendor "Tibco" for product "Spotfire Analyst"				10.9.0 Search vendor "Tibco" for product "Spotfire Analyst" and version "10.9.0"		-		Affected
Tibco Search vendor "Tibco"		Spotfire Analyst Search vendor "Tibco" for product "Spotfire Analyst"				10.10.0 Search vendor "Tibco" for product "Spotfire Analyst" and version "10.10.0"		-		Affected
Tibco Search vendor "Tibco"		Spotfire Analytics Platform Search vendor "Tibco" for product "Spotfire Analytics Platform"				10.7.0 Search vendor "Tibco" for product "Spotfire Analytics Platform" and version "10.7.0"		aws_marketplace		Affected
Tibco Search vendor "Tibco"		Spotfire Analytics Platform Search vendor "Tibco" for product "Spotfire Analytics Platform"				10.8.0 Search vendor "Tibco" for product "Spotfire Analytics Platform" and version "10.8.0"		aws_marketplace		Affected
Tibco Search vendor "Tibco"		Spotfire Analytics Platform Search vendor "Tibco" for product "Spotfire Analytics Platform"				10.8.1 Search vendor "Tibco" for product "Spotfire Analytics Platform" and version "10.8.1"		aws_marketplace		Affected
Tibco Search vendor "Tibco"		Spotfire Analytics Platform Search vendor "Tibco" for product "Spotfire Analytics Platform"				10.9.0 Search vendor "Tibco" for product "Spotfire Analytics Platform" and version "10.9.0"		aws_marketplace		Affected
Tibco Search vendor "Tibco"		Spotfire Analytics Platform Search vendor "Tibco" for product "Spotfire Analytics Platform"				10.10.0 Search vendor "Tibco" for product "Spotfire Analytics Platform" and version "10.10.0"		aws_marketplace		Affected
Tibco Search vendor "Tibco"		Spotfire Analytics Platform Search vendor "Tibco" for product "Spotfire Analytics Platform"				10.10.1 Search vendor "Tibco" for product "Spotfire Analytics Platform" and version "10.10.1"		aws_marketplace		Affected
Tibco Search vendor "Tibco"		Spotfire Desktop Search vendor "Tibco" for product "Spotfire Desktop"				10.7.0 Search vendor "Tibco" for product "Spotfire Desktop" and version "10.7.0"		-		Affected
Tibco Search vendor "Tibco"		Spotfire Desktop Search vendor "Tibco" for product "Spotfire Desktop"				10.8.0 Search vendor "Tibco" for product "Spotfire Desktop" and version "10.8.0"		-		Affected
Tibco Search vendor "Tibco"		Spotfire Desktop Search vendor "Tibco" for product "Spotfire Desktop"				10.9.0 Search vendor "Tibco" for product "Spotfire Desktop" and version "10.9.0"		-		Affected
Tibco Search vendor "Tibco"		Spotfire Desktop Search vendor "Tibco" for product "Spotfire Desktop"				10.10.0 Search vendor "Tibco" for product "Spotfire Desktop" and version "10.10.0"		-		Affected
Tibco Search vendor "Tibco"		Spotfire Server Search vendor "Tibco" for product "Spotfire Server"				10.7.0 Search vendor "Tibco" for product "Spotfire Server" and version "10.7.0"		-		Affected
Tibco Search vendor "Tibco"		Spotfire Server Search vendor "Tibco" for product "Spotfire Server"				10.8.0 Search vendor "Tibco" for product "Spotfire Server" and version "10.8.0"		-		Affected
Tibco Search vendor "Tibco"		Spotfire Server Search vendor "Tibco" for product "Spotfire Server"				10.8.1 Search vendor "Tibco" for product "Spotfire Server" and version "10.8.1"		-		Affected
Tibco Search vendor "Tibco"		Spotfire Server Search vendor "Tibco" for product "Spotfire Server"				10.9.0 Search vendor "Tibco" for product "Spotfire Server" and version "10.9.0"		-		Affected
Tibco Search vendor "Tibco"		Spotfire Server Search vendor "Tibco" for product "Spotfire Server"				10.10.0 Search vendor "Tibco" for product "Spotfire Server" and version "10.10.0"		-		Affected
Tibco Search vendor "Tibco"		Spotfire Server Search vendor "Tibco" for product "Spotfire Server"				10.10.1 Search vendor "Tibco" for product "Spotfire Server" and version "10.10.1"		-		Affected