Red Hat JBoss BRMS and BPM Suite CVE-2017-2674 HTML Injection Vulnerability

Red Hat JBoss BRMS and BPM Suite are prone to an HTML-injection vulnerability because it fails to sanitize user-supplied input.

Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible.

Information

Bugtraq ID: 98390
Class: Input Validation Error
CVE: CVE-2017-2674

Remote: Yes
Local: No
Published: Feb 10 2017 12:00AM
Updated: May 11 2017 08:08AM
Credit: Chris Hebert, Vikas Pandey, Harold Schliesske, Ryan Stanley (Noblis)
Vulnerable: Redhat JBoss BRMS 6.0
Redhat Jboss Bpm Suite 6.0.0

Not Vulnerable: Redhat JBoss BRMS 6.4.3
Redhat Jboss Bpm Suite 6.4.3

Exploit

An attacker can exploit the issue by enticing an unsuspecting user to visit a specially crafted URL.

References:

• Red Hat Homepage (Red Hat)
  
• Bug 1439819 - (CVE-2017-2674) CVE-2017-2674 business-central: Multiple stored XS (Redhat)
  
• RHSA-2017:1217-1: Red Hat JBoss BRMS security update (Redhat)
  
• RHSA-2017:1218-1: Red Hat JBoss BPM Suite security update (Redhat)
  

Source: www.securityfocus.com