Red Hat JBoss BRMS and BPM Suite CVE-2017-2674 HTML Injection Vulnerability

Red Hat JBoss BRMS and BPM Suite are prone to an HTML-injection vulnerability because they fail to properly sanitize user-supplied input.

Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible.
Bugtraq ID: 98390
Class: Input Validation Error
CVE: CVE-2017-2674

Remote: Yes
Local: No
Published: Feb 10 2017 12:00AM
Updated: May 11 2017 08:08AM
Credit: Chris Hebert, Vikas Pandey, Harold Schliesske, Ryan Stanley (Noblis)
Vulnerable: Red Hat JBoss BRMS 6.0
            Red Hat JBoss BPM Suite 6.0.0

Not Vulnerable: Red Hat JBoss BRMS 6.4.3
                Red Hat JBoss BPM Suite 6.4.3

An attacker can exploit the issue by enticing an unsuspecting user to visit a specially crafted URL.