Multiple TIBCO Products CVE-2014-2542 Multiple HTML Injection Vulnerabilities



Multiple TIBCO Products are prone to multiple HTML-injection vulnerabilities because they fail to properly sanitize user-supplied input.

Successful exploits will result in the execution of arbitrary attacker-supplied HTML and script code in the context of the affected application, potentially allowing the attacker to steal cookie-based authentication credentials or control how the page is rendered to the user. Other attacks are also possible.

The following products are affected:

TIBCO JasperReports Server 6.2.3 and prior
TIBCO JasperReports Server 6.3.0, 6.3.1, and 6.3.2
TIBCO JasperReports Server 6.4.0
TIBCO JasperReports Server Community Edition 6.4.0 and prior
TIBCO JasperReports Server for ActiveMatrix BPM 6.4.0 and prior
TIBCO JasperReports Library 6.2.3 and prior
TIBCO JasperReports Library 6.3.0, 6.3.1, and 6.3.2
TIBCO JasperReports Library 6.4.0, and 6.4.1
TIBCO JasperReports Library for ActiveMatrix BPM 6.4.1 and prior
TIBCO Jaspersoft for AWS with Multi-Tenancy 6.4.0 and prior
TIBCO Jaspersoft Reporting and Analytics for AWS 6.4.0 and prior
TIBCO Jaspersoft Studio 6.2.3 and prior
TIBCO Jaspersoft Studio 6.3.0, 6.3.1, and 6.3.2
TIBCO Jaspersoft Studio 6.4.0
TIBCO Jaspersoft Studio for ActiveMatrix BPM 6.4.0 and prior

Information

Bugtraq ID: 101873
Class: Input Validation Error
CVE: CVE-2017-5532

Remote: Yes
Local: No
Published: Nov 15 2017 12:00AM
Updated: Nov 17 2017 07:07PM
Credit: The vendor reported this issue.
Vulnerable: TIBCO Jaspersoft Studio for ActiveMatrix BPM 6.4
TIBCO Jaspersoft Studio for ActiveMatrix BPM 6.2
TIBCO Jaspersoft Studio 6.4
TIBCO Jaspersoft Studio 6.3.2
TIBCO Jaspersoft Studio 6.3.1
TIBCO Jaspersoft Studio 6.3
TIBCO Jaspersoft Studio 6.2.3
TIBCO Jaspersoft Reporting and Analytics for AWS 6.4
TIBCO Jaspersoft Reporting and Analytics for AWS 6.3
TIBCO Jaspersoft Reporting and Analytics for AWS 6.1
TIBCO Jaspersoft for AWS with Multi-Tenancy 6.4
TIBCO Jaspersoft for AWS with Multi-Tenancy 6.3
TIBCO Jaspersoft for AWS with Multi-Tenancy 6.1
TIBCO JasperReports Studio 6.4
TIBCO JasperReports Studio 6.3.2
TIBCO JasperReports Studio 6.3
TIBCO JasperReports Studio 6.2.3
TIBCO JasperReports Server for ActiveMatrix BPM 6.4
TIBCO JasperReports Server for ActiveMatrix BPM 6.2
TIBCO JasperReports Server for ActiveMatrix BPM 6.1.1
TIBCO JasperReports Server for ActiveMatrix BPM 5.6.1
TIBCO JasperReports Server Community Edition 6.4
TIBCO JasperReports Server Community Edition 6.3
TIBCO JasperReports Server Community Edition 6.2
TIBCO JasperReports Server Community Edition 6.1
TIBCO JasperReports Server Community Edition 6.0.1
TIBCO JasperReports Server Community Edition 5.6
TIBCO JasperReports Server Community Edition 5.5
TIBCO JasperReports Server Community Edition 5.2
TIBCO JasperReports Server Community Edition 4.2.1
TIBCO JasperReports Server Community Edition 3.7
TIBCO JasperReports Server 6.4
TIBCO JasperReports Server 6.3.2
TIBCO JasperReports Server 6.3.1
TIBCO JasperReports Server 6.3
TIBCO JasperReports Server 6.2.3
TIBCO JasperReports Server 6.2.1
TIBCO JasperReports Server 6.2
TIBCO JasperReports Server 6.1.2
TIBCO JasperReports Server 6.1.1
TIBCO JasperReports Server 6.1
TIBCO JasperReports Library for ActiveMatrix BPM 6.4.1
TIBCO JasperReports Library for ActiveMatrix BPM 6.2
TIBCO JasperReports Library for ActiveMatrix BPM 6.1
TIBCO JasperReports Library for ActiveMatrix BPM 6.0
TIBCO JasperReports Library for ActiveMatrix BPM 5.6
TIBCO JasperReports Library for ActiveMatrix BPM 5.5
TIBCO JasperReports Library for ActiveMatrix BPM 5.2
TIBCO JasperReports Library for ActiveMatrix BPM 5.0
TIBCO JasperReports Library for ActiveMatrix BPM 4.7
TIBCO JasperReports Library for ActiveMatrix BPM 4.5
TIBCO JasperReports Library for ActiveMatrix BPM 4.2
TIBCO JasperReports Library for ActiveMatrix BPM 4.1
TIBCO JasperReports Library for ActiveMatrix BPM 4.0
TIBCO JasperReports Library for ActiveMatrix BPM 3.7
TIBCO JasperReports Library 6.4.1
TIBCO JasperReports Library 6.4
TIBCO JasperReports Library 6.3.2
TIBCO JasperReports Library 6.3.1
TIBCO JasperReports Library 6.3
TIBCO JasperReports Library 6.2.3
TIBCO Jasper Reports Library 6.3.1


Not Vulnerable: TIBCO Jaspersoft Studio for ActiveMatrix BPM 6.4.2
TIBCO Jaspersoft Studio 6.4.2
TIBCO Jaspersoft Studio 6.3.3
TIBCO Jaspersoft Studio 6.2.4
TIBCO Jaspersoft Reporting and Analytics for AWS 6.4.2
TIBCO Jaspersoft for AWS with Multi-Tenancy 6.4.2
TIBCO JasperReports Studio 6.4.2
TIBCO JasperReports Studio 6.3.3
TIBCO JasperReports Studio 6.2.4
TIBCO JasperReports Server for ActiveMatrix BPM 6.4.2
TIBCO JasperReports Server Community Edition 6.4.2
TIBCO JasperReports Server 6.4.2
TIBCO JasperReports Server 6.3.3
TIBCO JasperReports Server 6.2.4
TIBCO JasperReports Library for ActiveMatrix BPM 6.4.2
TIBCO JasperReports Library 6.4.2
TIBCO JasperReports Library 6.3.3
TIBCO JasperReports Library 6.2.4


Exploit


Attackers can exploit these issues by enticing an unsuspecting victim into following a malicious URI.
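Because the attack path described above and in the description is a crafted URI that reflects markup into the page, a defender can look for it in the web server access log. The following is an added example (not part of the advisory or of any TIBCO product) that percent-decodes query parameters, including double-encoded ones, and flags values that contain HTML or script markup; the log format is assumed to be Apache/Tomcat common log format, and the paths, parameter names and log lines are constructed placeholders, not the affected endpoints.

```python
import re
from urllib.parse import unquote_plus

# Heuristics for HTML/script markup in a reflected parameter value (constructed;
# tune to the application's real parameter set).
MARKUP_PATTERNS = [
    re.compile(r"<\s*/?\s*[a-z][a-z0-9]*[^>]*>", re.I),  # any HTML tag
    re.compile(r"\bon[a-z]+\s*=", re.I),                  # event-handler attribute
    re.compile(r"javascript\s*:", re.I),                  # script URI scheme
]

# Apache/Tomcat common log format; only the request-line URI is needed here.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})')

def fully_decode(value, max_rounds=3):
    """Percent-decode until stable (bounded) so double-encoded values are not missed."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(uri):
    """Return {param: decoded_value} for query parameters whose decoded value looks like markup."""
    if "?" not in uri:
        return {}
    hits = {}
    for pair in uri.split("?", 1)[1].split("&"):
        name, _, raw = pair.partition("=")
        decoded = fully_decode(raw)
        if any(p.search(decoded) for p in MARKUP_PATTERNS):
            hits[fully_decode(name)] = decoded
    return hits

def scan_access_log(lines):
    """Return a list of (client_ip, uri, hits) for lines carrying a suspicious reflected parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (hits := suspicious_params(m.group("uri"))):
            findings.append((m.group("ip"), m.group("uri"), hits))
    return findings

# Constructed sample log lines; paths and parameter names are placeholders.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Nov/2017:10:00:01 +0000] "GET /jasperserver/flow.html?reportName=Sales HTTP/1.1" 200 5120',
    '10.0.0.9 - - [15/Nov/2017:10:00:07 +0000] "GET /jasperserver/flow.html?reportName=%3Ci%3Ex%3C%2Fi%3E HTTP/1.1" 200 5301',
    '10.0.0.9 - - [15/Nov/2017:10:00:09 +0000] "GET /jasperserver/flow.html?label=%253Cimg%2520src%253Dx%2520onerror%253Dx%253E HTTP/1.1" 200 5299',
    '10.0.0.2 - - [15/Nov/2017:10:01:00 +0000] "GET /jasperserver/login.html?error=1 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, uri, hits in scan_access_log(SAMPLE_LOG):
        print(ip, uri, hits)
```

The third sample line is double-encoded, which a single-pass decoder would report as harmless; the bounded repeated decoding surfaces it without looping forever on values that happen to contain literal percent signs.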

