TIBCO ActiveMatrix BPM CVE-2019-8995 Open Redirection Vulnerability



TIBCO ActiveMatrix BPM is prone to an open-redirection vulnerability because it fails to properly validate user-supplied input.
An attacker can leverage this issue by constructing a crafted URI and enticing a user to follow it. When an unsuspecting victim follows the link, they may be redirected to an attacker-controlled site; this may aid in phishing attacks. Other attacks are possible.
The following TIBCO ActiveMatrix BPM versions are vulnerable:
TIBCO ActiveMatrix BPM versions 4.2.0 and prior
TIBCO Silver Fabric for ActiveMatrix BPM Distribution versions 4.2.0 and prior
TIBCO Silver Fabric Enabler for ActiveMatrix BPM versions 1.4.1 and prior

Information

Bugtraq ID: 108062
Class: Input Validation Error
CVE: CVE-2019-8995

Remote: Yes
Local: No
Published: Apr 24 2019 12:00AM
Updated: Apr 24 2019 12:00AM
Credit: TIBCO.
Vulnerable: TIBCO Silver Fabric for ActiveMatrix BPM Distribution 4.2
TIBCO Silver Fabric for ActiveMatrix BPM Distribution 4.1
TIBCO Silver Fabric Enabler for ActiveMatrix BPM 1.4.1
TIBCO Silver Fabric Enabler for ActiveMatrix BPM 1.4
TIBCO ActiveMatrix BPM 4.2
TIBCO ActiveMatrix BPM 1.3
TIBCO ActiveMatrix BPM 1.0.3
TIBCO ActiveMatrix BPM 1.0.2


Not Vulnerable: TIBCO Silver Fabric for ActiveMatrix BPM Distribution 4.3
TIBCO Silver Fabric Enabler for ActiveMatrix BPM 1.4.2
TIBCO ActiveMatrix BPM 4.3


Exploit


An attacker can exploit this issue by enticing an unsuspecting victim to follow a malicious URL.

