Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2017-2674

JBoss BRMS 6 and BPM Suite 6 before 6.4.3 are vulnerable to a stored XSS via several lists in Business Central. The flaw is due to lack of sanitation of user input when creating new lists. Remote, authenticated attackers that have privileges to create lists can store scripts in them, which are not properly sanitized before showing to other users, including admins.

Published

2018-07-27T18:29:01.237

Last Modified

2024-11-21T03:23:57.243

Status

Modified

Source

[email protected]

Severity

CVSSv3.0: 6.1 (MEDIUM)

CVSSv2 Vector

AV:N/AC:M/Au:S/C:N/I:P/A:N

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

6.8

Impact Score

2.9

Weaknesses

Type: Secondary
CWE-20
Type: Primary
CWE-79

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	redhat	jboss_bpm_suite	< 6.4.3	Yes

References

http://www.securityfocus.com/bid/98390 Third Party Advisory, VDB Entry ([email protected])
https://access.redhat.com/errata/RHSA-2017:1217 Broken Link, Vendor Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2017:1218 Broken Link, Vendor Advisory ([email protected])
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2674 Issue Tracking, Vendor Advisory ([email protected])
http://www.securityfocus.com/bid/98390 Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2017:1217 Broken Link, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2017:1218 Broken Link, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2674 Issue Tracking, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)