Vulnerability-Lookup

CVE-2017-5528 (GCVE-0-2017-5528)

Vulnerability from cvelistv5 – Published: 2017-06-29 14:00 – Updated: 2024-09-16 16:58

Title

TIBCO JasperReports Server cross-site vulnerabilities

Summary

Multiple JasperReports Server components contain vulnerabilities which may allow authorized users to perform cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks. The impact of this vulnerability includes the theoretical disclosure of sensitive information. Affects TIBCO JasperReports Server (versions 6.1.1 and below, 6.2.0, 6.2.1, and 6.3.0), TIBCO JasperReports Server Community Edition (versions 6.3.0 and below), TIBCO JasperReports Server for ActiveMatrix BPM (versions 6.2.0 and below), TIBCO Jaspersoft for AWS with Multi-Tenancy (versions 6.2.0 and below), and TIBCO Jaspersoft Reporting and Analytics for AWS (versions 6.2.0 and below).

Severity ?

5.7 (Medium)


                        
                          CVSS:3.0/A:N/AC:L/AV:N/C:H/I:N/PR:L/S:U/UI:R

CWE

Cross site scripting

Assigner

tibco

References

URL

Tags

https://www.tibco.com/support/advisories/2017/06/…

x_refsource_CONFIRM

Impacted products

Vendor

Product

Version

TIBCO Software Inc.

TIBCO JasperReports Server

Affected: unspecified , ≤ 6.1.1 (custom)
Affected: 6.2.0
Affected: 6.2.1
Affected: 6.3.0

TIBCO Software Inc.	TIBCO JasperReports Server Community Edition	Affected: unspecified , ≤ 6.3.0 (custom)
TIBCO Software Inc.	TIBCO JasperReports Server for ActiveMatrix BPM	Affected: unspecified , ≤ 6.2.0 (custom)
TIBCO Software Inc.	TIBCO Jaspersoft for AWS with Multi-Tenancy	Affected: unspecified , ≤ 6.3.0 (custom)
TIBCO Software Inc.	TIBCO Jaspersoft Reporting and Analytics for AWS	Affected: unspecified , ≤ 6.3.0 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T15:04:14.869Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.tibco.com/support/advisories/2017/06/tibco-security-advisory-june-28-2017-tibco-jasperreports-server-2017"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "TIBCO JasperReports Server",
          "vendor": "TIBCO Software Inc.",
          "versions": [
            {
              "lessThanOrEqual": "6.1.1",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "status": "affected",
              "version": "6.2.0"
            },
            {
              "status": "affected",
              "version": "6.2.1"
            },
            {
              "status": "affected",
              "version": "6.3.0"
            }
          ]
        },
        {
          "product": "TIBCO JasperReports Server Community Edition",
          "vendor": "TIBCO Software Inc.",
          "versions": [
            {
              "lessThanOrEqual": "6.3.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "TIBCO JasperReports Server for ActiveMatrix BPM",
          "vendor": "TIBCO Software Inc.",
          "versions": [
            {
              "lessThanOrEqual": "6.2.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "TIBCO Jaspersoft for AWS with Multi-Tenancy",
          "vendor": "TIBCO Software Inc.",
          "versions": [
            {
              "lessThanOrEqual": "6.3.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "TIBCO Jaspersoft Reporting and Analytics for AWS",
          "vendor": "TIBCO Software Inc.",
          "versions": [
            {
              "lessThanOrEqual": "6.3.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2017-06-28T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Multiple JasperReports Server components contain vulnerabilities which may allow authorized users to perform cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks.  The impact of this vulnerability includes the theoretical disclosure of sensitive information.  Affects TIBCO JasperReports Server (versions 6.1.1 and below, 6.2.0, 6.2.1, and 6.3.0), TIBCO JasperReports Server Community Edition (versions 6.3.0 and below), TIBCO JasperReports Server for ActiveMatrix BPM (versions 6.2.0 and below), TIBCO Jaspersoft for AWS with Multi-Tenancy (versions 6.2.0 and below), and TIBCO Jaspersoft Reporting and Analytics for AWS (versions 6.2.0 and below)."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/A:N/AC:L/AV:N/C:H/I:N/PR:L/S:U/UI:R",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Cross site scripting",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-06-29T14:57:01.000Z",
        "orgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
        "shortName": "tibco"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.tibco.com/support/advisories/2017/06/tibco-security-advisory-june-28-2017-tibco-jasperreports-server-2017"
        }
      ],
      "title": "TIBCO JasperReports Server cross-site vulnerabilities",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@tibco.com",
          "DATE_PUBLIC": "2017-06-28T09:00:00-07",
          "ID": "CVE-2017-5528",
          "STATE": "PUBLIC",
          "TITLE": "TIBCO JasperReports Server cross-site vulnerabilities"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "TIBCO JasperReports Server",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "6.1.1"
                          },
                          {
                            "version_value": "6.2.0"
                          },
                          {
                            "version_value": "6.2.1"
                          },
                          {
                            "version_value": "6.3.0"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "TIBCO JasperReports Server Community Edition",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "6.3.0"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "TIBCO JasperReports Server for ActiveMatrix BPM",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "6.2.0"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "TIBCO Jaspersoft for AWS with Multi-Tenancy",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "6.3.0"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "TIBCO Jaspersoft Reporting and Analytics for AWS",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "6.3.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "TIBCO Software Inc."
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Multiple JasperReports Server components contain vulnerabilities which may allow authorized users to perform cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks.  The impact of this vulnerability includes the theoretical disclosure of sensitive information.  Affects TIBCO JasperReports Server (versions 6.1.1 and below, 6.2.0, 6.2.1, and 6.3.0), TIBCO JasperReports Server Community Edition (versions 6.3.0 and below), TIBCO JasperReports Server for ActiveMatrix BPM (versions 6.2.0 and below), TIBCO Jaspersoft for AWS with Multi-Tenancy (versions 6.2.0 and below), and TIBCO Jaspersoft Reporting and Analytics for AWS (versions 6.2.0 and below)."
            }
          ]
        },
        "impact": {
          "cvssv3": {
            "BM": {
              "A": "N",
              "AC": "L",
              "AV": "N",
              "C": "H",
              "I": "N",
              "PR": "L",
              "S": "U",
              "UI": "R"
            }
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Cross site scripting"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.tibco.com/support/advisories/2017/06/tibco-security-advisory-june-28-2017-tibco-jasperreports-server-2017",
              "refsource": "CONFIRM",
              "url": "https://www.tibco.com/support/advisories/2017/06/tibco-security-advisory-june-28-2017-tibco-jasperreports-server-2017"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
    "assignerShortName": "tibco",
    "cveId": "CVE-2017-5528",
    "datePublished": "2017-06-29T14:00:00.000Z",
    "dateReserved": "2017-01-19T00:00:00.000Z",
    "dateUpdated": "2024-09-16T16:58:24.595Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

GHSA-899X-3FCR-8P3X

Vulnerability from github – Published: 2022-05-13 01:06 – Updated: 2022-05-13 01:06

Details

Severity ?

8.8 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2017-5528"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-352"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-06-29T14:29:00Z",
    "severity": "HIGH"
  },
  "details": "Multiple JasperReports Server components contain vulnerabilities which may allow authorized users to perform cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks.  The impact of this vulnerability includes the theoretical disclosure of sensitive information.  Affects TIBCO JasperReports Server (versions 6.1.1 and below, 6.2.0, 6.2.1, and 6.3.0), TIBCO JasperReports Server Community Edition (versions 6.3.0 and below), TIBCO JasperReports Server for ActiveMatrix BPM (versions 6.2.0 and below), TIBCO Jaspersoft for AWS with Multi-Tenancy (versions 6.2.0 and below), and TIBCO Jaspersoft Reporting and Analytics for AWS (versions 6.2.0 and below).",
  "id": "GHSA-899x-3fcr-8p3x",
  "modified": "2022-05-13T01:06:17Z",
  "published": "2022-05-13T01:06:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5528"
    },
    {
      "type": "WEB",
      "url": "https://www.tibco.com/support/advisories/2017/06/tibco-security-advisory-june-28-2017-tibco-jasperreports-server-2017"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

FKIE_CVE-2017-5528

Vulnerability from fkie_nvd - Published: 2017-06-29 14:29 - Updated: 2025-04-20 01:37

Severity ?

8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary

References

	URL	Tags
	security@tibco.com	https://www.tibco.com/support/advisories/2017/06/tibco-security-advisory-june-28-2017-tibco-jasperreports-server-2017	Vendor Advisory
	af854a3a-2127-422b-91ae-364da2661108	https://www.tibco.com/support/advisories/2017/06/tibco-security-advisory-june-28-2017-tibco-jasperreports-server-2017	Vendor Advisory

Impacted products

Vendor	Product	Version
tibco	jasperreports_server	*
tibco	jasperreports_server	6.2.0
tibco	jasperreports_server	6.2.1
tibco	jasperreports_server	6.3.0
tibco	jasperreports_server	*
tibco	jasperreports_server	*
tibco	jaspersoft	*
tibco	jaspersoft_reporting_and_analytics	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:tibco:jasperreports_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "EB779293-3B1E-4EFA-9949-194F50DF7829",
              "versionEndIncluding": "6.1.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:tibco:jasperreports_server:6.2.0:*:*:*:-:-:*:*",
              "matchCriteriaId": "992BFF82-BB2B-4208-B3AA-6C93F9154722",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:tibco:jasperreports_server:6.2.1:*:*:*:-:-:*:*",
              "matchCriteriaId": "672D50A6-5A35-494B-B6E0-C52E64DED77E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:tibco:jasperreports_server:6.3.0:*:*:*:-:-:*:*",
              "matchCriteriaId": "AF03FFD8-AD8E-4F8E-8D5D-0675850E87B9",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:tibco:jasperreports_server:*:*:*:*:community:*:*:*",
              "matchCriteriaId": "53588A16-9E0B-4B9D-80C6-E73406404F96",
              "versionEndIncluding": "6.3.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:tibco:jasperreports_server:*:*:*:*:*:activematrix_bpm:*:*",
              "matchCriteriaId": "196B8920-FCBC-401E-A09C-1023A7B29319",
              "versionEndIncluding": "6.2.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:tibco:jaspersoft:*:*:*:*:*:aws_with_multi-tenancy:*:*",
              "matchCriteriaId": "FC9BE526-F462-46F7-A67A-8C46E5E7FBC5",
              "versionEndIncluding": "6.2.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:tibco:jaspersoft_reporting_and_analytics:*:*:*:*:*:aws:*:*",
              "matchCriteriaId": "C3E68AF5-ED4C-4FEE-9B60-593033371DBB",
              "versionEndIncluding": "6.2.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Multiple JasperReports Server components contain vulnerabilities which may allow authorized users to perform cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks.  The impact of this vulnerability includes the theoretical disclosure of sensitive information.  Affects TIBCO JasperReports Server (versions 6.1.1 and below, 6.2.0, 6.2.1, and 6.3.0), TIBCO JasperReports Server Community Edition (versions 6.3.0 and below), TIBCO JasperReports Server for ActiveMatrix BPM (versions 6.2.0 and below), TIBCO Jaspersoft for AWS with Multi-Tenancy (versions 6.2.0 and below), and TIBCO Jaspersoft Reporting and Analytics for AWS (versions 6.2.0 and below)."
    },
    {
      "lang": "es",
      "value": "M\u00faltiples componentes JasperReports Server contienen vulnerabilidades que podr\u00edan permitir que usuarios autorizados realicen ataques de Cross-Site Scripting (XSS) y Cross-Site Request Forgery (CSRF).  El impacto de esta vulnerabilidad incluye la revelaci\u00f3n te\u00f3rica de informaci\u00f3n sensible.  Afecta a TIBCO JasperReports Server (versiones 6.1.1 y anteriores, 6.2.0, 6.2.1 y 6.3.0), TIBCO JasperReports Server Community Edition (versiones 6.3.0 y anteriores), TIBCO JasperReports Server for ActiveMatrix BPM (versiones 6.2.0 y anteriores), TIBCO Jaspersoft for AWS with Multi-Tenancy (versiones 6.2.0 y anteriores) y TIBCO Jaspersoft Reporting and Analytics for AWS (versiones 6.2.0 y anteriores)."
    }
  ],
  "id": "CVE-2017-5528",
  "lastModified": "2025-04-20T01:37:25.860",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.8,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.7,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.1,
        "impactScore": 3.6,
        "source": "security@tibco.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2017-06-29T14:29:00.180",
  "references": [
    {
      "source": "security@tibco.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.tibco.com/support/advisories/2017/06/tibco-security-advisory-june-28-2017-tibco-jasperreports-server-2017"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.tibco.com/support/advisories/2017/06/tibco-security-advisory-june-28-2017-tibco-jasperreports-server-2017"
    }
  ],
  "sourceIdentifier": "security@tibco.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GSD-2017-5528

Vulnerability from gsd - Updated: 2023-12-13 01:21

Details

Aliases

CVE-2017-5528

Aliases

CVE-2017-5528

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2017-5528",
    "description": "Multiple JasperReports Server components contain vulnerabilities which may allow authorized users to perform cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks.  The impact of this vulnerability includes the theoretical disclosure of sensitive information.  Affects TIBCO JasperReports Server (versions 6.1.1 and below, 6.2.0, 6.2.1, and 6.3.0), TIBCO JasperReports Server Community Edition (versions 6.3.0 and below), TIBCO JasperReports Server for ActiveMatrix BPM (versions 6.2.0 and below), TIBCO Jaspersoft for AWS with Multi-Tenancy (versions 6.2.0 and below), and TIBCO Jaspersoft Reporting and Analytics for AWS (versions 6.2.0 and below).",
    "id": "GSD-2017-5528"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2017-5528"
      ],
      "details": "Multiple JasperReports Server components contain vulnerabilities which may allow authorized users to perform cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks.  The impact of this vulnerability includes the theoretical disclosure of sensitive information.  Affects TIBCO JasperReports Server (versions 6.1.1 and below, 6.2.0, 6.2.1, and 6.3.0), TIBCO JasperReports Server Community Edition (versions 6.3.0 and below), TIBCO JasperReports Server for ActiveMatrix BPM (versions 6.2.0 and below), TIBCO Jaspersoft for AWS with Multi-Tenancy (versions 6.2.0 and below), and TIBCO Jaspersoft Reporting and Analytics for AWS (versions 6.2.0 and below).",
      "id": "GSD-2017-5528",
      "modified": "2023-12-13T01:21:13.373754Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@tibco.com",
        "DATE_PUBLIC": "2017-06-28T09:00:00-07",
        "ID": "CVE-2017-5528",
        "STATE": "PUBLIC",
        "TITLE": "TIBCO JasperReports Server cross-site vulnerabilities"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "TIBCO JasperReports Server",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c=",
                          "version_value": "6.1.1"
                        },
                        {
                          "version_value": "6.2.0"
                        },
                        {
                          "version_value": "6.2.1"
                        },
                        {
                          "version_value": "6.3.0"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "TIBCO JasperReports Server Community Edition",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c=",
                          "version_value": "6.3.0"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "TIBCO JasperReports Server for ActiveMatrix BPM",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c=",
                          "version_value": "6.2.0"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "TIBCO Jaspersoft for AWS with Multi-Tenancy",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c=",
                          "version_value": "6.3.0"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "TIBCO Jaspersoft Reporting and Analytics for AWS",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c=",
                          "version_value": "6.3.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "TIBCO Software Inc."
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Multiple JasperReports Server components contain vulnerabilities which may allow authorized users to perform cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks.  The impact of this vulnerability includes the theoretical disclosure of sensitive information.  Affects TIBCO JasperReports Server (versions 6.1.1 and below, 6.2.0, 6.2.1, and 6.3.0), TIBCO JasperReports Server Community Edition (versions 6.3.0 and below), TIBCO JasperReports Server for ActiveMatrix BPM (versions 6.2.0 and below), TIBCO Jaspersoft for AWS with Multi-Tenancy (versions 6.2.0 and below), and TIBCO Jaspersoft Reporting and Analytics for AWS (versions 6.2.0 and below)."
          }
        ]
      },
      "impact": {
        "cvssv3": {
          "BM": {
            "A": "N",
            "AC": "L",
            "AV": "N",
            "C": "H",
            "I": "N",
            "PR": "L",
            "S": "U",
            "SCORE": "5.7",
            "UI": "R"
          }
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Cross site scripting"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://www.tibco.com/support/advisories/2017/06/tibco-security-advisory-june-28-2017-tibco-jasperreports-server-2017",
            "refsource": "CONFIRM",
            "url": "https://www.tibco.com/support/advisories/2017/06/tibco-security-advisory-june-28-2017-tibco-jasperreports-server-2017"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:tibco:jasperreports_server:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "6.1.1",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:tibco:jasperreports_server:6.2.0:*:*:*:-:-:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:tibco:jasperreports_server:6.2.1:*:*:*:-:-:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:tibco:jasperreports_server:6.3.0:*:*:*:-:-:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:tibco:jasperreports_server:*:*:*:*:community:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "6.3.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:tibco:jasperreports_server:*:*:*:*:*:activematrix_bpm:*:*",
                "cpe_name": [],
                "versionEndIncluding": "6.2.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:tibco:jaspersoft:*:*:*:*:*:aws_with_multi-tenancy:*:*",
                "cpe_name": [],
                "versionEndIncluding": "6.2.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:tibco:jaspersoft_reporting_and_analytics:*:*:*:*:*:aws:*:*",
                "cpe_name": [],
                "versionEndIncluding": "6.2.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@tibco.com",
          "ID": "CVE-2017-5528"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Multiple JasperReports Server components contain vulnerabilities which may allow authorized users to perform cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks.  The impact of this vulnerability includes the theoretical disclosure of sensitive information.  Affects TIBCO JasperReports Server (versions 6.1.1 and below, 6.2.0, 6.2.1, and 6.3.0), TIBCO JasperReports Server Community Edition (versions 6.3.0 and below), TIBCO JasperReports Server for ActiveMatrix BPM (versions 6.2.0 and below), TIBCO Jaspersoft for AWS with Multi-Tenancy (versions 6.2.0 and below), and TIBCO Jaspersoft Reporting and Analytics for AWS (versions 6.2.0 and below)."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-352"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.tibco.com/support/advisories/2017/06/tibco-security-advisory-june-28-2017-tibco-jasperreports-server-2017",
              "refsource": "CONFIRM",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://www.tibco.com/support/advisories/2017/06/tibco-security-advisory-june-28-2017-tibco-jasperreports-server-2017"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.8,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2021-09-09T12:41Z",
      "publishedDate": "2017-06-29T14:29Z"
    }
  }
}

CNVD-2017-14025

Vulnerability from cnvd - Published: 2017-07-12

Title

多款TIBCO产品跨站脚本漏洞

Description

TIBCO JasperReports Server等都是美国TIBCO软件公司的产品。TIBCO JasperReports Server是一个报表生成编辑工具的服务器版，TIBCO JasperReports Server Community Edition是它的社区版。多款TIBCO产品中存在安全漏洞。攻击者可利用该漏洞获取信息。

Severity

中

Patch Name

多款TIBCO产品跨站脚本漏洞的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://www.tibco.com/support/advisories/2017/06/tibco-security-advisory-june-28-2017-tibco-jasperreports-server-2017

Reference

https://www.tibco.com/support/advisories/2017/06/tibco-security-advisory-june-28-2017-tibco-jasperreports-server-2017

Impacted products

Name
['TIBCO JasperReports Server <=6.1.1', 'TIBCO JasperReports Server 6.2.0', 'TIBCO JasperReports Server 6.2.1', 'TIBCO JasperReports Server 6.3.0', 'TIBCO JasperReports Server Community Edition <=6.3.0', 'TIBCO JasperReports Server for ActiveMatrix BPM <=6.2.0', 'TIBCO Jaspersoft for AWS with Multi-Tenancy <=6.3.0', 'TIBCO Jaspersoft Reporting and Analytics for AWS <=6.3.0']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-5528",
      "cveUrl": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5528"
    }
  },
  "description": "TIBCO JasperReports Server\u7b49\u90fd\u662f\u7f8e\u56fdTIBCO\u8f6f\u4ef6\u516c\u53f8\u7684\u4ea7\u54c1\u3002TIBCO JasperReports Server\u662f\u4e00\u4e2a\u62a5\u8868\u751f\u6210\u7f16\u8f91\u5de5\u5177\u7684\u670d\u52a1\u5668\u7248\uff0cTIBCO JasperReports Server Community Edition\u662f\u5b83\u7684\u793e\u533a\u7248\u3002\r\n\r\n\u591a\u6b3eTIBCO\u4ea7\u54c1\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u4fe1\u606f\u3002",
  "discovererName": "TIBCO",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://www.tibco.com/support/advisories/2017/06/tibco-security-advisory-june-28-2017-tibco-jasperreports-server-2017",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2017-14025",
  "openTime": "2017-07-12",
  "patchDescription": "TIBCO JasperReports Server\u7b49\u90fd\u662f\u7f8e\u56fdTIBCO\u8f6f\u4ef6\u516c\u53f8\u7684\u4ea7\u54c1\u3002TIBCO JasperReports Server\u662f\u4e00\u4e2a\u62a5\u8868\u751f\u6210\u7f16\u8f91\u5de5\u5177\u7684\u670d\u52a1\u5668\u7248\uff0cTIBCO JasperReports Server Community Edition\u662f\u5b83\u7684\u793e\u533a\u7248\u3002\r\n\r\n\u591a\u6b3eTIBCO\u4ea7\u54c1\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "\u591a\u6b3eTIBCO\u4ea7\u54c1\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "TIBCO JasperReports Server \u003c=6.1.1",
      "TIBCO JasperReports Server  6.2.0",
      "TIBCO JasperReports Server  6.2.1",
      "TIBCO JasperReports Server  6.3.0",
      "TIBCO JasperReports Server Community Edition \u003c=6.3.0",
      "TIBCO JasperReports Server for ActiveMatrix BPM \u003c=6.2.0",
      "TIBCO Jaspersoft for AWS with Multi-Tenancy \u003c=6.3.0",
      "TIBCO Jaspersoft Reporting and Analytics for AWS \u003c=6.3.0"
    ]
  },
  "referenceLink": "https://www.tibco.com/support/advisories/2017/06/tibco-security-advisory-june-28-2017-tibco-jasperreports-server-2017",
  "serverity": "\u4e2d",
  "submitTime": "2017-07-03",
  "title": "\u591a\u6b3eTIBCO\u4ea7\u54c1\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2017-5528 (GCVE-0-2017-5528)

GHSA-899X-3FCR-8P3X

FKIE_CVE-2017-5528

GSD-2017-5528

CNVD-2017-14025

Tags

Sightings

Nomenclature