TIBCO JasperReports persistent cross site scripting Original release date: November 15, 2017 Last revised: -- Source: TIBCO Software Inc. Systems Affected TIBCO JasperReports Server versions 6.2.3 and below TIBCO JasperReports Server versions 6.3.0, 6.3.1, and 6.3.2 TIBCO JasperReports Server version 6.4.0 TIBCO JasperReports Server Community Edition versions 6.4.0 and below TIBCO JasperReports Server for ActiveMatrix BPM versions 6.4.0 and below TIBCO JasperReports Library versions 6.2.3 and below TIBCO JasperReports Library versions 6.3.0, 6.3.1, and 6.3.2 TIBCO JasperReports Library versions 6.4.0, and 6.4.1 TIBCO JasperReports Library for ActiveMatrix BPM versions 6.4.1 and below TIBCO Jaspersoft for AWS with Multi-Tenancy versions 6.4.0 and below TIBCO Jaspersoft Reporting and Analytics for AWS versions 6.4.0 and below TIBCO Jaspersoft Studio versions 6.2.3 and below TIBCO Jaspersoft Studio versions 6.3.0, 6.3.1, and 6.3.2 TIBCO Jaspersoft Studio version 6.4.0 TIBCO Jaspersoft Studio for ActiveMatrix BPM versions 6.4.0 and below The following components are affected: * report renderer Description The JasperReports components listed above contain a vulnerability which may allow a subset of authorized users to perform persistent cross-site scripting (XSS) attacks. Impact The impact of this vulnerability includes the possibility that a malicious user can gain access to a more privileged account. CVSS v3 Base Score: 5.4 (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N) Solution TIBCO has released updated versions of the affected components which address these issues. For each affected system, update to the corresponding software versions: TIBCO JasperReports Server versions 6.2.X update to version 6.2.4 or higher TIBCO JasperReports Server versions 6.3.X update to version 6.3.3 or higher TIBCO JasperReports Server version 6.4.0 update to version 6.4.2 or higher TIBCO JasperReports Server Community Edition versions 6.4.0 and below update to version 6.4.2 or higher TIBCO JasperReports Server for ActiveMatrix BPM versions 6.4.0 and below update to version 6.4.2 or higher TIBCO JasperReports Library versions 6.2.X update to version 6.2.4 or higher TIBCO JasperReports Library versions 6.3.X update to version 6.3.3 or higher TIBCO JasperReports Library versions 6.4.X update to version 6.4.2 or higher TIBCO JasperReports Library for ActiveMatrix BPM versions 6.4.X update to version 6.4.2 TIBCO Jaspersoft for AWS with Multi-Tenancy versions 6.4.0 and below update to version 6.4.2 or higher TIBCO Jaspersoft Reporting and Analytics for AWS versions 6.4.0 and below update to version 6.4.2 or higher TIBCO Jaspersoft Studio versions 6.2.X update to version 6.2.4 TIBCO Jaspersoft Studio versions 6.3.X update to version 6.3.3 TIBCO Jaspersoft Studio version 6.4.0 update to version 6.4.2 TIBCO Jaspersoft Studio for ActiveMatrix BPM 6.4.0 update to version 6.4.2 References http://www.tibco.com/services/support/advisories CVE: CVE-2017-5532