TIBCO JasperReports persistent cross site scripting

  Original release date: November 15, 2017
  Last revised: --
  Source: TIBCO Software Inc.


Systems Affected

  TIBCO JasperReports Server versions 6.2.3 and below
  TIBCO JasperReports Server versions 6.3.0, 6.3.1, and 6.3.2
  TIBCO JasperReports Server version 6.4.0

  TIBCO JasperReports Server Community Edition versions 6.4.0 and below

  TIBCO JasperReports Server for ActiveMatrix BPM versions 6.4.0 and below

  TIBCO JasperReports Library versions 6.2.3 and below
  TIBCO JasperReports Library versions 6.3.0, 6.3.1, and 6.3.2
  TIBCO JasperReports Library versions 6.4.0, and 6.4.1

  TIBCO JasperReports Library for ActiveMatrix BPM versions 6.4.1 and below

  TIBCO Jaspersoft for AWS with Multi-Tenancy versions 6.4.0 and below
  
  TIBCO Jaspersoft Reporting and Analytics for AWS versions 6.4.0 and below

  TIBCO Jaspersoft Studio versions 6.2.3 and below
  TIBCO Jaspersoft Studio versions 6.3.0, 6.3.1, and 6.3.2
  TIBCO Jaspersoft Studio version 6.4.0
 
  TIBCO Jaspersoft Studio for ActiveMatrix BPM versions 6.4.0 and below

  The following components are affected:
  
    * report renderer


Description

  The JasperReports components listed above contain a vulnerability which
  may allow a subset of authorized users to perform persistent cross-site
  scripting (XSS) attacks.
 
 
Impact

  The impact of this vulnerability includes the possibility that a malicious
  user can gain access to a more privileged account.

  CVSS v3 Base Score: 5.4 (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N)


Solution

  TIBCO has released updated versions of the affected components which address
  these issues.

  For each affected system, update to the corresponding software versions:

  TIBCO JasperReports Server versions 6.2.X update to
    version 6.2.4 or higher
  TIBCO JasperReports Server versions 6.3.X update to
    version 6.3.3 or higher
  TIBCO JasperReports Server version 6.4.0 update to
    version 6.4.2 or higher

  TIBCO JasperReports Server Community Edition versions 6.4.0 and below
    update to version 6.4.2 or higher

  TIBCO JasperReports Server for ActiveMatrix BPM versions 6.4.0 and below
    update to version 6.4.2 or higher

  TIBCO JasperReports Library versions 6.2.X update to version 6.2.4 or higher
  TIBCO JasperReports Library versions 6.3.X update to version 6.3.3 or higher
  TIBCO JasperReports Library versions 6.4.X update to version 6.4.2 or higher

  TIBCO JasperReports Library for ActiveMatrix BPM versions 6.4.X update to
    version 6.4.2

  TIBCO Jaspersoft for AWS with Multi-Tenancy versions 6.4.0 and below
    update to version 6.4.2 or higher
  
  TIBCO Jaspersoft Reporting and Analytics for AWS versions 6.4.0 and below
    update to version 6.4.2 or higher

  TIBCO Jaspersoft Studio versions 6.2.X update to version 6.2.4
  TIBCO Jaspersoft Studio versions 6.3.X update to version 6.3.3
  TIBCO Jaspersoft Studio version 6.4.0 update to version 6.4.2
   
  TIBCO Jaspersoft Studio for ActiveMatrix BPM 6.4.0 update to version 6.4.2


References

  http://www.tibco.com/services/support/advisories
  CVE: CVE-2017-5532