TIBCO EBX Add-on For Data Exchange Cross-Site Scripting Vulnerabilities

  Original release date: November 12, 2019
  Last revised: ---
  Source: TIBCO Software Inc.


Systems Affected

  TIBCO EBX Add-ons versions 3.20.13 and below

  TIBCO EBX Add-ons version 4.1.0

  The following component is affected:

    * Data Exchange Web Interface


Description

  The component listed above contains a vulnerability that theoretically allows
  authenticated users to perform stored cross-site scripting (XSS) attacks.


Impact

  The impact of this vulnerability includes the theoretical possibility that an
  attacker could gain full administrative access to the web interface of the
  affected component.

  CVSS v3 Base Score: 7.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N)


Solution

  TIBCO has released updated versions of the affected systems which address this
  issue:

  TIBCO EBX Add-ons versions 3.20.13 and below update to version 3.20.14 or
    higher

  TIBCO EBX Add-ons version 4.1.0 update to version 4.2.0 or higher


References

  http://www.tibco.com/services/support/advisories
  CVE-2019-17331