TIBCO Spotfire Server Library Vulnerable to Reflected Cross-Site Scripting

  Original release date: December 17, 2019
  Last revised: ---
  Source: TIBCO Software Inc.


Systems Affected

  TIBCO Spotfire Analytics Platform for AWS Marketplace version 10.6.0

  TIBCO Spotfire Server versions 7.11.7 and below
  TIBCO Spotfire Server versions 7.12.0, 7.13.0, 7.14.0, 10.0.0, 10.0.1,
    10.1.0, 10.2.0, 10.2.1, 10.3.0, 10.3.1, 10.3.2, 10.3.3, and 10.3.4
  TIBCO Spotfire Server versions 10.4.0, 10.5.0, and 10.6.0

  The following component is affected:

    * Spotfire library


Description

  The component listed above contains a vulnerability that theoretically allows
  an attacker to perform a reflected cross-site scripting (XSS) attack.


Impact

  The impact of the vulnerability includes the theoretical possibility that an
  attacker could gain full administrative access to the web interface of the
  affected component.

  CVSS v3 Base Score: 8.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)


Solution

  TIBCO has released updated versions of the affected systems which address this
  issue:

  TIBCO Spotfire Analytics Platform for AWS Marketplace version 10.6.0 update
    to version 10.6.1 or higher

  TIBCO Spotfire Server versions 7.11.7 and below update to version 7.11.8 or
    higher
  TIBCO Spotfire Server versions 7.12.0, 7.13.0, 7.14.0, 10.0.0, 10.0.1,
    10.1.0, 10.2.0, 10.2.1, 10.3.0, 10.3.1, 10.3.2, 10.3.3, and 10.3.4 update to
    version 10.3.5 or higher
  TIBCO Spotfire Server versions 10.4.0, 10.5.0, and 10.6.0 update to version
    10.6.1 or higher


References

  http://www.tibco.com/services/support/advisories
  CVE-2019-17337