TIBCO Managed File Transfer reflected XSS vulerability

  Original release date: June 30, 2020
  Last revised: ---
  Source: TIBCO Software Inc.


Systems Affected

  TIBCO Managed File Transfer Command Center versions 8.2.1 and below

  TIBCO Managed File Transfer Internet Server versions 8.2.1 and below

  The following component is affected:

    * MFT admin service


Description

  The component listed above contains a vulnerability that theoretically allows
  an authenticated user with specific permissions to obtain the session
  identifier of another user. The session identifier when replayed could provide
  administrative rights or file transfer permissions to the affected system.


Impact

  The impact of this vulnerability includes the possibility that an attacker
  could gain administrative control of the affected system.

  CVSS v3 Base Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


Solution

  TIBCO has released updated versions of the affected systems which address this
  issue:

  TIBCO Managed File Transfer Command Center versions 8.2.1 and below update
    to version 8.3.0 or higher

  TIBCO Managed File Transfer Internet Server versions 8.2.1 and below update
    to version 8.3.0 or higher


References

  http://www.tibco.com/services/support/advisories
  CVE-2020-9414