TIBCO WebFOCUS Cross Site Scripting vulnerabilities

Original release date: September 14, 2021
Last revised: ---
Source: TIBCO Software Inc.

Products Affected

TIBCO WebFOCUS Client versions 8207.27.0 and below
TIBCO WebFOCUS Installer versions 8207.27.0 and below
TIBCO WebFOCUS Reporting Server versions 8207.27.0 and below

The following components are affected:

* WebFOCUS Reporting Server
* WebFOCUS Client

Description

The components listed above contain easily exploitable Stored and Reflected Cross Site Scripting (XSS) vulnerabilities that allow a low privileged attacker to social engineer a legitimate user with network access to execute scripts targeting the affected system or the victim's local system. A successful attack using this vulnerability requires human interaction from a person other than the attacker.

Impact

In the worst case, if the victim is a privileged administrator, successful execution of these vulnerabilities can result in an attacker gaining full administrative access to the affected system or the victim's local system.

CVSS v3 Base Score: 9.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)

Solution

TIBCO has released updated versions of the affected systems which address this issue:

TIBCO WebFOCUS Client versions 8207.27.0 and below update to version 8207.28.0 or later
TIBCO WebFOCUS Installer versions 8207.27.0 and below update to version 8207.28.0 or later
TIBCO WebFOCUS Reporting Server versions 8207.27.0 and below update to version 8207.28.0 or later

References

https://www.tibco.com/services/support/advisories
CVE-2021-35493