TIBCO PartnerExpress Click-Jacking vulnerability

  Original release date: November 16, 2021
  Last revised: ---
  Source: TIBCO Software Inc.


Products Affected

  TIBCO PartnerExpress versions 6.2.1 and below

  The following components are affected:

    * Interior Server
    * Gateway Server


Description

  The components listed above contain a vulnerability that theoretically allows
  an unauthenticated attacker with network access to execute a clickjacking
  attack on the affected system. A successful attack using this vulnerability
  does not require human interaction from a person other than the attacker.


Impact

  The impact of this vulnerability includes the theoretical possibility that an
  attacker gains full administrative access to the affected system.

  CVSS v3 Base Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


Solution

  TIBCO has released updated versions of the affected systems which address this
  issue:

  TIBCO PartnerExpress versions 6.2.1 and below update to version 6.2.2 or
    later


References

  https://www.tibco.com/services/support/advisories
  CVE-2021-43048