TIBCO Statistica Stored Cross Site Scripting (XSS) Vulnerability

  Original release date: August 16, 2022
  Last revised: ---
  Source: TIBCO Software Inc.


Products Affected

  TIBCO Data Science - Workbench versions 14.0.0 and below

  TIBCO Statistica versions 14.0.0 and below

  TIBCO Statistica - Estore Edition versions 14.0.0 and below

  TIBCO Statistica Trial versions 14.0.0 and below

  The following component is affected:

    * Web Console


Description

  The component listed above contains an easily exploitable vulnerability that
  allows a low privileged attacker with network access to execute Stored Cross
  Site Scripting (XSS) on the affected system. A successful attack using this
  vulnerability requires human interaction from a person other than the
  attacker.


Impact

  Successful execution of these vulnerabilities will result in an attacker being
  able to execute commands with the privileges of the affected user.

  CVSS v3.1 Base Score: 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)


Solution

  TIBCO has released updated versions of the affected systems which address this
  issue:

  TIBCO Data Science - Workbench versions 14.0.0 and below: update to version
    14.0.1 or later

  TIBCO Statistica versions 14.0.0 and below: update to version 14.0.1 or
    later

  TIBCO Statistica - Estore Edition versions 14.0.0 and below: update to
    version 14.0.1 or later

  TIBCO Statistica Trial versions 14.0.0 and below: update to version 14.0.1
    or later


References

  https://www.tibco.com/services/support/advisories
  CVE-2022-30576