TIBCO takes its security responsibilities very seriously. This page provides information about TIBCO security and how customers or security researchers can contact TIBCO to report or ask about a security issue.
TIBCO Security Advisory: May 1, 2018 - TIBCO DataSynapse GridServer - CVE-2017-5536
TIBCO DataSynapse GridServer manager component vulnerable to cross-site scripting attacks
Original release date: May 1, 2018
Last revised: --
Source: TIBCO Software Inc.
The following systems are affected:
- TIBCO DataSynapse GridServer Manager versions 5.1.3 and below
- TIBCO DataSynapse GridServer Manager versions 6.0.0, 6.0.1 and 6.0.2
- TIBCO DataSynapse GridServer Manager versions 6.1.0 and 6.1.1
- TIBCO DataSynapse GridServer Manager version 6.2.0
The following components are affected:
- GridServer Broker
- GridServer Director
The components listed above contain vulnerabilities that may allow an authenticated user to perform cross-site scripting (XSS) attacks against other users of the manager. In addition, an authenticated user could be the victim of a cross-site request forgery (CSRF) attack.
The impact of this vulnerability includes the possibility that a malicious actor could gain access to a more privileged account on the affected components or the information managed by those components.
CVSS v3 Base Score: 6.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N)
TIBCO has released updated versions of the affected components which address these issues.
For each affected system, update to the corresponding software versions:
- TIBCO DataSynapse GridServer Manager versions 5.1.3 and below update to version 5.2.0 or higher
- TIBCO DataSynapse GridServer Manager versions 6.0.0, 6.0.1 and 6.0.2 update to version 6.3.0 or higher
- TIBCO DataSynapse GridServer Manager versions 6.1.0 and 6.1.1 update to version 6.3.0 or higher
- TIBCO DataSynapse GridServer Manager version 6.2.0 update to version 6.3.0 or higher
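The version table above has gaps (for example, 5.1.4 or 6.0.3 appear in neither the affected list nor the fixed list), so a fleet triage script should report those honestly rather than guess. The following is an added example, not TIBCO code: it encodes the advisory's affected ranges and fix targets, parses version strings (assumed to be dotted numerics with an optional build suffix), and classifies a constructed inventory of hosts.

```python
"""Triage TIBCO DataSynapse GridServer Manager versions against the advisory.

Added example, not TIBCO code. The affected ranges and fix targets below are
taken from the advisory text; the version-string format and the inventory
format are assumptions for illustration.
"""
from __future__ import annotations

import re
from typing import NamedTuple, Optional

# Assumption: a version is "major.minor[.patch]" optionally followed by a
# build suffix such as "_hotfix2"; only the numeric components matter here.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> tuple[int, int, int]:
    """Return (major, minor, patch) for comparison; a missing patch is 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


# Inclusive affected ranges from the advisory and the version each must move to.
AFFECTED_RANGES = [
    ((0, 0, 0), (5, 1, 3), (5, 2, 0)),  # 5.1.3 and below      -> 5.2.0 or higher
    ((6, 0, 0), (6, 0, 2), (6, 3, 0)),  # 6.0.0, 6.0.1, 6.0.2  -> 6.3.0 or higher
    ((6, 1, 0), (6, 1, 1), (6, 3, 0)),  # 6.1.0, 6.1.1         -> 6.3.0 or higher
    ((6, 2, 0), (6, 2, 0), (6, 3, 0)),  # 6.2.0                -> 6.3.0 or higher
]


class Verdict(NamedTuple):
    status: str               # "affected", "fixed" or "not listed"
    upgrade_to: Optional[str]  # target version when status == "affected"


def _fmt(v: tuple[int, int, int]) -> str:
    return ".".join(str(part) for part in v)


def classify(version: str) -> Verdict:
    """Classify one version string against the advisory table."""
    v = parse_version(version)
    for low, high, fix in AFFECTED_RANGES:
        if low <= v <= high:
            return Verdict("affected", _fmt(fix))
    # "5.2.0 or higher" on the 5.x line, "6.3.0 or higher" above that.
    if (5, 2, 0) <= v < (6, 0, 0) or v >= (6, 3, 0):
        return Verdict("fixed", None)
    # e.g. 5.1.4 or 6.0.3: the advisory lists them as neither affected nor fixed,
    # so do not silently treat them as safe.
    return Verdict("not listed", None)


def triage_inventory(lines: list[str]) -> list[tuple[str, str, Optional[str]]]:
    """Classify 'host,version' lines; blank lines and '#' comments are skipped."""
    results = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, version = (part.strip() for part in line.split(",", 1))
        verdict = classify(version)
        results.append((host, verdict.status, verdict.upgrade_to))
    return results


# Constructed sample inventory (not real hosts); assumed "host,version" format.
SAMPLE_INVENTORY = [
    "# host,gridserver_manager_version",
    "grid-director-01,6.0.1",
    "grid-broker-02,6.2.0_hotfix2",
    "grid-broker-03,5.1.4",
    "grid-director-04,6.3.0",
    "grid-broker-05,5.0.9",
]


if __name__ == "__main__":
    for host, status, target in triage_inventory(SAMPLE_INVENTORY):
        action = f"update to {target} or higher" if target else "-"
        print(f"{host:<18} {status:<11} {action}")
```

Hosts reported as "not listed" deserve a check against TIBCO's current guidance rather than an assumption either way; the script deliberately refuses to map them to "fixed".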