TIBCO takes its security responsibilities very seriously. This page provides information about TIBCO security and how customers or security researchers can contact TIBCO to report or ask about a security issue.
TIBCO Security Advisory: January 26, 2021 - TIBCO BPM Enterprise
TIBCO BPM Cross Site Scripting (XSS)
Original release date: January 26, 2021
Source: TIBCO Software Inc.
- TIBCO BPM Enterprise versions 4.3.0 and below
- TIBCO BPM Enterprise Distribution for TIBCO Silver Fabric versions 4.3.0 and below
The following component is affected:
- Application Development Clients
The component listed above contains a vulnerability that theoretically allows a low privileged attacker with network access to execute a Cross Site Scripting (XSS) attack on the affected system.
Successful execution of this vulnerability can result in unauthorized read access, as well as unauthorized update, insert or delete access to a subset of AMX-BPM data on the affected system.
CVSS v3 Base Score: 4.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)
TIBCO has released updated versions of the affected systems which address this issue:
- TIBCO BPM Enterprise versions 4.3.0 and below update to version 4.3.1 or higher
- TIBCO BPM Enterprise Distribution for TIBCO Silver Fabric versions 4.3.0 and below update to version 4.3.1 or higher