TIBCO takes its security responsibilities very seriously. This page provides information about TIBCO security and how customers or security researchers can contact TIBCO to report or ask about a security issue.
TIBCO Security Advisory: September 14, 2021 - TIBCO WebFOCUS - 2021-35493
- TIBCO WebFOCUS Client versions 8207.27.0 and below
- TIBCO WebFOCUS Installer versions 8207.27.0 and below
- TIBCO WebFOCUS Reporting Server versions 8207.27.0 and below
The following components are affected:
- WebFOCUS Reporting Server
- WebFOCUS Client
The components listed above contain easily exploitable Stored and Reflected Cross Site Scripting (XSS) vulnerabilities that allow a low privileged attacker to social engineer a legitimate user with network access to execute scripts targeting the affected system or the victim's local system. A successful attack using this vulnerability requires human interaction from a person other than the attacker.
In the worst case, if the victim is a privileged administrator, successful execution of these vulnerabilities can result in an attacker gaining full administrative access to the affected system or the victim's local system.
CVSS v3 Base Score: 9.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)
TIBCO has released updated versions of the affected systems which address this issue:
- TIBCO WebFOCUS Client versions 8207.27.0 and below update to version 8207.28.0 or later
- TIBCO WebFOCUS Installer versions 8207.27.0 and below update to version 8207.28.0 or later
- TIBCO WebFOCUS Reporting Server versions 8207.27.0 and below update to version 8207.28.0 or later