TIBCO JasperReports Server Reflected Cross Site Scripting (XSS) vulnerability
Original release date: April 9, 2024
Last revised: ---
CVE-2024-3323
Source: TIBCO Software Inc.
Product(s) Affected
- TIBCO JasperReports Server versions 8.0.4 and below
- TIBCO JasperReports Server versions 8.2.0 and below
Component Affected:
UI Request/Response Validation
Description
The component listed above contains a vulnerability that allows the injection of malicious executable scripts into the code of a trusted application. A common attack vector for this vulnerability is sending a malicious link and enticing the user to interact with it. If the application lacks proper data sanitization, the malicious link can execute the chosen code on the affected system, which could steal the user's active session cookie.
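The following is an added Python illustration, not TIBCO's or JasperReports Server's code, of the vulnerability class this advisory describes: a request parameter reflected into HTML without encoding, the same page with proper output encoding, and a session cookie flagged so page script cannot read it. The endpoint behaviour, the parameter name `q`, the cookie name and the probe link are all constructed assumptions.

```python
# Added example (not TIBCO code): reflected XSS from a crafted link, the
# output-encoding fix, and cookie flags that blunt session-cookie theft.
# Parameter name, cookie name and probe value are hypothetical.
import html
from http.cookies import SimpleCookie
from urllib.parse import parse_qs


def render_vulnerable(query_string: str) -> str:
    """Reflects the 'q' parameter into HTML verbatim (the defect class)."""
    term = parse_qs(query_string).get("q", [""])[0]
    return f"<p>No results for: {term}</p>"


def render_fixed(query_string: str) -> str:
    """Same page with the reflected value HTML-encoded for an element body."""
    term = parse_qs(query_string).get("q", [""])[0]
    return f"<p>No results for: {html.escape(term, quote=True)}</p>"


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value with HttpOnly so a reflected script cannot read it."""
    cookie = SimpleCookie()
    cookie["JSESSIONID"] = session_id          # hypothetical cookie name
    cookie["JSESSIONID"]["httponly"] = True    # not exposed to document.cookie
    cookie["JSESSIONID"]["secure"] = True      # only sent over HTTPS
    cookie["JSESSIONID"]["samesite"] = "Lax"
    return cookie.output(header="").strip()


def marker_survives(rendered: str, marker: str) -> bool:
    """Test helper: did a benign probe tag survive into the page as live markup?"""
    return marker in rendered


# Constructed query string from a hypothetical crafted link; the probe is a
# harmless <b> tag with an id, used only to detect missing encoding.
CONSTRUCTED_LINK_QUERY = "q=%3Cb%20id%3Dxss-marker%3Eprobe%3C%2Fb%3E"

if __name__ == "__main__":
    print(render_vulnerable(CONSTRUCTED_LINK_QUERY))
    print(render_fixed(CONSTRUCTED_LINK_QUERY))
    print(session_cookie_header("abc123"))
```

The same probe-and-compare check can be run against a staging instance after applying the vendor hotfix to confirm the reflected value is now encoded.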
Impact
If the affected user is a privileged administrator, successful exploitation of this vulnerability can result in an attacker gaining full administrative access to the affected system.
CVSS v3 Base Score: 8.3 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L
Solution
- TIBCO JasperReports Server versions below 8.0.4 should be upgraded to 8.0.4 with the latest hotfix
- TIBCO JasperReports Server versions below 8.2.0 should be upgraded to 8.2.0 with the latest hotfix
References
https://community.tibco.com/advisories
CVE-2024-3323