TIBCO PartnerExpress Session Token in URL
Original release date: November 16, 2021
Source: TIBCO SoftwareInc.
TIBCO PartnerExpress versions 6.2.1 and below
The following components are affected:
* Interior Server
* Gateway Server
The components listed above contain an easily exploitable vulnerability that
allows an unauthenticated attacker with network access to obtain session
tokens for the affected system. A successful attack using this vulnerability
requires human interaction from a person other than the attacker.
In the worst case, if the victim is a privileged administrator, successful
execution of this vulnerability can result in an attacker gaining full
administrative access to the affected system.
CVSS v3 Base Score: 7.5 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
TIBCO has released updated versions of the affected systems which address this
TIBCO PartnerExpress versions 6.2.1 and below update to version 6.2.2 or