CVE-2019-17331 (GCVE-0-2019-17331)

Vulnerability from cvelistv5 – Published: 2019-11-12 19:15 – Updated: 2024-09-17 00:11
VLAI?
Title
TIBCO EBX Add-on For Data Exchange Cross-Site Scripting Vulnerabilities
Summary
The Data Exchange Web Interface component of TIBCO Software Inc.'s TIBCO EBX Add-ons contains a vulnerability that theoretically allows authenticated users to perform stored cross-site scripting (XSS) attacks. Affected releases are TIBCO Software Inc.'s TIBCO EBX Add-ons: versions up to and including 3.20.13, version 4.1.0.
Severity ?
7.3 (High)
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
CWE
  • The impact of this vulnerability includes the theoretical possibility that an attacker could gain full administrative access to the web interface of the affected component.
Assigner
References
Impacted products
Vendor Product Version
TIBCO Software Inc. TIBCO EBX Add-ons Affected: unspecified , ≤ 3.20.13 (custom)
Affected: 4.1.0
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T01:40:14.487Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://www.tibco.com/services/support/advisories"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.tibco.com/support/advisories/2019/11/tibco-security-advisory-november-12-2019-tibco-ebx-add-on-2019-17331"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "TIBCO EBX Add-ons",
          "vendor": "TIBCO Software Inc.",
          "versions": [
            {
              "lessThanOrEqual": "3.20.13",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "status": "affected",
              "version": "4.1.0"
            }
          ]
        }
      ],
      "datePublic": "2019-11-12T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The Data Exchange Web Interface component of TIBCO Software Inc.\u0027s TIBCO EBX Add-ons contains a vulnerability that theoretically allows authenticated users to perform stored cross-site scripting (XSS) attacks. Affected releases are TIBCO Software Inc.\u0027s TIBCO EBX Add-ons: versions up to and including 3.20.13, version 4.1.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "The impact of this vulnerability includes the theoretical possibility that an attacker could gain full administrative access to the web interface of the affected component.",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-11-12T19:15:56",
        "orgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
        "shortName": "tibco"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://www.tibco.com/services/support/advisories"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.tibco.com/support/advisories/2019/11/tibco-security-advisory-november-12-2019-tibco-ebx-add-on-2019-17331"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "TIBCO has released updated versions of the affected components which address these issues.\n\nTIBCO EBX Add-ons versions 3.20.13 and below update to version 3.20.14 or higher\nTIBCO EBX Add-ons version 4.1.0 update to version 4.2.0 or higher"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "TIBCO EBX Add-on For Data Exchange Cross-Site Scripting Vulnerabilities",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@tibco.com",
          "DATE_PUBLIC": "2019-11-12T17:00:00.000Z",
          "ID": "CVE-2019-17331",
          "STATE": "PUBLIC",
          "TITLE": "TIBCO EBX Add-on For Data Exchange Cross-Site Scripting Vulnerabilities"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "TIBCO EBX Add-ons",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "3.20.13"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "4.1.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "TIBCO Software Inc."
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Data Exchange Web Interface component of TIBCO Software Inc.\u0027s TIBCO EBX Add-ons contains a vulnerability that theoretically allows authenticated users to perform stored cross-site scripting (XSS) attacks. Affected releases are TIBCO Software Inc.\u0027s TIBCO EBX Add-ons: versions up to and including 3.20.13, version 4.1.0."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "The impact of this vulnerability includes the theoretical possibility that an attacker could gain full administrative access to the web interface of the affected component."
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://www.tibco.com/services/support/advisories",
              "refsource": "MISC",
              "url": "http://www.tibco.com/services/support/advisories"
            },
            {
              "name": "https://www.tibco.com/support/advisories/2019/11/tibco-security-advisory-november-12-2019-tibco-ebx-add-on-2019-17331",
              "refsource": "MISC",
              "url": "https://www.tibco.com/support/advisories/2019/11/tibco-security-advisory-november-12-2019-tibco-ebx-add-on-2019-17331"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "TIBCO has released updated versions of the affected components which address these issues.\n\nTIBCO EBX Add-ons versions 3.20.13 and below update to version 3.20.14 or higher\nTIBCO EBX Add-ons version 4.1.0 update to version 4.2.0 or higher"
          }
        ],
        "source": {
          "discovery": "INTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
    "assignerShortName": "tibco",
    "cveId": "CVE-2019-17331",
    "datePublished": "2019-11-12T19:15:56.812820Z",
    "dateReserved": "2019-10-07T00:00:00",
    "dateUpdated": "2024-09-17T00:11:11.551Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:tibco:ebx_add-ons:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"3.20.13\", \"matchCriteriaId\": \"29151D10-336D-4620-BC76-734452A7DD76\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:tibco:ebx_add-ons:4.1.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"FB945CC7-B8DB-4954-99CF-5AA3F795556C\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"The Data Exchange Web Interface component of TIBCO Software Inc.\u0027s TIBCO EBX Add-ons contains a vulnerability that theoretically allows authenticated users to perform stored cross-site scripting (XSS) attacks. Affected releases are TIBCO Software Inc.\u0027s TIBCO EBX Add-ons: versions up to and including 3.20.13, version 4.1.0.\"}, {\"lang\": \"es\", \"value\": \"El componente Data Exchange Web Interface de los Add-ons TIBCO EBX de TIBCO Software Inc. contiene una vulnerabilidad que te\\u00f3ricamente permite a usuarios autenticados realizar ataques de tipo cross-site scripting (XSS) almacenados. Las versiones afectadas son los Add-ons TIBCO EBX de TIBCO Software Inc.: versiones hasta 3.20.13 incluy\\u00e9ndola, versi\\u00f3n 4.1.0.\"}]",
      "id": "CVE-2019-17331",
      "lastModified": "2024-11-21T04:32:06.153",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\", \"baseScore\": 5.4, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.3, \"impactScore\": 2.7}], \"cvssMetricV30\": [{\"source\": \"security@tibco.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N\", \"baseScore\": 7.3, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.1, \"impactScore\": 5.2}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:S/C:N/I:P/A:N\", \"baseScore\": 3.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"LOW\", \"exploitabilityScore\": 6.8, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
      "published": "2019-11-12T20:15:12.167",
      "references": "[{\"url\": \"http://www.tibco.com/services/support/advisories\", \"source\": \"security@tibco.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://www.tibco.com/support/advisories/2019/11/tibco-security-advisory-november-12-2019-tibco-ebx-add-on-2019-17331\", \"source\": \"security@tibco.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://www.tibco.com/services/support/advisories\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://www.tibco.com/support/advisories/2019/11/tibco-security-advisory-november-12-2019-tibco-ebx-add-on-2019-17331\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "security@tibco.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2019-17331\",\"sourceIdentifier\":\"security@tibco.com\",\"published\":\"2019-11-12T20:15:12.167\",\"lastModified\":\"2024-11-21T04:32:06.153\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The Data Exchange Web Interface component of TIBCO Software Inc.\u0027s TIBCO EBX Add-ons contains a vulnerability that theoretically allows authenticated users to perform stored cross-site scripting (XSS) attacks. Affected releases are TIBCO Software Inc.\u0027s TIBCO EBX Add-ons: versions up to and including 3.20.13, version 4.1.0.\"},{\"lang\":\"es\",\"value\":\"El componente Data Exchange Web Interface de los Add-ons TIBCO EBX de TIBCO Software Inc. contiene una vulnerabilidad que te\u00f3ricamente permite a usuarios autenticados realizar ataques de tipo cross-site scripting (XSS) almacenados. Las versiones afectadas son los Add-ons TIBCO EBX de TIBCO Software Inc.: versiones hasta 3.20.13 incluy\u00e9ndola, versi\u00f3n 4.1.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":2.7}],\"cvssMetricV30\":[{\"source\":\"security@tibco.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N\",\"baseScore\":7.3,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.1,\"impactScore\":5.2}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:S/C:N/I:P/A:N\",\"baseScore\":3.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"LOW\",\"exploitabilityScore\":6.8,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:tibco:ebx_add-ons:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"3.20.13\",\"matchCriteriaId\":\"29151D10-336D-4620-BC76-734452A7DD76\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:tibco:ebx_add-ons:4.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FB945CC7-B8DB-4954-99CF-5AA3F795556C\"}]}]}],\"references\":[{\"url\":\"http://www.tibco.com/services/support/advisories\",\"source\":\"security@tibco.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.tibco.com/support/advisories/2019/11/tibco-security-advisory-november-12-2019-tibco-ebx-add-on-2019-17331\",\"source\":\"security@tibco.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.tibco.com/services/support/advisories\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.tibco.com/support/advisories/2019/11/tibco-security-advisory-november-12-2019-tibco-ebx-add-on-2019-17331\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.