Back to bug 1386806
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| Pavel Polischouk | 2016-10-19 16:21:29 UTC | CC | security-response-team | |
| Pavel Polischouk | 2016-10-19 16:21:44 UTC | Blocks | 1386746 | |
| Pavel Polischouk | 2016-10-19 16:26:18 UTC | CC | kgaevski | |
| Pavel Polischouk | 2016-11-03 18:06:47 UTC | Doc Text | JBoss BRMS 6 and BPM Suite 6 are vulnerable to a stored XSS via business process editor. The flaw is due to an incomplete fix for CVE-2016-5398. Remote authenticated attackers that have privileges to create business processes can store scripts in them, which are not properly sanitized before showing to other users, including admins. | |
| | | Doc Type | If docs needed, set a value | Bug Fix |
| Pavel Polischouk | 2016-11-03 18:14:28 UTC | Doc Text | JBoss BRMS 6 and BPM Suite 6 are vulnerable to a stored XSS via business process editor. The flaw is due to an incomplete fix for CVE-2016-5398. Remote authenticated attackers that have privileges to create business processes can store scripts in them, which are not properly sanitized before showing to other users, including admins. | JBoss BRMS 6 and BPM Suite 6 are vulnerable to a stored XSS via business process editor. The flaw is due to an incomplete fix for CVE-2016-5398. Remote authenticated attackers that have privileges to create business processes can store scripts in them, which are not properly sanitized before showing to other users, including admins. |
| Pavel Polischouk | 2016-11-03 18:56:26 UTC | Blocks | 1391689 | |
| Eric Christensen | 2016-11-07 20:21:15 UTC | Doc Text | JBoss BRMS 6 and BPM Suite 6 are vulnerable to a stored XSS via business process editor. The flaw is due to an incomplete fix for CVE-2016-5398. Remote authenticated attackers that have privileges to create business processes can store scripts in them, which are not properly sanitized before showing to other users, including admins. | JBoss BRMS 6 and BPM Suite 6 are vulnerable to a stored XSS via business process editor. The flaw is due to an incomplete fix for CVE-2016-5398. Remote, authenticated attackers that have privileges to create business processes can store scripts in them, which are not properly sanitized before showing to other users, including admins. |
| Pavel Polischouk | 2016-11-28 17:28:53 UTC | Whiteboard | impact=moderate,public=no,reported=20161019,source=redhat,cvss2=5.5/AV:N/AC:L/Au:S/C:P/I:P/A:N,cvss3=5.4/CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N,cwe=CWE-79,bpms-6/process-editor=affected,brms-6/process-editor=affected | impact=moderate,public=20161128,reported=20161019,source=redhat,cvss2=5.5/AV:N/AC:L/Au:S/C:P/I:P/A:N,cvss3=5.4/CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N,cwe=CWE-79,bpms-6/process-editor=affected,brms-6/process-editor=affected |
| Pavel Polischouk | 2016-11-28 17:28:57 UTC | Summary | EMBARGOED CVE-2016-8608 Stored XSS in business process editor | CVE-2016-8608 Stored XSS in business process editor |
| Pavel Polischouk | 2016-11-28 17:29:01 UTC | Group | security, qe_staff | |
| Pavel Polischouk | 2017-01-12 19:24:58 UTC | Status | NEW | CLOSED |
| | | Resolution | --- | ERRATA |
| | | Last Closed | 2017-01-12 14:24:58 UTC | |
| Product Security DevOps Team | 2019-09-29 13:58:49 UTC | Whiteboard | impact=moderate,public=20161128,reported=20161019,source=redhat,cvss2=5.5/AV:N/AC:L/Au:S/C:P/I:P/A:N,cvss3=5.4/CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N,cwe=CWE-79,bpms-6/process-editor=affected,brms-6/process-editor=affected | |