Bug 1048380 (CVE-2013-6465)

Summary: CVE-2013-6465 JBPM KIE Workbench: Multiple stored XSS issues
Product: [Other] Security Response Reporter: Pavel Polischouk <pavelp>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: djorm, security-response-team, tkirby
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-02-07 00:39:00 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1049109    
Bug Blocks: 1046169    

Description Pavel Polischouk 2014-01-03 21:05:55 UTC 
Gregory Draperi reports:

A cross-site scripting flaw has been reported in jBPM. The flaw allows remote authenticated attackers to store arbitrary script code in certain jBPM workbench fields, the script could be executed later in the context of other users while browsing through several workbench pages.
Comment 1 David Jorm 2014-01-06 03:42:15 UTC 
Acknowledgements:

Red Hat would like to thank Grégory DRAPERI for reporting this issue.
Comment 2 David Jorm 2014-02-06 00:32:12 UTC 
Upstream patch commit:

https://github.com/droolsjbpm/jbpm-console-ng/commit/4818204506e8e94645b52adb9426bedfa9ffdd04
Comment 3 Pavel Polischouk 2014-02-07 00:31:27 UTC 
Statement:

This issue does not affect jBPM KIE Workbench as shipped with Red Hat JBoss BPM Suite 6.0.0. It may affect earlier versions of the upstream jBPM Console NG project.