| Summary: | CVE-2017-2674 business-central: Multiple stored XSS in task and process filters | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Adam Mariš <amaris> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | alazarot, etirelli, jcoleman, kverlaen, lpetrovi, mbaluch, mwinkler, nwallace, pavelp, rrajasek, rzhang, security-response-team, tkirby |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | BPMS 6.4.3, BRMS 6.4.3 | Doc Type: | Bug Fix |
| Doc Text: |
JBoss BRMS 6 and BPM Suite 6 are vulnerable to a stored XSS via several lists in Business Central. The flaw is due to lack of sanitation of user input when creating new lists. Remote, authenticated attackers that have privileges to create lists can store scripts in them, which are not properly sanitized before showing to other users, including admins.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-05-10 00:30:46 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | |||
| Bug Blocks: | 1438631, 1439826, 1447756 | ||
|
Description
Adam Mariš
2017-04-06 15:02:46 UTC
Acknowledgments: Name: Chris Hebert, Vikas Pandey, Harold Schliesske, Ryan Stanley (Noblis) This issue has been addressed in the following products: Red Hat JBoss BPM Suite 6.4.3 Via RHSA-2017:1218 https://access.redhat.com/errata/RHSA-2017:1218 This issue has been addressed in the following products: Red Hat JBoss BRMS 6.4.3 Via RHSA-2017:1217 https://access.redhat.com/errata/RHSA-2017:1217 |