Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
Bug 1358523 - (CVE-2016-5398) CVE-2016-5398 stored XSS in JBoss BPM suite business process editor
CVE-2016-5398 stored XSS in JBoss BPM suite business process editor
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20160928,repor...
: Security
Depends On:
Blocks: 1355940
  Show dependency treegraph
 
Reported: 2016-07-20 17:56 EDT by Pavel Polischouk
Modified: 2016-10-18 15:53 EDT (History)
14 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A security flaw was found in the way Business Process Editor displays the business process details to the user. A remote authenticated attacker with privilege to create business processes could use this flaw to conduct stored XSS attacks against other users.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-10-18 15:53:07 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:1968 normal SHIPPED_LIVE Moderate: Red Hat JBoss BRMS security update 2016-09-28 22:29:13 EDT
Red Hat Product Errata RHSA-2016:1969 normal SHIPPED_LIVE Moderate: Red Hat JBoss BPM Suite security update 2016-09-28 22:26:00 EDT

  None (edit)
Description Pavel Polischouk 2016-07-20 17:56:34 EDT
JBoss BPM Suite 6.3.0 is vulnerable to a stored XSS via business process
editor. Remote authenticated attackers that have privileges to create business processes can store scripts in them, which are not properly sanitized before showing to other users, including admins.
Comment 1 Pavel Polischouk 2016-07-20 17:56:40 EDT
Acknowledgments:

Name: Jeremy Choi (Red Hat Product Security Team)
Comment 5 errata-xmlrpc 2016-09-28 18:32:42 EDT
This issue has been addressed in the following products:

  Red Hat JBoss BPM Suite 6.3.3

Via RHSA-2016:1969 https://rhn.redhat.com/errata/RHSA-2016-1969.html
Comment 6 errata-xmlrpc 2016-09-28 18:32:50 EDT
This issue has been addressed in the following products:

  Red Hat JBoss BRMS 6.3.3

Via RHSA-2016:1968 https://rhn.redhat.com/errata/RHSA-2016-1968.html

Note You need to log in before you can comment on or make changes to this bug.