JBoss BPM Suite 6 is vulnerable to a reflected XSS via dashbuilder. Remote attackers can entice authenticated users that have privileges to access dashbuilder (usually admins) to click on links to /dashbuilder/Controller containing malicious scripts. Successful exploitation would allow execution of script code within the context of the affected user.
Acknowledgments: Name: Jeremy Choi (Red Hat Product Security Team)
Hi @Jeremy, I'm not sure if I get what's the issue here. Can you please elaborate a bit more, and also give a detailed reproducer. Thanks in advance.
This issue has been addressed in the following products: Red Hat JBoss BPM Suite 6.4.2 Via RHSA-2017:0557 https://rhn.redhat.com/errata/RHSA-2017-0557.html
This issue has been addressed in the following products: Red Hat JBoss Data Virtualization Via RHSA-2018:0296 https://access.redhat.com/errata/RHSA-2018:0296