Bug 1371801 - (CVE-2016-6343) CVE-2016-6343 Dashbuilder: Reflected XSS
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: ---
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20170316,repor...
Keywords: Reopened, Security
Depends On: 1469738 1469739
Blocks: 1372094 1372135 1429673 1521173
Reported: 2016-08-31 03:10 EDT by Jeremy Choi
Modified: 2018-08-07 11:16 EDT (History)
CC List: 15 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
JBoss BPM Suite 6 is vulnerable to a reflected XSS via dashbuilder. Remote attackers can entice authenticated users that have privileges to access dashbuilder (usually admins) to click on links to /dashbuilder/Controller containing malicious scripts. Successful exploitation would allow execution of script code within the context of the affected user.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-08-07 11:16:48 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:0557 normal SHIPPED_LIVE Moderate: Red Hat JBoss BPM Suite security update 2017-03-16 21:09:43 EDT
Red Hat Product Errata RHSA-2018:0296 normal SHIPPED_LIVE Moderate: Red Hat JBoss Data Virtualization 6.4 security update 2018-02-13 15:48:28 EST
Description Jeremy Choi 2016-08-31 03:10:59 EDT
JBoss BPM Suite 6 is vulnerable to a reflected XSS via dashbuilder. Remote attackers can entice authenticated users that have privileges to access dashbuilder (usually admins) to click on links to /dashbuilder/Controller containing malicious scripts. Successful exploitation would allow execution of script code within the context of the affected user.
Comment 1 Jeremy Choi 2016-08-31 03:11:09 EDT
Acknowledgments:

Name: Jeremy Choi (Red Hat Product Security Team)
Comment 3 David Gutierrez 2016-12-30 12:39:09 EST
Hi @Jeremy,

I'm not sure I understand what the issue is here. Can you please elaborate a bit more, and also give a detailed reproducer?

Thanks in advance.
Comment 5 errata-xmlrpc 2017-03-16 17:09:58 EDT
This issue has been addressed in the following products:

  Red Hat JBoss BPM Suite 6.4.2

Via RHSA-2017:0557 https://rhn.redhat.com/errata/RHSA-2017-0557.html
Comment 8 errata-xmlrpc 2018-02-13 10:48:40 EST
This issue has been addressed in the following products:

  Red Hat JBoss Data Virtualization

Via RHSA-2018:0296 https://access.redhat.com/errata/RHSA-2018:0296