
    3 vulnerabilities found for JasperReports Server by TIBCO

    VAR-202005-0877

    Vulnerability from variot - Updated: 2024-11-23 22:51

    The administrative UI component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server for AWS Marketplace, and TIBCO JasperReports Server for ActiveMatrix BPM contains a vulnerability that theoretically allows an unauthenticated attacker to obtain the permissions of a JasperReports Server "superuser" for the affected systems. The attacker can theoretically exploit the vulnerability consistently, remotely, and without authenticating. Affected releases are TIBCO Software Inc.'s TIBCO JasperReports Server: versions 7.1.1 and below, TIBCO JasperReports Server for AWS Marketplace: versions 7.1.1 and below, and TIBCO JasperReports Server for ActiveMatrix BPM: versions 7.1.1 and below. The affected systems may also be put into a denial-of-service (DoS) state. TIBCO Software JasperReports Server is an embeddable report server from TIBCO Software in the United States. It provides reporting and analysis functions that can be embedded in Web or mobile devices. An attacker could use this vulnerability to obtain the superuser privileges of JasperReports Server and execute arbitrary code.


    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-202005-0877",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "retail order broker",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "15.0"
          },
          {
            "model": "retail order broker",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "16.0"
          },
          {
            "model": "jasperreports server",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "tibco",
            "version": "7.1.1"
          },
          {
            "model": "jasperreports server",
            "scope": null,
            "trust": 0.8,
            "vendor": "tibco",
            "version": null
          },
          {
            "model": "jasperreports server",
            "scope": "eq",
            "trust": 0.8,
            "vendor": "tibco",
            "version": "for aws marketplace"
          },
          {
            "model": "jasperreports server for activematrix bpm",
            "scope": null,
            "trust": 0.8,
            "vendor": "tibco",
            "version": null
          },
          {
            "model": "software tibco jasperreports server",
            "scope": "lte",
            "trust": 0.6,
            "vendor": "tibco",
            "version": "\u003c=7.1.1"
          },
          {
            "model": "software tibco jasperreports server for aws marketplace",
            "scope": "lte",
            "trust": 0.6,
            "vendor": "tibco",
            "version": "\u003c=7.1.1"
          },
          {
            "model": "software tibco jasperreports server for activematrix bpm",
            "scope": "lte",
            "trust": 0.6,
            "vendor": "tibco",
            "version": "\u003c=7.1.1"
          }
        ],
        "sources": [
          {
            "db": "CNVD",
            "id": "CNVD-2020-34447"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2020-005643"
          },
          {
            "db": "NVD",
            "id": "CVE-2020-9409"
          }
        ]
      },
      "configurations": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/configurations#",
          "children": {
            "@container": "@list"
          },
          "cpe_match": {
            "@container": "@list"
          },
          "data": {
            "@container": "@list"
          },
          "nodes": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "CVE_data_version": "4.0",
            "nodes": [
              {
                "cpe_match": [
                  {
                    "cpe22Uri": "cpe:/a:tibco:jasperreports_server",
                    "vulnerable": true
                  },
                  {
                    "cpe22Uri": "cpe:/a:tibco:jasperreports_server_for_activematrix_bpm",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2020-005643"
          }
        ]
      },
      "cve": "CVE-2020-9409",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [
              {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "nvd@nist.gov",
                "availabilityImpact": "COMPLETE",
                "baseScore": 10.0,
                "confidentialityImpact": "COMPLETE",
                "exploitabilityScore": 10.0,
                "id": "CVE-2020-9409",
                "impactScore": 10.0,
                "integrityImpact": "COMPLETE",
                "severity": "HIGH",
                "trust": 1.0,
                "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
                "version": "2.0"
              },
              {
                "acInsufInfo": null,
                "accessComplexity": "Low",
                "accessVector": "Network",
                "authentication": "None",
                "author": "NVD",
                "availabilityImpact": "Complete",
                "baseScore": 10.0,
                "confidentialityImpact": "Complete",
                "exploitabilityScore": null,
                "id": "JVNDB-2020-005643",
                "impactScore": null,
                "integrityImpact": "Complete",
                "obtainAllPrivilege": null,
                "obtainOtherPrivilege": null,
                "obtainUserPrivilege": null,
                "severity": "High",
                "trust": 0.8,
                "userInteractionRequired": null,
                "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
                "version": "2.0"
              },
              {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "CNVD",
                "availabilityImpact": "COMPLETE",
                "baseScore": 10.0,
                "confidentialityImpact": "COMPLETE",
                "exploitabilityScore": 10.0,
                "id": "CNVD-2020-34447",
                "impactScore": 10.0,
                "integrityImpact": "COMPLETE",
                "severity": "HIGH",
                "trust": 0.6,
                "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
                "version": "2.0"
              }
            ],
            "cvssV3": [
              {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "author": "nvd@nist.gov",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "exploitabilityScore": 3.9,
                "id": "CVE-2020-9409",
                "impactScore": 5.9,
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "trust": 2.0,
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              {
                "attackComplexity": "Low",
                "attackVector": "Network",
                "author": "NVD",
                "availabilityImpact": "High",
                "baseScore": 9.8,
                "baseSeverity": "Critical",
                "confidentialityImpact": "High",
                "exploitabilityScore": null,
                "id": "JVNDB-2020-005643",
                "impactScore": null,
                "integrityImpact": "High",
                "privilegesRequired": "None",
                "scope": "Unchanged",
                "trust": 0.8,
                "userInteraction": "None",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            ],
            "severity": [
              {
                "author": "nvd@nist.gov",
                "id": "CVE-2020-9409",
                "trust": 1.0,
                "value": "CRITICAL"
              },
              {
                "author": "security@tibco.com",
                "id": "CVE-2020-9409",
                "trust": 1.0,
                "value": "CRITICAL"
              },
              {
                "author": "NVD",
                "id": "JVNDB-2020-005643",
                "trust": 0.8,
                "value": "Critical"
              },
              {
                "author": "CNVD",
                "id": "CNVD-2020-34447",
                "trust": 0.6,
                "value": "HIGH"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-202005-1084",
                "trust": 0.6,
                "value": "CRITICAL"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "CNVD",
            "id": "CNVD-2020-34447"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2020-005643"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202005-1084"
          },
          {
            "db": "NVD",
            "id": "CVE-2020-9409"
          },
          {
            "db": "NVD",
            "id": "CVE-2020-9409"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "The administrative UI component of TIBCO Software Inc.\u0027s TIBCO JasperReports Server, TIBCO JasperReports Server for AWS Marketplace, and TIBCO JasperReports Server for ActiveMatrix BPM contains a vulnerability that theoretically allows an unauthenticated attacker to obtain the permissions of a JasperReports Server \"superuser\" for the affected systems. The attacker can theoretically exploit the vulnerability consistently, remotely, and without authenticating. Affected releases are TIBCO Software Inc.\u0027s TIBCO JasperReports Server: versions 7.1.1 and below, TIBCO JasperReports Server for AWS Marketplace: versions 7.1.1 and below, and TIBCO JasperReports Server for ActiveMatrix BPM: versions 7.1.1 and below. (DoS) It may be put into a state. TIBCO Software JasperReports Server is an embeddable report server from TIBCO Software in the United States. It provides reporting and analysis functions that can be embedded in Web or mobile devices. An attacker could use this vulnerability to obtain the superuser privileges of JasperReports Server and execute arbitrary code",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2020-9409"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2020-005643"
          },
          {
            "db": "CNVD",
            "id": "CNVD-2020-34447"
          }
        ],
        "trust": 2.16
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2020-9409",
            "trust": 3.0
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2020-005643",
            "trust": 0.8
          },
          {
            "db": "CNVD",
            "id": "CNVD-2020-34447",
            "trust": 0.6
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202005-1084",
            "trust": 0.6
          }
        ],
        "sources": [
          {
            "db": "CNVD",
            "id": "CNVD-2020-34447"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2020-005643"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202005-1084"
          },
          {
            "db": "NVD",
            "id": "CVE-2020-9409"
          }
        ]
      },
      "id": "VAR-202005-0877",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "CNVD",
            "id": "CNVD-2020-34447"
          }
        ],
        "trust": 1.6
      },
      "iot_taxonomy": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "category": [
              "Network device"
            ],
            "sub_category": null,
            "trust": 0.6
          }
        ],
        "sources": [
          {
            "db": "CNVD",
            "id": "CNVD-2020-34447"
          }
        ]
      },
      "last_update_date": "2024-11-23T22:51:21.527000Z",
      "patch": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/patch#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "title": "Security Advisories",
            "trust": 0.8,
            "url": "http://www.tibco.com/services/support/advisories"
          },
          {
            "title": "TIBCO Security Advisory: May 19, 2020 - TIBCO JasperReports Server",
            "trust": 0.8,
            "url": "https://www.tibco.com/support/advisories/2020/05/tibco-security-advisory-may-19-2020-tibco-jasperreports-server"
          },
          {
            "title": "Patch for TIBCO Software TIBCO JasperReports Server privilege elevation vulnerability",
            "trust": 0.6,
            "url": "https://www.cnvd.org.cn/patchInfo/show/222915"
          },
          {
            "title": "TIBCO Software TIBCO JasperReports Server Security vulnerabilities",
            "trust": 0.6,
            "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=119146"
          }
        ],
        "sources": [
          {
            "db": "CNVD",
            "id": "CNVD-2020-34447"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2020-005643"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202005-1084"
          }
        ]
      },
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-276",
            "trust": 1.8
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2020-005643"
          },
          {
            "db": "NVD",
            "id": "CVE-2020-9409"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 2.0,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2020-9409"
          },
          {
            "trust": 1.6,
            "url": "http://www.tibco.com/services/support/advisories"
          },
          {
            "trust": 1.6,
            "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
          },
          {
            "trust": 0.8,
            "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-9409"
          }
        ],
        "sources": [
          {
            "db": "CNVD",
            "id": "CNVD-2020-34447"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2020-005643"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202005-1084"
          },
          {
            "db": "NVD",
            "id": "CVE-2020-9409"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "CNVD",
            "id": "CNVD-2020-34447"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2020-005643"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202005-1084"
          },
          {
            "db": "NVD",
            "id": "CVE-2020-9409"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2020-06-23T00:00:00",
            "db": "CNVD",
            "id": "CNVD-2020-34447"
          },
          {
            "date": "2020-06-19T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2020-005643"
          },
          {
            "date": "2020-05-20T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202005-1084"
          },
          {
            "date": "2020-05-20T13:15:10.317000",
            "db": "NVD",
            "id": "CVE-2020-9409"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2020-06-23T00:00:00",
            "db": "CNVD",
            "id": "CNVD-2020-34447"
          },
          {
            "date": "2020-06-19T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2020-005643"
          },
          {
            "date": "2020-10-21T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202005-1084"
          },
          {
            "date": "2024-11-21T05:40:35.017000",
            "db": "NVD",
            "id": "CVE-2020-9409"
          }
        ]
      },
      "threat_type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "remote",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202005-1084"
          }
        ],
        "trust": 0.6
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "plural  TIBCO JasperReports Server Inappropriate default permissions in the product",
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2020-005643"
          }
        ],
        "trust": 0.8
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "other",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202005-1084"
          }
        ],
        "trust": 0.6
      }
    }

    CVE-2024-3323 (GCVE-0-2024-3323)

    Vulnerability from nvd – Published: 2024-04-17 18:53 – Updated: 2024-08-01 20:05
    VLAI
    Title
    Reflected Cross Site Scripting (XSS) vulnerability
    Summary
    Cross Site Scripting in UI Request/Response Validation in TIBCO JasperReports Server 8.0.4 and 8.2.0 allows for the injection of malicious executable scripts into the code of a trusted application, which may lead to theft of the user's active session cookie by sending a malicious link and enticing the user to interact with it.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    TIBCO JasperReports Server Affected: 8.0 , < 8.0.4 (Hotfix)
    Affected: 8.2 , < 8.2.0 (Hotfix)
    tibco jasperreports_server Affected: 8.0.4
        cpe:2.3:a:tibco:jasperreports_server:8.0.4:*:*:*:*:*:*:*
    tibco jasperreports_server Affected: 8.2.0
        cpe:2.3:a:tibco:jasperreports_server:8.2.0:*:*:*:*:*:*:*
    Date Public
    2024-04-09 16:30

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:tibco:jasperreports_server:8.0.4:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "jasperreports_server",
                "vendor": "tibco",
                "versions": [
                  {
                    "status": "affected",
                    "version": "8.0.4"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:tibco:jasperreports_server:8.2.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "jasperreports_server",
                "vendor": "tibco",
                "versions": [
                  {
                    "status": "affected",
                    "version": "8.2.0"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-3323",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-04-22T21:35:25.685169Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-79",
                    "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:31:11.990Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T20:05:08.445Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://community.tibco.com/advisories/tibco-security-advisory-april-9-2024-tibco-jasperreports-server-cve-2024-3323-r209/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "UI Request/Response Validation"
              ],
              "product": "JasperReports Server",
              "vendor": "TIBCO",
              "versions": [
                {
                  "lessThan": "8.0.4",
                  "status": "affected",
                  "version": "8.0",
                  "versionType": "Hotfix"
                },
                {
                  "lessThan": "8.2.0",
                  "status": "affected",
                  "version": "8.2",
                  "versionType": "Hotfix"
                }
              ]
            }
          ],
          "datePublic": "2024-04-09T16:30:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Cross Site Scripting in \n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eUI Request/Response Validation\u003c/span\u003e\n\n in TIBCO JasperReports Server 8.0.4 and 8.2.0 allows allows for the injection of malicious executable scripts into the code of a trusted application that may lead to stealing the user\u0027s active session cookie\u0026nbsp;via sending malicious link, enticing the user to interact."
                }
              ],
              "value": "Cross Site Scripting in \n\nUI Request/Response Validation\n\n in TIBCO JasperReports Server 8.0.4 and 8.2.0 allows allows for the injection of malicious executable scripts into the code of a trusted application that may lead to stealing the user\u0027s active session cookie\u00a0via sending malicious link, enticing the user to interact."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-04-17T18:53:21.348Z",
            "orgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
            "shortName": "tibco"
          },
          "references": [
            {
              "url": "https://community.tibco.com/advisories/tibco-security-advisory-april-9-2024-tibco-jasperreports-server-cve-2024-3323-r209/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Reflected Cross Site Scripting (XSS) vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
        "assignerShortName": "tibco",
        "cveId": "CVE-2024-3323",
        "datePublished": "2024-04-17T18:53:21.348Z",
        "dateReserved": "2024-04-04T17:01:23.280Z",
        "dateUpdated": "2024-08-01T20:05:08.445Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-3323 (GCVE-0-2024-3323)

    Vulnerability from cvelistv5 – Published: 2024-04-17 18:53 – Updated: 2024-08-01 20:05
    Title
    Reflected Cross Site Scripting (XSS) vulnerability
    Summary
    Cross Site Scripting in UI Request/Response Validation in TIBCO JasperReports Server 8.0.4 and 8.2.0 allows for the injection of malicious executable scripts into the code of a trusted application that may lead to stealing the user's active session cookie via sending a malicious link, enticing the user to interact. Note: the CNA version data below marks 8.0 < 8.0.4 (Hotfix) and 8.2 < 8.2.0 (Hotfix) as affected, while this description and the NVD CPE entries name 8.0.4 and 8.2.0 themselves; the "Hotfix" version type suggests the fixed state is a hotfix applied on top of those releases, so confirm the exact fixed build against the TIBCO advisory before treating an 8.0.4 or 8.2.0 install as patched. Also note that the vendor's CVSS v3.1 vector assigns PR:H, which is unusual for a reflected XSS delivered by link to a victim; treat the 8.3 score as the vendor's assessment rather than an independently validated one.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    TIBCO JasperReports Server Affected: 8.0 , < 8.0.4 (Hotfix)
    Affected: 8.2 , < 8.2.0 (Hotfix)
    tibco jasperreports_server Affected: 8.0.4
        cpe:2.3:a:tibco:jasperreports_server:8.0.4:*:*:*:*:*:*:*
    tibco jasperreports_server Affected: 8.2.0
        cpe:2.3:a:tibco:jasperreports_server:8.2.0:*:*:*:*:*:*:*
    Date Public
    2024-04-09 16:30

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:tibco:jasperreports_server:8.0.4:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "jasperreports_server",
                "vendor": "tibco",
                "versions": [
                  {
                    "status": "affected",
                    "version": "8.0.4"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:tibco:jasperreports_server:8.2.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "jasperreports_server",
                "vendor": "tibco",
                "versions": [
                  {
                    "status": "affected",
                    "version": "8.2.0"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-3323",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-04-22T21:35:25.685169Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-79",
                    "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:31:11.990Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T20:05:08.445Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://community.tibco.com/advisories/tibco-security-advisory-april-9-2024-tibco-jasperreports-server-cve-2024-3323-r209/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "UI Request/Response Validation"
              ],
              "product": "JasperReports Server",
              "vendor": "TIBCO",
              "versions": [
                {
                  "lessThan": "8.0.4",
                  "status": "affected",
                  "version": "8.0",
                  "versionType": "Hotfix"
                },
                {
                  "lessThan": "8.2.0",
                  "status": "affected",
                  "version": "8.2",
                  "versionType": "Hotfix"
                }
              ]
            }
          ],
          "datePublic": "2024-04-09T16:30:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Cross Site Scripting in \n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eUI Request/Response Validation\u003c/span\u003e\n\n in TIBCO JasperReports Server 8.0.4 and 8.2.0 allows for the injection of malicious executable scripts into the code of a trusted application that may lead to stealing the user\u0027s active session cookie\u0026nbsp;via sending malicious link, enticing the user to interact."
                }
              ],
              "value": "Cross Site Scripting in \n\nUI Request/Response Validation\n\n in TIBCO JasperReports Server 8.0.4 and 8.2.0 allows for the injection of malicious executable scripts into the code of a trusted application that may lead to stealing the user\u0027s active session cookie\u00a0via sending malicious link, enticing the user to interact."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-04-17T18:53:21.348Z",
            "orgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
            "shortName": "tibco"
          },
          "references": [
            {
              "url": "https://community.tibco.com/advisories/tibco-security-advisory-april-9-2024-tibco-jasperreports-server-cve-2024-3323-r209/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Reflected Cross Site Scripting (XSS) vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
        "assignerShortName": "tibco",
        "cveId": "CVE-2024-3323",
        "datePublished": "2024-04-17T18:53:21.348Z",
        "dateReserved": "2024-04-04T17:01:23.280Z",
        "dateUpdated": "2024-08-01T20:05:08.445Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }