{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2016-09-28T00:00:00", "descriptions": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in Business Process Editor in Red Hat JBoss BPM Suite before 6.3.3 allows remote authenticated users to inject arbitrary web script or HTML by levering permission to create business processes."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2016-10-03T17:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "93219", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/93219"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1358523"}, {"name": "RHSA-2016:1969", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2016-1969.html"}, {"name": "RHSA-2016:1968", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2016-1968.html"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T01:00:59.957Z"}, "title": "CVE Program Container", "references": [{"name": "93219", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/93219"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1358523"}, {"name": "RHSA-2016:1969", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2016-1969.html"}, {"name": "RHSA-2016:1968", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2016-1968.html"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2016-5398", "datePublished": "2016-10-03T18:00:00", "dateReserved": "2016-06-10T00:00:00", "dateUpdated": "2024-08-06T01:00:59.957Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:jboss_bpm_suite:*:*:*:*:*:*:*:*", "matchCriteriaId": "2DC83704-41A4-4FB1-B459-55812F67629E", "versionEndIncluding": "6.3.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in Business Process Editor in Red Hat JBoss BPM Suite before 6.3.3 allows remote authenticated users to inject arbitrary web script or HTML by levering permission to create business processes."}, {"lang": "es", "value": "Vulnerabilidad de XSS en Business Process Editor en Red Hat JBoss BPM Suite en versiones anteriores a 6.3.3 permite a usuarios remotos autenticados inyectar secuencias de comandos web o HTML arbitrarios apalancando los permisos para crear procesos de negocio."}], "id": "CVE-2016-5398", "lastModified": "2016-10-04T15:15:37.883", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2016-10-03T18:59:06.347", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2016-1968.html"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2016-1969.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://www.securityfocus.com/bid/93219"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "VDB Entry", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1358523"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "This issue was discovered by Jeremy Choi (Red Hat Product Security Team).", "affected_release": [{"advisory": "RHSA-2016:1969", "cpe": "cpe:/a:redhat:jboss_bpms:6.3", "product_name": "Red Hat JBoss BPMS 6.3", "release_date": "2016-09-28T00:00:00Z"}, {"advisory": "RHSA-2016:1968", "cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:6.3", "product_name": "Red Hat JBoss BRMS 6.3", "release_date": "2016-09-28T00:00:00Z"}], "bugzilla": {"description": "stored XSS in JBoss BPM suite business process editor", "id": "1358523", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1358523"}, "csaw": false, "cvss": {"cvss_base_score": "5.5", "cvss_scoring_vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N", "status": "verified"}, "cvss3": {"cvss3_base_score": "5.4", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "status": "verified"}, "cwe": "CWE-79", "details": ["Cross-site scripting (XSS) vulnerability in Business Process Editor in Red Hat JBoss BPM Suite before 6.3.3 allows remote authenticated users to inject arbitrary web script or HTML by levering permission to create business processes.", "A security flaw was found in the way Business Process Editor displays the business process details to the user. A remote authenticated attacker with privilege to create business processes could use this flaw to conduct stored XSS attacks against other users."], "name": "CVE-2016-5398", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:6", "fix_state": "Affected", "package_name": "business-central", "product_name": "Red Hat BPM Suite 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:6", "fix_state": "Affected", "package_name": "business-central", "product_name": "Red Hat JBoss BRMS 6"}], "public_date": "2016-09-28T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2016-5398\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-5398"], "threat_severity": "Moderate"}