CVE-2021-23272 - OpenCVE

The Application Development Clients component of TIBCO Software Inc.'s TIBCO BPM Enterprise and TIBCO BPM Enterprise Distribution for TIBCO Silver Fabric contains a vulnerability that theoretically allows a low privileged attacker with network access to execute a Cross Site Scripting (XSS) attack on the affected system. Affected releases are TIBCO Software Inc.'s TIBCO BPM Enterprise: versions 4.3.0 and below and TIBCO BPM Enterprise Distribution for TIBCO Silver Fabric: versions 4.3.0 and below.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:S/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Tibco	Bpm Enterprise Bpm Enterprise Distribution For Silver Fabric

Configuration 1 [-]

OR	cpe:2.3:a:tibco:bpm_enterprise::::::::
	cpe:2.3:a:tibco:bpm_enterprise_distribution_for_silver_fabric::::::::

No data.

References

Link	Providers
http://www.tibco.com/services/support/advisories

History

No history.

MITRE

Status: PUBLISHED

Assigner: tibco

Published: 2021-01-26T18:15:13.846513Z

Updated: 2024-09-16T17:38:34.192Z

Reserved: 2021-01-08T00:00:00

Link: CVE-2021-23272

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-01-26T19:15:13.080

Modified: 2023-11-07T03:30:50.770

Link: CVE-2021-23272

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "TIBCO BPM Enterprise", "vendor": "TIBCO Software Inc.", "versions": [{"lessThanOrEqual": "4.3.0", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "TIBCO BPM Enterprise Distribution for TIBCO Silver Fabric", "vendor": "TIBCO Software Inc.", "versions": [{"lessThanOrEqual": "4.3.0", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "datePublic": "2021-01-26T00:00:00", "descriptions": [{"lang": "en", "value": "The Application Development Clients component of TIBCO Software Inc.'s TIBCO BPM Enterprise and TIBCO BPM Enterprise Distribution for TIBCO Silver Fabric contains a vulnerability that theoretically allows a low privileged attacker with network access to execute a Cross Site Scripting (XSS) attack on the affected system. Affected releases are TIBCO Software Inc.'s TIBCO BPM Enterprise: versions 4.3.0 and below and TIBCO BPM Enterprise Distribution for TIBCO Silver Fabric: versions 4.3.0 and below."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "Successful execution of this vulnerability can result in unauthorized read access, as well as unauthorized update, insert or delete access to a subset of AMX-BPM data on the affected system.", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-01-26T18:15:13", "orgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db", "shortName": "tibco"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "http://www.tibco.com/services/support/advisories"}], "solutions": [{"lang": "en", "value": "TIBCO has released updated versions of the affected components which address these issues.\n\nTIBCO BPM Enterprise versions 4.3.0 and below update to version 4.3.1 or higher\nTIBCO BPM Enterprise Distribution for TIBCO Silver Fabric versions 4.3.0 and below update to version 4.3.1 or higher"}], "source": {"discovery": "USER"}, "title": "TIBCO BPM Cross Site Scripting (XSS)", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@tibco.com", "DATE_PUBLIC": "2021-01-26T17:00:00Z", "ID": "CVE-2021-23272", "STATE": "PUBLIC", "TITLE": "TIBCO BPM Cross Site Scripting (XSS)"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "TIBCO BPM Enterprise", "version": {"version_data": [{"version_affected": "<=", "version_value": "4.3.0"}]}}, {"product_name": "TIBCO BPM Enterprise Distribution for TIBCO Silver Fabric", "version": {"version_data": [{"version_affected": "<=", "version_value": "4.3.0"}]}}]}, "vendor_name": "TIBCO Software Inc."}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Application Development Clients component of TIBCO Software Inc.'s TIBCO BPM Enterprise and TIBCO BPM Enterprise Distribution for TIBCO Silver Fabric contains a vulnerability that theoretically allows a low privileged attacker with network access to execute a Cross Site Scripting (XSS) attack on the affected system. Affected releases are TIBCO Software Inc.'s TIBCO BPM Enterprise: versions 4.3.0 and below and TIBCO BPM Enterprise Distribution for TIBCO Silver Fabric: versions 4.3.0 and below."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Successful execution of this vulnerability can result in unauthorized read access, as well as unauthorized update, insert or delete access to a subset of AMX-BPM data on the affected system."}]}]}, "references": {"reference_data": [{"name": "http://www.tibco.com/services/support/advisories", "refsource": "CONFIRM", "url": "http://www.tibco.com/services/support/advisories"}]}, "solution": [{"lang": "en", "value": "TIBCO has released updated versions of the affected components which address these issues.\n\nTIBCO BPM Enterprise versions 4.3.0 and below update to version 4.3.1 or higher\nTIBCO BPM Enterprise Distribution for TIBCO Silver Fabric versions 4.3.0 and below update to version 4.3.1 or higher"}], "source": {"discovery": "USER"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T19:05:55.489Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.tibco.com/services/support/advisories"}]}]}, "cveMetadata": {"assignerOrgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db", "assignerShortName": "tibco", "cveId": "CVE-2021-23272", "datePublished": "2021-01-26T18:15:13.846513Z", "dateReserved": "2021-01-08T00:00:00", "dateUpdated": "2024-09-16T17:38:34.192Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tibco:bpm_enterprise:*:*:*:*:*:*:*:*", "matchCriteriaId": "9FB8FF05-E2A5-4E52-929A-75DD7D447741", "versionEndIncluding": "4.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:tibco:bpm_enterprise_distribution_for_silver_fabric:*:*:*:*:*:*:*:*", "matchCriteriaId": "D32DBEE5-D35B-42FD-8820-EFDA3DE77346", "versionEndIncluding": "4.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Application Development Clients component of TIBCO Software Inc.'s TIBCO BPM Enterprise and TIBCO BPM Enterprise Distribution for TIBCO Silver Fabric contains a vulnerability that theoretically allows a low privileged attacker with network access to execute a Cross Site Scripting (XSS) attack on the affected system. Affected releases are TIBCO Software Inc.'s TIBCO BPM Enterprise: versions 4.3.0 and below and TIBCO BPM Enterprise Distribution for TIBCO Silver Fabric: versions 4.3.0 and below."}, {"lang": "es", "value": "El componente Application Development Clients de TIBCO BPM Enterprise y TIBCO BPM Enterprise Distribution de TIBCO Software Inc. para TIBCO Silver Fabric contiene una vulnerabilidad que te\u00f3ricamente permite a un atacante con poco privilegiado con acceso a la red ejecutar un ataque de tipo Cross Site Scripting (XSS) en el sistema afectado. Las versiones afectadas son TIBCO BPM Enterprise de TIBCO Software Inc.: versiones 4.3.0 y anteriores y TIBCO BPM Enterprise Distribution para TIBCO Silver Fabric: versiones 4.3.0 y anteriores"}], "id": "CVE-2021-23272", "lastModified": "2023-11-07T03:30:50.770", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 2.5, "source": "security@tibco.com", "type": "Secondary"}]}, "published": "2021-01-26T19:15:13.080", "references": [{"source": "security@tibco.com", "tags": ["Vendor Advisory"], "url": "http://www.tibco.com/services/support/advisories"}], "sourceIdentifier": "security@tibco.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}