Vulnerability Description
JBoss BRMS 6 and BPM Suite 6 before 6.4.3 are vulnerable to a stored XSS via several lists in Business Central. The flaw is due to lack of sanitation of user input when creating new lists. Remote, authenticated attackers that have privileges to create lists can store scripts in them, which are not properly sanitized before showing to other users, including admins.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Redhat | Jboss Bpm Suite | >= 6.0.0, < 6.4.3 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/98390Third Party AdvisoryVDB Entry
- https://access.redhat.com/errata/RHSA-2017:1217Broken LinkVendor Advisory
- https://access.redhat.com/errata/RHSA-2017:1218Broken LinkVendor Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2674Issue TrackingVendor Advisory
- http://www.securityfocus.com/bid/98390Third Party AdvisoryVDB Entry
- https://access.redhat.com/errata/RHSA-2017:1217Broken LinkVendor Advisory
- https://access.redhat.com/errata/RHSA-2017:1218Broken LinkVendor Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2674Issue TrackingVendor Advisory
FAQ
What is CVE-2017-2674?
CVE-2017-2674 is a vulnerability with a CVSS score of 6.1 (MEDIUM). JBoss BRMS 6 and BPM Suite 6 before 6.4.3 are vulnerable to a stored XSS via several lists in Business Central. The flaw is due to lack of sanitation of user input when creating new lists. Remote, aut...
How severe is CVE-2017-2674?
CVE-2017-2674 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-2674?
Check the references section above for vendor advisories and patch information. Affected products include: Redhat Jboss Bpm Suite.