CVE-2020-9410 in Tibco and Oracle Products
Published on May 20, 2020

TIBCO JasperReports Library

The report generator component of TIBCO Software Inc.'s TIBCO JasperReports Library, TIBCO JasperReports Library for ActiveMatrix BPM, TIBCO JasperReports Server, TIBCO JasperReports Server for AWS Marketplace, and TIBCO JasperReports Server for ActiveMatrix BPM contains a vulnerability that theoretically allows an attacker to exploit HTML injection to gain full control of a web interface containing the output of the report generator component with the privileges of any user that views the affected report(s). The attacker can theoretically exploit this vulnerability when other users view a maliciously generated report, where those reports use Fusion Charts and a data source with contents controlled by the attacker. Affected releases are TIBCO Software Inc.'s TIBCO JasperReports Library: versions 7.1.1 and below, versions 7.2.0 and 7.2.1, version 7.3.0, version 7.5.0, TIBCO JasperReports Library for ActiveMatrix BPM: versions 7.1.1 and below, TIBCO JasperReports Server: versions 7.1.1 and below, version 7.2.0, version 7.5.0, TIBCO JasperReports Server for AWS Marketplace: versions 7.5.0 and below, and TIBCO JasperReports Server for ActiveMatrix BPM: versions 7.1.1 and below.

NVD

Vulnerability Analysis

CVE-2020-9410 is exploitable with network access, requires user interaction and a small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality and integrity, and no impact on availability.

Attack Vector:

NETWORK

Attack Complexity:

LOW

Privileges Required:

LOW

User Interaction:

REQUIRED

Scope:

UNCHANGED

Confidentiality Impact:

HIGH

Integrity Impact:

HIGH

Availability Impact:

NONE

Products Associated with CVE-2020-9410

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2020-9410 are published in these products:

Tibco Jasperreports Library

Tibco Jasperreports Server

Oracle Retail Order Broker

Affected Versions

TIBCO Software Inc. TIBCO JasperReports Library:

Version unspecified, <= 7.1.1 is affected.
Version 7.2.0 is affected.
Version 7.2.1 is affected.
Version 7.3.0 is affected.
Version 7.5.0 is affected.

TIBCO Software Inc. TIBCO JasperReports Library for ActiveMatrix BPM:

Version unspecified, <= 7.1.1 is affected.

TIBCO Software Inc. TIBCO JasperReports Server:

Version unspecified, <= 7.1.1 is affected.
Version 7.2.0 is affected.
Version 7.5.0 is affected.

TIBCO Software Inc. TIBCO JasperReports Server for AWS Marketplace:

Version unspecified, <= 7.5.0 is affected.

TIBCO Software Inc. TIBCO JasperReports Server for ActiveMatrix BPM:

Version unspecified, <= 7.1.1 is affected.

Exploit Probability

EPSS

1.10%

Percentile

77.77%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.

CVE-2020-9410 in Tibco and Oracle ProductsPublished on May 20, 2020

Vulnerability Analysis

Products Associated with CVE-2020-9410

Affected Versions

Exploit Probability

CVE-2020-9410 in Tibco and Oracle Products
Published on May 20, 2020