CVE-2017-2674

Impact:
Moderate
Public Date:
2017-02-10
CWE:
CWE-20
Bugzilla:
1439819: CVE-2017-2674 business-central: Multiple stored XSS in task and process filters
JBoss BRMS 6 and BPM Suite 6 are vulnerable to a stored XSS via several lists in Business Central. The flaw is due to lack of sanitation of user input when creating new lists. Remote, authenticated attackers that have privileges to create lists can store scripts in them, which are not properly sanitized before showing to other users, including admins.

Find out more about CVE-2017-2674 from the MITRE CVE dictionary dictionary and NIST NVD.

CVSS v3 metrics

CVSS3 Base Score 6.1
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Changed
Confidentiality Low
Integrity Impact Low
Availability Impact None

Red Hat Security Errata

Platform Errata Release Date
Red Hat JBoss BRMS 6.4 RHSA-2017:1217 2017-05-09
Red Hat JBoss BPMS 6.4 RHSA-2017:1218 2017-05-09

Acknowledgements

Red Hat would like to thank Chris Hebert, Vikas Pandey, Harold Schliesske, and Ryan Stanley (Noblis) for reporting this issue.

Last Modified
Close

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.