Vulnerability Details : CVE-2017-5528
Multiple JasperReports Server components contain vulnerabilities which may allow authorized users to perform cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks. The impact of this vulnerability includes the theoretical disclosure of sensitive information. Affects TIBCO JasperReports Server (versions 6.1.1 and below, 6.2.0, 6.2.1, and 6.3.0), TIBCO JasperReports Server Community Edition (versions 6.3.0 and below), TIBCO JasperReports Server for ActiveMatrix BPM (versions 6.2.0 and below), TIBCO Jaspersoft for AWS with Multi-Tenancy (versions 6.2.0 and below), and TIBCO Jaspersoft Reporting and Analytics for AWS (versions 6.2.0 and below).
Vulnerability category: Cross-site scripting (XSS); Cross-site request forgery (CSRF)
Products affected by CVE-2017-5528
- cpe:2.3:a:tibco:jasperreports_server:*:*:*:*:*:activematrix_bpm:*:*
- cpe:2.3:a:tibco:jasperreports_server:*:*:*:*:community:*:*:*
- cpe:2.3:a:tibco:jasperreports_server:*:*:*:*:*:*:*:*
- cpe:2.3:a:tibco:jasperreports_server:6.2.0:*:*:*:-:-:*:*
- cpe:2.3:a:tibco:jasperreports_server:6.2.1:*:*:*:-:-:*:*
- cpe:2.3:a:tibco:jasperreports_server:6.3.0:*:*:*:-:-:*:*
- cpe:2.3:a:tibco:jaspersoft:*:*:*:*:*:aws_with_multi-tenancy:*:*
- cpe:2.3:a:tibco:jaspersoft_reporting_and_analytics:*:*:*:*:*:aws:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-5528
0.08% (probability of exploitation activity in the next 30 days)
EPSS Score History
~31% (percentile: the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2017-5528
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.6 | 6.4 | NIST | 
5.7 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N | 2.1 | 3.6 | TIBCO Software Inc. | 
8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST | 
CWE ids for CVE-2017-5528
- The web application does not, or cannot, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2017-5528
- https://www.tibco.com/support/advisories/2017/06/tibco-security-advisory-june-28-2017-tibco-jasperreports-server-2017 (TIBCO Security Advisory: June 28, 2017 - TIBCO JasperReports Server - 2017-5528 | TIBCO Software; Vendor Advisory)