CVE-2017-2674 — Improper Input Validation in Redhat Jboss BPM Suite

CWE-20 — Improper Input Validation CWE-79 — Cross-site Scripting8 documents5 sources

Severity

5.4MEDIUMNVD

CNA6.1

EPSS

0.2%

top 60.47%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Jboss BPM Suite RED HAT Business-central

Timeline

PublishedJul 27

Latest updateMay 13

Description

JBoss BRMS 6 and BPM Suite 6 before 6.4.3 are vulnerable to a stored XSS via several lists in Business Central. The flaw is due to lack of sanitation of user input when creating new lists. Remote, authenticated attackers that have privileges to create lists can store scripts in them, which are not properly sanitized before showing to other users, including admins.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

▶NVDredhat/jboss_bpm_suite6.0.0 — 6.4.3

▶CVEListV5red_hat/business-central6.4.3

🔴Vulnerability Details

GHSA

GHSA-5xrw-c22r-9h93: JBoss BRMS 6 and BPM Suite 6 before 6↗2022-05-13

▶

CVEList

CVE-2017-2674: JBoss BRMS 6 and BPM Suite 6 before 6↗2018-07-27

▶

📋Vendor Advisories

Red Hat

business-central: Multiple stored XSS in task and process filters↗2017-02-10

▶

💬Community

Bugzilla

CVE-2017-7554 RHMAP: Stored XSS in App Store↗2017-08-07

▶

Bugzilla

CVE-2017-7553 RHMAP: SSRF via external_request feature of App Studio↗2017-08-07

▶

Bugzilla

CVE-2017-7552 RHMAP Millicore IDE allows RCE on SCM↗2017-08-03

▶

Bugzilla

CVE-2017-2674 business-central: Multiple stored XSS in task and process filters↗2017-04-06

▶