CVE-2023-29268: Unrestricted File Upload in Spotfire Statistics Services

Severity: 9.8 CRITICAL (NVD)
EPSS: 1.7% (top 17.85%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 26

Description

The Splus Server component of TIBCO Software Inc.'s TIBCO Spotfire Statistics Services contains a vulnerability that allows an unauthenticated remote attacker to upload or modify arbitrary files within the web server directory on the affected system. Affected releases are TIBCO Software Inc.'s TIBCO Spotfire Statistics Services: versions 11.4.10 and below, versions 11.5.0, 11.6.0, 11.6.1, 11.6.2, 11.7.0, 11.8.0, 11.8.1, 12.0.0, 12.0.1, and 12.0.2, versions 12.1.0 and 12.2.0.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages: 2 packages

Vulnerability Details

GHSA (1)
GHSA-fvhq-8h67-c2h8: The Splus Server component of TIBCO Software Inc (2023-04-26)