CVE-2018-18813 - OpenCVE

The Spotfire web server component of TIBCO Software Inc.'s TIBCO Spotfire Analytics Platform for AWS Marketplace, and TIBCO Spotfire Server contains multiple vulnerabilities that may allow persistent and reflected cross-site scripting attacks. Affected releases are TIBCO Software Inc. TIBCO Spotfire Analytics Platform for AWS Marketplace: versions up to and including 10.0.0, and TIBCO Spotfire Server: versions up to and including 7.10.1; 7.11.0; 7.11.1; 7.12.0; 7.13.0; 7.14.0; 10.0.0.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Tibco	Spotfire Analytics Platform For Aws Spotfire Server

Configuration 1 [-]

OR	cpe:2.3:a:tibco:spotfire_analytics_platform_for_aws::::::::
	cpe:2.3:a:tibco:spotfire_server::::::::
	cpe:2.3:a:tibco:spotfire_server:7.11.0:::::::*
	cpe:2.3:a:tibco:spotfire_server:7.11.1:::::::*
	cpe:2.3:a:tibco:spotfire_server:7.12.0:::::::*
	cpe:2.3:a:tibco:spotfire_server:7.13.0:::::::*
	cpe:2.3:a:tibco:spotfire_server:7.14.0:::::::*
	cpe:2.3:a:tibco:spotfire_server:10.0.0:::::::*

References

Link	Resource
http://www.securityfocus.com/bid/106635	Third Party Advisory VDB Entry
http://www.tibco.com/services/support/advisories	Vendor Advisory
https://www.tibco.com/support/advisories/2019/01/tibco-security-advisory-january-16-2019-tibco-spotfire-2018-18813	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: tibco

Published: 2019-01-16T00:00:00

Updated: 2019-01-17T10:57:01

Reserved: 2018-10-29T00:00:00

Link: CVE-2018-18813

JSON object: View

NVD Information

Status : Modified

Published: 2019-01-16T22:29:00.310

Modified: 2019-10-09T23:37:26.803

Link: CVE-2018-18813

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"containers": {"cna": {"affected": [{"product": "TIBCO Spotfire Analytics Platform for AWS Marketplace", "vendor": "TIBCO Software Inc.", "versions": [{"lessThanOrEqual": "10.0.0", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "TIBCO Spotfire Server", "vendor": "TIBCO Software Inc.", "versions": [{"lessThanOrEqual": "7.10.1", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"status": "affected", "version": "7.11.0"}, {"status": "affected", "version": "7.11.1"}, {"status": "affected", "version": "7.12.0"}, {"status": "affected", "version": "7.13.0"}, {"status": "affected", "version": "7.14.0"}, {"status": "affected", "version": "10.0.0"}]}], "datePublic": "2019-01-16T00:00:00", "descriptions": [{"lang": "en", "value": "The Spotfire web server component of TIBCO Software Inc.'s TIBCO Spotfire Analytics Platform for AWS Marketplace, and TIBCO Spotfire Server contains multiple vulnerabilities that may allow persistent and reflected cross-site scripting attacks. Affected releases are TIBCO Software Inc. TIBCO Spotfire Analytics Platform for AWS Marketplace: versions up to and including 10.0.0, and TIBCO Spotfire Server: versions up to and including 7.10.1; 7.11.0; 7.11.1; 7.12.0; 7.13.0; 7.14.0; 10.0.0."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"description": "The impact of this vulnerability includes the theoretical possibility that an unauthenticated attacker could perform administrative functions provided by the web interface of the affected component.", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-01-17T10:57:01", "orgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db", "shortName": "tibco"}, "references": [{"name": "106635", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/106635"}, {"tags": ["x_refsource_MISC"], "url": "http://www.tibco.com/services/support/advisories"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.tibco.com/support/advisories/2019/01/tibco-security-advisory-january-16-2019-tibco-spotfire-2018-18813"}], "solutions": [{"lang": "en", "value": "TIBCO has released updated versions of the affected components which address these issues. For each affected system, update to the corresponding software versions:\n\nTIBCO Spotfire Analytics Platform for AWS Marketplace versions 10.0.0 and below update to version 10.0.1 or higher\nTIBCO Spotfire Server versions 7.10.1 and below update to version 7.10.2 or higher\nTIBCO Spotfire Server versions 7.11.0, and 7.11.1 update to version 7.11.2 or higher\nTIBCO Spotfire Server versions 7.12.0, 7.13.0, 7.14.0, and 10.0.0 update to version 10.0.1 or higher\n"}], "source": {"discovery": "USER"}, "title": "TIBCO Spotfire Reflected and Persistent Cross-Site Scripting Vulnerabilities", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@tibco.com", "DATE_PUBLIC": "2019-01-16T17:00:00.000Z", "ID": "CVE-2018-18813", "STATE": "PUBLIC", "TITLE": "TIBCO Spotfire Reflected and Persistent Cross-Site Scripting Vulnerabilities"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "TIBCO Spotfire Analytics Platform for AWS Marketplace", "version": {"version_data": [{"affected": "<=", "version_affected": "<=", "version_value": "10.0.0"}]}}, {"product_name": "TIBCO Spotfire Server", "version": {"version_data": [{"affected": "<=", "version_affected": "<=", "version_value": "7.10.1"}, {"affected": "=", "version_affected": "=", "version_value": "7.11.0"}, {"affected": "=", "version_affected": "=", "version_value": "7.11.1"}, {"affected": "=", "version_affected": "=", "version_value": "7.12.0"}, {"affected": "=", "version_affected": "=", "version_value": "7.13.0"}, {"affected": "=", "version_affected": "=", "version_value": "7.14.0"}, {"affected": "=", "version_affected": "=", "version_value": "10.0.0"}]}}]}, "vendor_name": "TIBCO Software Inc."}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Spotfire web server component of TIBCO Software Inc.'s TIBCO Spotfire Analytics Platform for AWS Marketplace, and TIBCO Spotfire Server contains multiple vulnerabilities that may allow persistent and reflected cross-site scripting attacks. Affected releases are TIBCO Software Inc. TIBCO Spotfire Analytics Platform for AWS Marketplace: versions up to and including 10.0.0, and TIBCO Spotfire Server: versions up to and including 7.10.1; 7.11.0; 7.11.1; 7.12.0; 7.13.0; 7.14.0; 10.0.0."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "The impact of this vulnerability includes the theoretical possibility that an unauthenticated attacker could perform administrative functions provided by the web interface of the affected component."}]}]}, "references": {"reference_data": [{"name": "106635", "refsource": "BID", "url": "http://www.securityfocus.com/bid/106635"}, {"name": "http://www.tibco.com/services/support/advisories", "refsource": "MISC", "url": "http://www.tibco.com/services/support/advisories"}, {"name": "https://www.tibco.com/support/advisories/2019/01/tibco-security-advisory-january-16-2019-tibco-spotfire-2018-18813", "refsource": "CONFIRM", "url": "https://www.tibco.com/support/advisories/2019/01/tibco-security-advisory-january-16-2019-tibco-spotfire-2018-18813"}]}, "solution": [{"lang": "en", "value": "TIBCO has released updated versions of the affected components which address these issues. For each affected system, update to the corresponding software versions:\n\nTIBCO Spotfire Analytics Platform for AWS Marketplace versions 10.0.0 and below update to version 10.0.1 or higher\nTIBCO Spotfire Server versions 7.10.1 and below update to version 7.10.2 or higher\nTIBCO Spotfire Server versions 7.11.0, and 7.11.1 update to version 7.11.2 or higher\nTIBCO Spotfire Server versions 7.12.0, 7.13.0, 7.14.0, and 10.0.0 update to version 10.0.1 or higher\n"}], "source": {"discovery": "USER"}}}}, "cveMetadata": {"assignerOrgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db", "assignerShortName": "tibco", "cveId": "CVE-2018-18813", "datePublished": "2019-01-16T00:00:00", "dateReserved": "2018-10-29T00:00:00", "dateUpdated": "2019-01-17T10:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tibco:spotfire_analytics_platform_for_aws:*:*:*:*:*:*:*:*", "matchCriteriaId": "F1D10198-A17E-432F-BEB4-F98A8A067839", "versionEndIncluding": "10.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:tibco:spotfire_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "BA796C00-8493-40A3-BE34-3B5703194E7A", "versionEndIncluding": "7.10.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:tibco:spotfire_server:7.11.0:*:*:*:*:*:*:*", "matchCriteriaId": "F60AE38F-9603-47B1-9451-6A9B9D8FC065", "vulnerable": true}, {"criteria": "cpe:2.3:a:tibco:spotfire_server:7.11.1:*:*:*:*:*:*:*", "matchCriteriaId": "08AE8942-B051-4142-BFAE-5D47B883B7A7", "vulnerable": true}, {"criteria": "cpe:2.3:a:tibco:spotfire_server:7.12.0:*:*:*:*:*:*:*", "matchCriteriaId": "0F59A46F-9E34-4354-AB7D-73A253014BA9", "vulnerable": true}, {"criteria": "cpe:2.3:a:tibco:spotfire_server:7.13.0:*:*:*:*:*:*:*", "matchCriteriaId": "97B691A6-B273-4880-AD61-53169C4C3CEC", "vulnerable": true}, {"criteria": "cpe:2.3:a:tibco:spotfire_server:7.14.0:*:*:*:*:*:*:*", "matchCriteriaId": "47E57AE2-D98C-4231-9E56-A5EE8B5BC0AF", "vulnerable": true}, {"criteria": "cpe:2.3:a:tibco:spotfire_server:10.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "933FA68E-688B-40E6-A49B-952C3CC7123C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Spotfire web server component of TIBCO Software Inc.'s TIBCO Spotfire Analytics Platform for AWS Marketplace, and TIBCO Spotfire Server contains multiple vulnerabilities that may allow persistent and reflected cross-site scripting attacks. Affected releases are TIBCO Software Inc. TIBCO Spotfire Analytics Platform for AWS Marketplace: versions up to and including 10.0.0, and TIBCO Spotfire Server: versions up to and including 7.10.1; 7.11.0; 7.11.1; 7.12.0; 7.13.0; 7.14.0; 10.0.0."}, {"lang": "es", "value": "El componente del servidor web Spotfire de TIBCO Spotfire Analytics Platform for AWS Marketplace y TIBCO Spotfire Server, de TIBCO Software Inc., contiene m\u00faltiples vulnerabilidades que podr\u00edan permitir ataques de Componente persistente y reflejado. Las versiones afectadas de los productos de TIBCO Software Inc.son TIBCO Spotfire Analytics Platform for AWS Marketplace: versiones hasta e incluyendo la 10.0.0 y TIBCO Spotfire Server: versiones hasta e incluyendo las 7.10.1; 7.11.0; 7.11.1; 7.12.0; 7.13.0; 7.14.0 y la 10.0.0."}], "id": "CVE-2018-18813", "lastModified": "2019-10-09T23:37:26.803", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@tibco.com", "type": "Secondary"}]}, "published": "2019-01-16T22:29:00.310", "references": [{"source": "security@tibco.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/106635"}, {"source": "security@tibco.com", "tags": ["Vendor Advisory"], "url": "http://www.tibco.com/services/support/advisories"}, {"source": "security@tibco.com", "tags": ["Vendor Advisory"], "url": "https://www.tibco.com/support/advisories/2019/01/tibco-security-advisory-january-16-2019-tibco-spotfire-2018-18813"}], "sourceIdentifier": "security@tibco.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}