PT-2020-4877 · Tibco Software · Fusioncharts+5

Published: 2020-05-19 · Updated: 2024-03-06 · CVE-2020-9410

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
TIBCO JasperReports Library versions 7.1.1 and below, 7.2.0, 7.2.1, 7.3.0, 7.5.0
TIBCO JasperReports Library for ActiveMatrix BPM versions 7.1.1 and below
TIBCO JasperReports Server versions 7.1.1 and below, 7.2.0, 7.5.0
TIBCO JasperReports Server for AWS Marketplace versions 7.5.0 and below
TIBCO JasperReports Server for ActiveMatrix BPM versions 7.1.1 and below

Description:
The report generator component of TIBCO Software Inc.'s products contains a vulnerability related to insufficient neutralization of special elements in output. It can be exploited to gain full control of the web interface with the privileges of any user who views the affected report. The attack is carried out through HTML injection: other users view a maliciously generated report that uses Fusion Charts and draws on a data source controlled by the attacker.

Recommendations:
For TIBCO JasperReports Library versions 7.1.1 and below, 7.2.0, 7.2.1, 7.3.0, 7.5.0: Update to a version that includes the fix for this issue.
For TIBCO JasperReports Library for ActiveMatrix BPM versions 7.1.1 and below: Update to a version that includes the fix for this issue.
For TIBCO JasperReports Server versions 7.1.1 and below, 7.2.0, 7.5.0: Update to a version that includes the fix for this issue.
For TIBCO JasperReports Server for AWS Marketplace versions 7.5.0 and below: Update to a version that includes the fix for this issue.
For TIBCO JasperReports Server for ActiveMatrix BPM versions 7.1.1 and below: Update to a version that includes the fix for this issue.
As a temporary workaround, consider restricting access to reports that use Fusion Charts together with a data source whose contents can be controlled by an attacker until a patch is available.

Fix

Special Elements Injection

XSS

Related Identifiers

BDU:2020-05431
BIT-JASPERREPORTS-2020-9410
CVE-2020-9410

Affected Products

Fusioncharts
Tibco Jasperreports Library
Tibco Jasperreports Library For Activematrix Bpm
Tibco Jasperreports Server
Tibco Jasperreports Server For Aws Marketplace
Tibco Jasperreports Server For Activematrix Bpm