CVE-2013-6465

Multiple cross-site scripting (XSS) vulnerabilities in JBPM KIE Workbench 6.0.x allow remote authenticated users to inject arbitrary web script or HTML via vectors related to task name html inputs.

CVSS v3 5.4 MEDIUM
CVSS v2.0 3.5 LOW

5.4^/10

CVSS v3 : MEDIUM

Vector : AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

3.5^/10

CVSS v2.0 : LOW

Vector : AV:N/AC:M/Au:S/C:N/I:P/A:N

Exploitability : 6.8 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://bugzilla.redhat.com/show_bug.cgi?id=1048380	Issue Tracking Patch
https://github.com/kiegroup/jbpm-wb/commit/4818204506e8e94645b52adb9426bedfa9ffdd04	Patch
https://github.com/kiegroup/jbpm-wb/compare/6.0.x	Release Notes

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:redhat:jbpm:6.0.0:::::::*
	cpe:2.3:a:redhat:jbpm:6.0.0:alpha7::::::
	cpe:2.3:a:redhat:jbpm:6.0.0:alpha9::::::
	cpe:2.3:a:redhat:jbpm:6.0.0:beta1::::::
	cpe:2.3:a:redhat:jbpm:6.0.0:beta2::::::
	cpe:2.3:a:redhat:jbpm:6.0.0:beta3::::::
	cpe:2.3:a:redhat:jbpm:6.0.0:beta4::::::
	cpe:2.3:a:redhat:jbpm:6.0.0:beta5::::::
	cpe:2.3:a:redhat:jbpm:6.0.0:cr1::::::
	cpe:2.3:a:redhat:jbpm:6.0.0:cr2::::::
	cpe:2.3:a:redhat:jbpm:6.0.0:cr3::::::
	cpe:2.3:a:redhat:jbpm:6.0.0:cr4::::::
	cpe:2.3:a:redhat:jbpm:6.0.0:cr5::::::

History

No history.

Information

Published : 2017-12-19 19:29

Updated : 2024-02-04 19:29

NVD link : CVE-2013-6465

Mitre link : CVE-2013-6465

CVE.ORG link : CVE-2013-6465

JSON object : View

Products Affected

redhat

jbpm

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2013-6465", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.0", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2017-12-19T19:29:00.203", "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1048380", "tags": ["Issue Tracking", "Patch"], "source": "secalert@redhat.com"}, {"url": "https://github.com/kiegroup/jbpm-wb/commit/4818204506e8e94645b52adb9426bedfa9ffdd04", "tags": ["Patch"], "source": "secalert@redhat.com"}, {"url": "https://github.com/kiegroup/jbpm-wb/compare/6.0.x", "tags": ["Release Notes"], "source": "secalert@redhat.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in JBPM KIE Workbench 6.0.x allow remote authenticated users to inject arbitrary web script or HTML via vectors related to task name html inputs."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades Cross-Site Scripting (XSS) en JBPM KIE Workbench 6.0.x permiten que los usuarios autenticados remotos inyecten scripts web o HTML arbitrarios a trav\u00e9s de vectores relacionados con las entradas HTML de nombres de tareas."}], "lastModified": "2018-01-05T16:20:44.450", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:redhat:jbpm:6.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7E5AB5CC-29F3-4630-9824-32B7B10021DD"}, {"criteria": "cpe:2.3:a:redhat:jbpm:6.0.0:alpha7:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6A3D607A-31DE-400B-9A5F-A0B4BB6E95B0"}, {"criteria": "cpe:2.3:a:redhat:jbpm:6.0.0:alpha9:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "920CD330-41FD-4B5A-9919-62AF7A56E452"}, {"criteria": "cpe:2.3:a:redhat:jbpm:6.0.0:beta1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F432B6D6-B484-44E4-9659-87D56612B6DE"}, {"criteria": "cpe:2.3:a:redhat:jbpm:6.0.0:beta2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2413BA36-7B43-4F7A-9362-E970C20A7F03"}, {"criteria": "cpe:2.3:a:redhat:jbpm:6.0.0:beta3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F6DA6A0E-75D6-443F-9359-B2A08F774626"}, {"criteria": "cpe:2.3:a:redhat:jbpm:6.0.0:beta4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2986F76F-380A-4994-94AE-2BF5784DE416"}, {"criteria": "cpe:2.3:a:redhat:jbpm:6.0.0:beta5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "56DF7DFA-8A94-4745-AAC1-8BC0069392D5"}, {"criteria": "cpe:2.3:a:redhat:jbpm:6.0.0:cr1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FDD3EA3D-DD86-4209-BD85-2E95DB2125BC"}, {"criteria": "cpe:2.3:a:redhat:jbpm:6.0.0:cr2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6BADBBAC-DB44-45BC-8F4E-4278AEA38B30"}, {"criteria": "cpe:2.3:a:redhat:jbpm:6.0.0:cr3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9F3C1CB4-F7D2-458A-9EF0-6C0109FA0FF0"}, {"criteria": "cpe:2.3:a:redhat:jbpm:6.0.0:cr4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AC4DE0BB-6894-4C7B-AF11-6D8597C178D0"}, {"criteria": "cpe:2.3:a:redhat:jbpm:6.0.0:cr5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F8EC5237-CBB0-4CCE-ACCF-0DF526EDDD78"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}