CVE-2023-26218

The Web Client component of TIBCO Software Inc.'s TIBCO Nimbus contains easily exploitable Reflected Cross Site Scripting (XSS) vulnerabilities that allow a low privileged attacker to social engineer a legitimate user with network access to execute scripts targeting the affected system or the victim's local system. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.'s TIBCO Nimbus: versions 10.6.0 and below.

CVSS v3 9.0 CRITICAL

9.0^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 2.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://www.tibco.com/services/support/advisories	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:tibco:nimbus:*:*:*:*:*:*:*:*

History

04 Oct 2023, 01:37

Type	Values Removed	Values Added
References	~~(MISC) https://www.tibco.com/services/support/advisories -~~	(MISC) https://www.tibco.com/services/support/advisories - Vendor Advisory
CPE		cpe:2.3:a:tibco:nimbus::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.0
CWE		CWE-79
First Time		Tibco Tibco nimbus

29 Sep 2023, 18:22

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-09-29 18:15

Updated : 2023-12-10 15:14

NVD link : CVE-2023-26218

Mitre link : CVE-2023-26218

CVE.ORG link : CVE-2023-26218

JSON object : View

Products Affected

tibco

nimbus

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2023-26218", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.3}, {"type": "Secondary", "source": "security@tibco.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.0, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.1}]}, "published": "2023-09-29T18:15:09.687", "references": [{"url": "https://www.tibco.com/services/support/advisories", "tags": ["Vendor Advisory"], "source": "security@tibco.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}, {"type": "Secondary", "source": "security@tibco.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "The Web Client component of TIBCO Software Inc.'s TIBCO Nimbus contains easily exploitable Reflected Cross Site Scripting (XSS) vulnerabilities that allow a low privileged attacker to social engineer a legitimate user with network access to execute scripts targeting the affected system or the victim's local system. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.'s TIBCO Nimbus: versions 10.6.0 and below.\n\n"}, {"lang": "es", "value": "El componente de cliente web de TIBCO Nimbus de TIBCO Software Inc. contiene vulnerabilidades de Cross Site Scripting (XSS) reflejada f\u00e1cilmente explotables que permiten a un atacante con pocos privilegios realizar ingenier\u00eda social a un usuario leg\u00edtimo con acceso a la red para ejecutar scripts dirigidos al sistema afectado o al sistema local de la v\u00edctima. Un ataque exitoso que utilice esta vulnerabilidad requiere la interacci\u00f3n humana de una persona distinta del atacante. Las versiones afectadas son TIBCO Nimbus de TIBCO Software Inc.: versiones 10.6.0 e inferiores."}], "lastModified": "2023-10-04T01:37:39.550", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:tibco:nimbus:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E0515064-C408-4345-8EB8-2AA11EBFDD47", "versionEndExcluding": "10.6.1"}], "operator": "OR"}]}], "sourceIdentifier": "security@tibco.com"}