• TIBCO Security Advisory: October 10, 2023 - TIBCO Spotfire - CVE-2023-26220

  TIBCO Spotfire Stored Cross-site Scripting (XSS) vulnerability

  Original release date: October 10, 2023
  Last revised: —
  CVE-2023-26220
  Source: TIBCO Software Inc.

   

• Description
   

  The component listed above contains an easily exploitable vulnerability that allows a low privileged attacker with network access to execute a Stored Cross Site Scripting (XSS) on the affected system. A successful attack using this vulnerability requires human interaction from a person other than the attacker.
   

  Impact

  
  Successful execution of this vulnerability will result in an attacker being able to invoke [web] services with the privileges of the affected user.

  CVSS v3.1 Base Score: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

TIBCO has released updated versions of the affected systems which address this issue:

• TIBCO Spotfire Analyst versions 11.4.7 and below: update to version 11.4.8 or higher
• TIBCO Spotfire Analyst versions 11.5.0, 11.6.0, 11.7.0, 11.8.0, 12.0.0, 12.0.1, 12.0.2, 12.0.3 and 12.0.4: update to version 12.0.5 or higher
• TIBCO Spotfire Analyst versions 12.1.0 and 12.1.1: update to version 12.5.0 or higher
• TIBCO Spotfire Server versions 11.4.11 and below: update to 11.4.12 or higher
• TIBCO Spotfire Server versions 11.5.0, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.7.0, 11.8.0, 11.8.1, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4 and 12.0.5: update to 12.0.6 or higher
• TIBCO Spotfire Server versions 12.1.0 and 12.1.1: update to 12.5.0 or higher