CVE-2017-7463

JBoss BRMS 6 and BPM Suite 6 before 6.4.3 are vulnerable to a reflected XSS via artifact upload. A malformed XML file, if uploaded, causes an error message to appear that includes part of the bad XML code verbatim without filtering out scripts. Successful exploitation would allow execution of script code within the context of the affected user.

Published: Jul 27, 2018
Updated: Apr 13, 2023
CVE: CVE-2017-7463
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.1
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
redhat / jboss_bpm_suite	6.0.0	6.4.3

http://www.securityfocus.com/bid/98385
https://access.redhat.com/errata/RHSA-2017:1217
https://access.redhat.com/errata/RHSA-2017:1218
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7463

Vulnerability Database

289,599

CVE-2017-7463