National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Contains Software Flaws (CVE)
  • CPE Product Version: cpe:/a:redhat:jboss_bpm_suite:6.0.0
There are 11 matching records.
Vuln ID Summary CVSS Severity
CVE-2016-6343

JBoss BPM Suite 6 is vulnerable to a reflected XSS via dashbuilder. Remote attackers can entice authenticated users that have privileges to access dashbuilder (usually admins) to click on links to /dashbuilder/Controller containing malicious scripts. Successful exploitation would allow execution of script code within the context of the affected user.

Published: October 31, 2018; 09:29:00 AM -04:00
V3: 5.4 MEDIUM
V2: 3.5 LOW
CVE-2016-8608

JBoss BRMS 6 and BPM Suite 6 are vulnerable to a stored XSS via business process editor. The flaw is due to an incomplete fix for CVE-2016-5398. Remote, authenticated attackers that have privileges to create business processes can store scripts in them, which are not properly sanitized before showing to other users, including admins.

Published: August 01, 2018; 10:29:00 AM -04:00
V3: 5.4 MEDIUM
V2: 3.5 LOW
CVE-2017-7463

JBoss BRMS 6 and BPM Suite 6 before 6.4.3 are vulnerable to a reflected XSS via artifact upload. A malformed XML file, if uploaded, causes an error message to appear that includes part of the bad XML code verbatim without filtering out scripts. Successful exploitation would allow execution of script code within the context of the affected user.

Published: July 27, 2018; 02:29:01 PM -04:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM
CVE-2017-2674

JBoss BRMS 6 and BPM Suite 6 before 6.4.3 are vulnerable to a stored XSS via several lists in Business Central. The flaw is due to lack of sanitation of user input when creating new lists. Remote, authenticated attackers that have privileges to create lists can store scripts in them, which are not properly sanitized before showing to other users, including admins.

Published: July 27, 2018; 02:29:01 PM -04:00
V3: 5.4 MEDIUM
V2: 3.5 LOW
CVE-2017-2658

It was discovered that the Dashbuilder login page as used in Red Hat JBoss BPM Suite before 6.4.2 and Red Hat JBoss Data Virtualization & Services before 6.4.3 could be opened in an IFRAME, which made it possible to intercept and manipulate requests. An attacker could use this flaw to trick a user into performing arbitrary actions in the Console (clickjacking).

Published: July 27, 2018; 02:29:01 PM -04:00
V3: 6.5 MEDIUM
V2: 4.3 MEDIUM
CVE-2015-7501

Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.

Published: November 09, 2017; 12:29:00 PM -05:00
V3: 9.8 CRITICAL
V2: 10.0 HIGH
CVE-2016-5401

Cross-site request forgery (CSRF) vulnerability in Red Hat JBoss BRMS and BPMS 6 allows remote attackers to hijack the authentication of users for requests that modify instances via a crafted web page.

Published: April 20, 2017; 05:59:00 PM -04:00
V3: 8.8 HIGH
V2: 6.8 MEDIUM
CVE-2016-5398

Cross-site scripting (XSS) vulnerability in Business Process Editor in Red Hat JBoss BPM Suite before 6.3.3 allows remote authenticated users to inject arbitrary web script or HTML by levering permission to create business processes.

Published: October 03, 2016; 02:59:06 PM -04:00
V3: 5.4 MEDIUM
V2: 3.5 LOW
CVE-2016-4999

SQL injection vulnerability in the getStringParameterSQL method in main/java/org/dashbuilder/dataprovider/sql/dialect/DefaultDialect.java in Dashbuilder before 0.6.0.Beta1 allows remote attackers to execute arbitrary SQL commands via a data set lookup filter in the (1) Data Set Authoring or (2) Displayer editor UI.

Published: August 05, 2016; 11:59:06 AM -04:00
V3: 9.8 CRITICAL
V2: 7.5 HIGH
CVE-2015-1818

XML external entity (XXE) vulnerability in the dashbuilder import facility (DocumentBuilders in org.jboss.dashboard.export.ImportManagerImpl) in Red Hat JBoss BPM Suite before 6.1.2 allows remote attackers to read arbitrary files, conduct server-side request forgery (SSRF) attacks, and have other unspecified impact via a crafted XML document.

Published: August 11, 2015; 10:59:00 AM -04:00
V2: 7.5 HIGH
CVE-2013-6468

JBoss Drools, Red Hat JBoss BRMS before 6.0.1, and Red Hat JBoss BPM Suite before 6.0.1 allows remote authenticated users to execute arbitrary Java code via a (1) MVFLEX Expression Language (MVEL) or (2) Drools expression.

Published: April 10, 2014; 04:29:20 PM -04:00
V2: 6.5 MEDIUM