Description

Multiple cross-site scripting (XSS) vulnerabilities in JBPM KIE Workbench 6.0.x allow remote authenticated users to inject arbitrary web script or HTML via vectors related to task name html inputs.

Remediation

References

https://bugzilla.redhat.com/show_bug.cgi?id=1048380

https://github.com/kiegroup/jbpm-wb/commit/4818204506e8e94645b52adb9426bedfa9ffdd04

https://github.com/kiegroup/jbpm-wb/compare/6.0.x

Related Vulnerabilities

CVE-2023-36665 Vulnerability in maven package org.webjars.npm:github-com-protobufjs-protobuf-js

CVE-2023-0846 Vulnerability in maven package org.opennms:opennms-webapp

CVE-2023-49803 Vulnerability in maven package org.webjars.npm:koa__cors

CVE-2023-25570 Vulnerability in maven package com.ctrip.framework.apollo:apollo

CVE-2019-17633 Vulnerability in maven package org.eclipse.che:assembly-wsmaster-war

Severity

Medium

Classification

CWE-79 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Tags

Issue Tracking Patch Release Notes