SB2019081343 - Multiple vulnerabilities in TIBCO LogLogic Log Management Intelligence

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Reflected cross-site scripting (CVE-ID: N/A)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and perform administrative functions provided by the web interface of the affected component.

2) Cross-site request forgery (CVE-ID: CVE-2019-11207)

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and perform administrative functions provided by the web interface of the affected component.

Remediation

Install update from vendor's website.

References

• http://www.tibco.com/services/support/advisories
• https://www.tibco.com/support/advisories/2019/08/tibco-security-advisory-august-13-2019-tibco-loglogic-log-management-intelligence