Open redirect in TIBCO products - CVE-2019-8994
Published: September 20, 2019
Vulnerability identifier: #VU21224
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2019-8994
CWE-ID: CWE-601
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: TIBCO
Affected software:
TIBCO Silver Fabric Enabler for ActiveMatrix BPM
TIBCO ActiveMatrix BPM Distribution for TIBCO Silver Fabric
TIBCO ActiveMatrix BPM
TIBCO Silver Fabric Enabler for ActiveMatrix BPM
TIBCO ActiveMatrix BPM Distribution for TIBCO Silver Fabric
TIBCO ActiveMatrix BPM
Detailed vulnerability description
The vulnerability allows a remote attacker to redirect victims to arbitrary URL.
The vulnerability exists due to improper sanitization of user-supplied data in the Workspace client component. A remote attacker can create a link that leads to a trusted website, however, when clicked, redirects the victim to arbitrary domain.
Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.
How to mitigate CVE-2019-8994
Install updates from vendor's website.