Description

Multiple cross-site scripting (XSS) vulnerabilities in JBPM KIE Workbench 6.0.x allow remote authenticated users to inject arbitrary web script or HTML via vectors related to task name html inputs.

Remediation

References

https://bugzilla.redhat.com/show_bug.cgi?id=1048380

https://github.com/kiegroup/jbpm-wb/commit/4818204506e8e94645b52adb9426bedfa9ffdd04

https://github.com/kiegroup/jbpm-wb/compare/6.0.x

Related Vulnerabilities

CVE-2021-29442 Vulnerability in maven package com.alibaba.nacos:nacos-common

CVE-2021-33623 Vulnerability in npm package trim-newlines

CVE-2023-28155 Vulnerability in npm package request

CVE-2019-14862 Vulnerability in maven package org.webjars.bower:knockout

CVE-2023-25158 Vulnerability in maven package org.geotools:gt-main

Severity

Medium

Classification

CWE-79 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Tags

Issue Tracking Patch Release Notes