Description

Multiple cross-site scripting (XSS) vulnerabilities in JBPM KIE Workbench 6.0.x allow remote authenticated users to inject arbitrary web script or HTML via vectors related to task name html inputs.

Remediation

References

https://github.com/kiegroup/jbpm-wb/compare/6.0.x

https://github.com/kiegroup/jbpm-wb/commit/4818204506e8e94645b52adb9426bedfa9ffdd04

https://bugzilla.redhat.com/show_bug.cgi?id=1048380

Related Vulnerabilities

CVE-2021-43783 Vulnerability in npm package @backstage/plugin-scaffolder-backend

CVE-2020-36183 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind

CVE-2023-34093 Vulnerability in npm package @strapi/utils

CVE-2021-4264 Vulnerability in maven package org.webjars.npm:dustjs-linkedin

CVE-2023-30541 Vulnerability in npm package @openzeppelin/contracts-upgradeable

Severity

Medium

Classification

CWE-79 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Tags

Release Notes Patch Issue Tracking