{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-3323","assignerOrgId":"4f830c72-39e4-45f6-a99f-78cc01ae04db","state":"PUBLISHED","assignerShortName":"tibco","dateReserved":"2024-04-04T17:01:23.280Z","datePublished":"2024-04-17T18:53:21.348Z","dateUpdated":"2024-08-01T20:05:08.445Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","modules":["UI Request/Response Validation"],"product":"JasperReports Server","vendor":"TIBCO","versions":[{"lessThan":"8.0.4","status":"affected","version":"8.0","versionType":"Hotfix"},{"lessThan":"8.2.0","status":"affected","version":"8.2","versionType":"Hotfix"}]}],"datePublic":"2024-04-09T16:30:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Cross Site Scripting in \n\n<span style=\"background-color: rgb(255, 255, 255);\">UI Request/Response Validation</span>\n\n in TIBCO JasperReports Server 8.0.4 and 8.2.0 allows for the injection of malicious executable scripts into the code of a trusted application that may lead to stealing the user's active session cookie&nbsp;via sending a malicious link, enticing the user to interact."}],"value":"Cross Site Scripting in \n\nUI Request/Response Validation\n\n in TIBCO JasperReports Server 8.0.4 and 8.2.0 allows for the injection of malicious executable scripts into the code of a trusted application that may lead to stealing the user's active session cookie via sending a malicious link, enticing the user to 
interact."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":8.3,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"HIGH","scope":"CHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"providerMetadata":{"orgId":"4f830c72-39e4-45f6-a99f-78cc01ae04db","shortName":"tibco","dateUpdated":"2024-04-17T18:53:21.348Z"},"references":[{"url":"https://community.tibco.com/advisories/tibco-security-advisory-april-9-2024-tibco-jasperreports-server-cve-2024-3323-r209/"}],"source":{"discovery":"UNKNOWN"},"title":"Reflected Cross Site Scripting (XSS) vulnerability","x_generator":{"engine":"Vulnogram 0.1.0-dev"}},"adp":[{"title":"CISA ADP Vulnrichment","metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2024-3323","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2024-04-22T21:35:25.685169Z"}}}],"affected":[{"cpes":["cpe:2.3:a:tibco:jasperreports_server:8.0.4:*:*:*:*:*:*:*"],"vendor":"tibco","product":"jasperreports_server","versions":[{"status":"affected","version":"8.0.4"}],"defaultStatus":"unknown"},{"cpes":["cpe:2.3:a:tibco:jasperreports_server:8.2.0:*:*:*:*:*:*:*"],"vendor":"tibco","product":"jasperreports_server","versions":[{"status":"affected","version":"8.2.0"}],"defaultStatus":"unknown"}],"problemTypes":[{"descriptions":[{"lang":"en","type":"CWE","cweId":"CWE-79","description":"CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site 
Scripting')"}]}],"providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-06-04T17:31:11.990Z"}},{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-01T20:05:08.445Z"},"title":"CVE Program Container","references":[{"url":"https://community.tibco.com/advisories/tibco-security-advisory-april-9-2024-tibco-jasperreports-server-cve-2024-3323-r209/","tags":["x_transferred"]}]}]}}