Details of VAR-201908-1786

ID

VAR-201908-1786

CVE

CVE-2019-11207

TITLE

TIBCO Software Inc. TIBCO LogLogic Enterprise Virtual Appliance and TIBCO LogLogic Log Management Intelligence Vulnerable to cross-site request forgery

Trust: 0.8

sources: JVNDB: JVNDB-2019-008024

DESCRIPTION

The web server component of TIBCO Software Inc.'s TIBCO LogLogic Enterprise Virtual Appliance, and TIBCO LogLogic Log Management Intelligence contains multiple vulnerabilities that theoretically allow persistent and reflected cross-site scripting (XSS) attacks, as well as cross-site request forgery (CSRF) attacks. This issue affects: TIBCO Software Inc. TIBCO LogLogic Enterprise Virtual Appliance version 6.2.1 and prior versions. TIBCO Software Inc. TIBCO LogLogic Log Management Intelligence 6.2.1. TIBCO LogLogic LX825 Appliance 0.0.004, TIBCO LogLogic LX1025 Appliance 0.0.004, TIBCO LogLogic LX4025 Appliance 0.0.004, TIBCO LogLogic MX3025 Appliance 0.0.004, TIBCO LogLogic MX4025 Appliance 0.0.004, TIBCO LogLogic ST1025 Appliance 0.0.004, TIBCO LogLogic ST2025-SAN Appliance 0.0.004, and TIBCO LogLogic ST4025 Appliance 0.0.004 using TIBCO LogLogic Log Management Intelligence versions 6.2.1 and below. TIBCO LogLogic LX1035 Appliance 0.0.005, TIBCO LogLogic LX1025R1 Appliance 0.0.004, TIBCO LogLogic LX1025R2 Appliance 0.0.004, TIBCO LogLogic LX4025R1 Appliance 0.0.004, TIBCO LogLogic LX4025R2 Appliance 0.0.004, TIBCO LogLogic LX4035 Appliance 0.0.005, TIBCO LogLogic ST2025-SANR1 Appliance 0.0.004, TIBCO LogLogic ST2025-SANR2 Appliance 0.0.004, TIBCO LogLogic ST2035-SAN Appliance 0.0.005, TIBCO LogLogic ST4025R1 Appliance 0.0.004, TIBCO LogLogic ST4025R2 Appliance 0.0.004, and TIBCO LogLogic ST4035 Appliance 0.0.005 using TIBCO LogLogic Log Management Intelligence versions 6.2.1 and below. The vulnerability stems from the lack of correct validation of client data in WEB applications. An attacker could exploit this vulnerability to execute client code

Trust: 1.71

sources: NVD: CVE-2019-11207 // JVNDB: JVNDB-2019-008024 // VULHUB: VHN-142830

AFFECTED PRODUCTS

vendor:	tibco	model:	loglogic enterprise virtual appliance	scope:	lte	version:	6.2.1	Trust: 1.8
vendor:	tibco	model:	loglogic lx1025	scope:	eq	version:	0.0.004	Trust: 1.8
vendor:	tibco	model:	loglogic lx4025	scope:	eq	version:	0.0.004	Trust: 1.8
vendor:	tibco	model:	loglogic lx825	scope:	eq	version:	0.0.004	Trust: 1.8
vendor:	tibco	model:	loglogic mx3025	scope:	eq	version:	0.0.004	Trust: 1.8
vendor:	tibco	model:	loglogic mx4025	scope:	eq	version:	0.0.004	Trust: 1.8
vendor:	tibco	model:	loglogic st1025	scope:	eq	version:	0.0.004	Trust: 1.8
vendor:	tibco	model:	loglogic st2025-san	scope:	eq	version:	0.0.004	Trust: 1.8
vendor:	tibco	model:	loglogic st4025	scope:	eq	version:	0.0.004	Trust: 1.8
vendor:	tibco	model:	loglogic lx1025r2	scope:	eq	version:	0.0.004	Trust: 1.0
vendor:	tibco	model:	loglogic st2035-san	scope:	eq	version:	0.0.005	Trust: 1.0
vendor:	tibco	model:	loglogic st4035	scope:	eq	version:	0.0.005	Trust: 1.0
vendor:	tibco	model:	loglogic lx4025r1	scope:	eq	version:	0.0.004	Trust: 1.0
vendor:	tibco	model:	loglogic lx1025r1	scope:	eq	version:	0.0.004	Trust: 1.0
vendor:	tibco	model:	loglogic lx4025r2	scope:	eq	version:	0.0.004	Trust: 1.0
vendor:	tibco	model:	loglogic lx1035	scope:	eq	version:	0.0.005	Trust: 1.0
vendor:	tibco	model:	loglogic st4025r2	scope:	eq	version:	0.0.004	Trust: 1.0
vendor:	tibco	model:	loglogic st4025r1	scope:	eq	version:	0.0.004	Trust: 1.0
vendor:	tibco	model:	loglogic st2025-sanr1	scope:	eq	version:	0.0.004	Trust: 1.0
vendor:	tibco	model:	loglogic log management intelligence	scope:	lte	version:	6.2.1	Trust: 1.0
vendor:	tibco	model:	loglogic lx4035	scope:	eq	version:	0.0.005	Trust: 1.0
vendor:	tibco	model:	loglogic st2025-sanr2	scope:	eq	version:	0.0.004	Trust: 1.0
vendor:	tibco	model:	loglogic log management intelligence	scope:	eq	version:	6.2.1	Trust: 0.8

sources: JVNDB: JVNDB-2019-008024 // NVD: CVE-2019-11207

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-11207
value:	HIGH
Trust: 1.0
security@tibco.com:	CVE-2019-11207
value:	HIGH
Trust: 1.0
NVD:	CVE-2019-11207
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201908-916
value:	HIGH
Trust: 0.6
VULHUB:	VHN-142830
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2019-11207
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-142830
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2019-11207
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.0
Trust: 2.8

sources: VULHUB: VHN-142830 // JVNDB: JVNDB-2019-008024 // CNNVD: CNNVD-201908-916 // NVD: CVE-2019-11207 // NVD: CVE-2019-11207

PROBLEMTYPE DATA

problemtype:	CWE-352	Trust: 1.9
problemtype:	CWE-79	Trust: 1.9

sources: VULHUB: VHN-142830 // JVNDB: JVNDB-2019-008024 // NVD: CVE-2019-11207

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201908-916

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201908-916

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-008024

PATCH

title:	Security Advisories	url:	https://www.tibco.com/services/support/advisories	Trust: 0.8
title:	TIBCO Security Advisory: August 13, 2019 - TIBCO LogLogic Log Management Intelligence	url:	https://www.tibco.com/support/advisories/2019/08/tibco-security-advisory-august-13-2019-tibco-loglogic-log-management-intelligence	Trust: 0.8
title:	TIBCO LogLogic Enterprise Virtual Appliance and TIBCO LogLogic Log Management Intelligence Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=96601	Trust: 0.6

sources: JVNDB: JVNDB-2019-008024 // CNNVD: CNNVD-201908-916

EXTERNAL IDS

db:	NVD	id:	CVE-2019-11207	Trust: 2.5
db:	JVNDB	id:	JVNDB-2019-008024	Trust: 0.8
db:	CNNVD	id:	CNNVD-201908-916	Trust: 0.7
db:	VULHUB	id:	VHN-142830	Trust: 0.1

sources: VULHUB: VHN-142830 // JVNDB: JVNDB-2019-008024 // CNNVD: CNNVD-201908-916 // NVD: CVE-2019-11207

REFERENCES

url:	http://www.tibco.com/services/support/advisories	Trust: 1.7
url:	https://www.tibco.com/support/advisories/2019/08/tibco-security-advisory-august-13-2019-tibco-loglogic-log-management-intelligence	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2019-11207	Trust: 1.4
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-11207	Trust: 0.8

sources: VULHUB: VHN-142830 // JVNDB: JVNDB-2019-008024 // CNNVD: CNNVD-201908-916 // NVD: CVE-2019-11207

SOURCES

db:	VULHUB	id:	VHN-142830
db:	JVNDB	id:	JVNDB-2019-008024
db:	CNNVD	id:	CNNVD-201908-916
db:	NVD	id:	CVE-2019-11207

LAST UPDATE DATE

2024-11-23T23:08:16.429000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-142830	date:	2019-10-09T00:00:00
db:	JVNDB	id:	JVNDB-2019-008024	date:	2019-08-23T00:00:00
db:	CNNVD	id:	CNNVD-201908-916	date:	2019-09-04T00:00:00
db:	NVD	id:	CVE-2019-11207	date:	2024-11-21T04:20:43.640

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-142830	date:	2019-08-13T00:00:00
db:	JVNDB	id:	JVNDB-2019-008024	date:	2019-08-23T00:00:00
db:	CNNVD	id:	CNNVD-201908-916	date:	2019-08-13T00:00:00
db:	NVD	id:	CVE-2019-11207	date:	2019-08-13T21:15:11.287