TIBCO Managed File Transfer Products Cross-Site Scripting and Session Fixation Vulnerabilities
Description
Two vulnerabilities have been reported in multiple TIBCO Managed File Transfer products, which can be exploited by malicious people to conduct cross-site scripting and session fixation attacks.
1) Certain unspecified input is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
2) An error in the handling of sessions can be exploited to hijack another user's session by tricking the user into logging in after following a specially crafted link.
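The two issues above are general web-application defects, so the following is an added illustration of the corresponding defences rather than anything from the advisory or from TIBCO's products. It is a constructed, stand-alone Python model of a session store and a page renderer: the login path regenerates the session identifier at authentication (so a pre-login identifier delivered via a crafted link never becomes an authenticated one), request handling only honours identifiers the server itself issued, and reflected input is HTML-escaped before it is returned. The class and function names, and the "greeting" page, are hypothetical and exist only for this example.

```python
import html
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Session:
    """Constructed server-side session record (hypothetical, not a product API)."""
    sid: str
    user: Optional[str] = None
    data: dict = field(default_factory=dict)


class SessionStore:
    """Minimal in-memory session store used to contrast a fixation-prone login
    with one that rotates the identifier on authentication."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def new_session(self) -> Session:
        # Identifiers are generated server-side from a CSPRNG; clients never choose them.
        sid = secrets.token_urlsafe(32)
        session = Session(sid=sid)
        self._sessions[sid] = session
        return session

    def get(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)

    def resolve_request_session(self, cookie_sid: Optional[str]) -> Session:
        """Map an incoming cookie value to a session. An identifier the server did not
        issue (for example one planted in a link or cookie) is not adopted; the
        request gets a fresh session instead."""
        session = self._sessions.get(cookie_sid) if cookie_sid else None
        return session if session is not None else self.new_session()

    def login_without_rotation(self, sid: str, user: str) -> Session:
        """Fixation-prone pattern: the pre-login identifier is simply upgraded to an
        authenticated one, so anyone who already knows it now has the user's session."""
        session = self._sessions[sid]
        session.user = user
        return session

    def login(self, sid: str, user: str) -> Session:
        """Mitigated pattern: authentication issues a new identifier and invalidates the
        old one, so knowledge of the pre-login identifier is worthless afterwards."""
        old = self._sessions.pop(sid)
        fresh = self.new_session()
        fresh.user = user
        fresh.data = old.data  # carry over any benign pre-login state
        return fresh


def render_greeting_unsafe(name: str) -> str:
    """Reflects a request parameter verbatim into HTML (the class of defect in item 1)."""
    return f"<p>Hello {name}</p>"


def render_greeting(name: str) -> str:
    """Escapes the parameter for an HTML text context before returning it."""
    return f"<p>Hello {html.escape(name, quote=True)}</p>"


def demo() -> dict:
    """Exercise both patterns and return the observations (nothing is printed)."""
    store = SessionStore()

    pre_login = store.new_session()            # identifier known before authentication
    fixed = store.login_without_rotation(pre_login.sid, "alice")
    same_id_after_login = fixed.sid == pre_login.sid

    pre_login2 = store.new_session()
    rotated = store.login(pre_login2.sid, "bob")
    old_id_still_valid = store.get(pre_login2.sid) is not None

    unknown = store.resolve_request_session("id-not-issued-by-server")

    return {
        "vulnerable_keeps_id": same_id_after_login,        # True: fixation possible
        "mitigated_old_id_valid": old_id_still_valid,      # False: old id invalidated
        "mitigated_user": store.get(rotated.sid).user,     # "bob"
        "unknown_id_adopted": unknown.sid == "id-not-issued-by-server",  # False
        "escaped": render_greeting("<b>x</b>"),            # tags neutralised
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In a real deployment the rotation in `login()` is what the application server's session API should do on authentication (for example invalidating the old session and creating a new one), and `resolve_request_session()` reflects the rule that a session cookie value not found in the server-side store is discarded rather than created on demand. Output escaping must be chosen per context; `html.escape` is correct for HTML text and attribute values but not for JavaScript or URL contexts.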
The vulnerabilities are reported in the following products:
* TIBCO Managed File Transfer Internet Server versions 7.1.0 and prior.
* TIBCO Managed File Transfer Command Center versions 7.1.0 and prior.
* TIBCO Slingshot versions 1.8.0 and prior.
Vulnerable Products
Vulnerable Software:
* TIBCO Managed File Transfer Command Center 7.x
* TIBCO Managed File Transfer Internet Server 7.x
* TIBCO Slingshot 1.x
Solution
Update to a fixed version.
* TIBCO Managed File Transfer Internet Server: Update to version 7.1.1.
* TIBCO Managed File Transfer Command Center: Update to version 7.1.1.
* TIBCO Slingshot: Update to version 1.8.1.