{"api_version":"1","generated_at":"2026-04-23T00:59:14+00:00","cve":"CVE-2017-7463","urls":{"html":"https://cve.report/CVE-2017-7463","api":"https://cve.report/api/cve/CVE-2017-7463.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2017-7463","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2017-7463"},"summary":{"title":"CVE-2017-7463","description":"JBoss BRMS 6 and BPM Suite 6 before 6.4.3 are vulnerable to a reflected XSS via artifact upload. A malformed XML file, if uploaded, causes an error message to appear that includes part of the bad XML code verbatim without filtering out scripts. Successful exploitation would allow execution of script code within the context of the affected user.","state":"PUBLIC","assigner":"secalert@redhat.com","published_at":"2018-07-27 18:29:00","updated_at":"2019-10-09 23:29:00"},"problem_types":["CWE-79"],"metrics":[],"references":[{"url":"https://access.redhat.com/errata/RHSA-2017:1218","name":"RHSA-2017:1218","refsource":"REDHAT","tags":["Broken Link","Vendor Advisory"],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/bid/98385","name":"98385","refsource":"BID","tags":["Third Party Advisory","VDB Entry"],"title":"Red Hat JBoss BRMS and BPM Suite CVE-2017-7463 Cross Site Scripting Vulnerability","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7463","name":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7463","refsource":"CONFIRM","tags":["Issue Tracking","Vendor Advisory"],"title":"1439823 – (CVE-2017-7463) CVE-2017-7463 business-central: Reflected XSS in artifact upload error message","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://access.redhat.com/errata/RHSA-2017:1217","name":"RHSA-2017:1217","refsource":"REDHAT","tags":["Broken Link","Vendor Advisory"],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2017-7463","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-7463","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2017","cve_id":"7463","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"jboss_bpm_suite","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"7463","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"jboss_bpm_suite","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"secalert@redhat.com","ID":"CVE-2017-7463","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"business-central","version":{"version_data":[{"version_value":"6.4.3"}]}}]},"vendor_name":"Red Hat"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"JBoss BRMS 6 and BPM Suite 6 before 6.4.3 are vulnerable to a reflected XSS via artifact upload. A malformed XML file, if uploaded, causes an error message to appear that includes part of the bad XML code verbatim without filtering out scripts. Successful exploitation would allow execution of script code within the context of the affected user."}]},"impact":{"cvss":[[{"vectorString":"6.1/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","version":"3.0"}]]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-79"}]}]},"references":{"reference_data":[{"name":"RHSA-2017:1217","refsource":"REDHAT","url":"https://access.redhat.com/errata/RHSA-2017:1217"},{"name":"RHSA-2017:1218","refsource":"REDHAT","url":"https://access.redhat.com/errata/RHSA-2017:1218"},{"name":"98385","refsource":"BID","url":"http://www.securityfocus.com/bid/98385"},{"name":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7463","refsource":"CONFIRM","url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7463"}]}},"nvd":{"publishedDate":"2018-07-27 18:29:00","lastModifiedDate":"2019-10-09 23:29:00","problem_types":["CWE-79"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":6.1,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":2.7},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":4.3},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":2.9,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:redhat:jboss_bpm_suite:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0.0","versionEndExcluding":"6.4.3","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2017","CveId":"7463","Ordinal":"104268","Title":"CVE-2017-7463","CVE":"CVE-2017-7463","Year":"2017"},"notes":[{"CveYear":"2017","CveId":"7463","Ordinal":"1","NoteData":"JBoss BRMS 6 and BPM Suite 6 before 6.4.3 are vulnerable to a reflected XSS via artifact upload. A malformed XML file, if uploaded, causes an error message to appear that includes part of the bad XML code verbatim without filtering out scripts. Successful exploitation would allow execution of script code within the context of the affected user.","Type":"Description","Title":null},{"CveYear":"2017","CveId":"7463","Ordinal":"2","NoteData":"2018-07-27","Type":"Other","Title":"Published"},{"CveYear":"2017","CveId":"7463","Ordinal":"3","NoteData":"2018-07-28","Type":"Other","Title":"Modified"}]}}}