BID:105861

TIBCO FTL Realm Server CVE-2018-12412 Cross Site Request Forgery Vulnerability

CVE-2018-12412 |

Info

TIBCO FTL Realm Server CVE-2018-12412 Cross Site Request Forgery Vulnerability

Bugtraq ID:	105861
Class:	Input Validation Error
CVE:	CVE-2018-12412
Remote:	Yes
Local:	No
Published:	Nov 06 2018 12:00AM
Updated:	Nov 06 2018 12:00AM
Credit:	The vendor reported this issue.
Vulnerable:	TIBCO FTL - Enterprise Edition 5.4 TIBCO FTL - Enterprise Edition 5.3.1 TIBCO FTL - Enterprise Edition 5.3 TIBCO FTL - Enterprise Edition 5.2 TIBCO FTL - Enterprise Edition 5.1 TIBCO FTL - Enterprise Edition 5.0 TIBCO FTL - Developer Edition 5.4 TIBCO FTL - Developer Edition 5.3.1 TIBCO FTL - Developer Edition 5.3 TIBCO FTL - Developer Edition 5.2 TIBCO FTL - Developer Edition 5.1 TIBCO FTL - Developer Edition 5.0 TIBCO FTL - Community Edition 5.2 TIBCO FTL - Community Edition 5.1 TIBCO FTL - Community Edition 5.0 TIBCO FTL - Community Edition 5.4.0 TIBCO FTL - Community Edition 5.3.1 TIBCO FTL - Community Edition 5.3.0

Not Vulnerable:	TIBCO FTL - Enterprise Edition 5.4.1 TIBCO FTL - Developer Edition 5.4.1 TIBCO FTL - Community Edition 5.4.1

Discussion

TIBCO FTL Realm Server CVE-2018-12412 Cross Site Request Forgery Vulnerability

TIBCO FTL is prone to a cross-site request-forgery vulnerability because the application fails to properly validate HTTP requests.

Exploiting this issue may allow a remote attacker to perform certain unauthorized actions and gain access to the affected application. Other attacks are also possible.

The following versions are vulnerable:

TIBCO FTL - Community Edition versions 5.4.0 and prior
TIBCO FTL - Developer Edition versions 5.4.0 and prior
TIBCO FTL - Enterprise Edition versions 5.4.0 and prior

Exploit / POC

TIBCO FTL Realm Server CVE-2018-12412 Cross Site Request Forgery Vulnerability

An attacker can exploit this issue by enticing an unsuspecting user to follow a malicious URI.

Solution / Fix

TIBCO FTL Realm Server CVE-2018-12412 Cross Site Request Forgery Vulnerability

Solution:
Vendor updates are available. Please see the references for more information.

References

TIBCO FTL Realm Server CVE-2018-12412 Cross Site Request Forgery Vulnerability

References:

TIBCO Homepage (TIBCO)
TIBCO Security Advisory: November 6, 2018 - TIBCO FTL (TIBCO)