TIBCO Spotfire Web Player vulnerabilities

   Original release date: March 13, 2013
   Last revised: --
   Source: TIBCO Software Inc.


Systems Affected

   TIBCO Spotfire Web Player below 3.3.3
   TIBCO Spotfire Web Player version 4.0.X below 4.0.3
   TIBCO Spotfire Web Player version 4.5.0
   TIBCO Spotfire Web Player version 5.0.0

   The following components are affected:

     * TIBCO Spotfire Web Player Engine


Description

   The TIBCO Spotfire Web Player components listed above contain critical
   vulnerabilities in the handling of HTTP requests:

   CVE-2013-2372 - A cross-site scripting vulnerability exists which 
   may allow an attacker to view or modify information.

   CVE-2013-2373 - Access controls will not be properly enforced in some
   circumstances.  This may allow unauthorized users to access or modify
   information.

   TIBCO has released updated versions of the affected software products
   which address these issues.  TIBCO strongly recommends sites running the 
   affected components install the applicable update as described below.


Impact

   The impact of these vulnerabilities may include information disclosure
   and information modification.


Solution

   For each affected system, update to the corresponding software versions:

   TIBCO Spotfire Web Player version 3.3.X: update to version 3.3.3 or higher
   TIBCO Spotfire Web Player version 4.0.X: update to version 4.0.3 or higher
   TIBCO Spotfire Web Player version 4.5.X: update to version 4.5.1 or higher
   TIBCO Spotfire Web Player version 5.0.0: update to version 5.0.1 or higher
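   As an added check, not part of TIBCO's advisory: a small Python script that
   encodes the affected ranges and fixed versions stated above, so an inventory
   of installed Web Player versions can be triaged against them. The host names
   and versions in the sample inventory are constructed, not real systems.

```python
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# First fixed release per affected branch, as stated in the advisory's Solution.
FIXED_IN: Dict[Tuple[int, int], Version] = {
    (3, 3): (3, 3, 3),
    (4, 0): (4, 0, 3),
    (4, 5): (4, 5, 1),
    (5, 0): (5, 0, 1),
}

def parse_version(text: str) -> Version:
    """Parse 'major.minor[.patch]' into a comparable tuple; missing parts are 0."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError("unrecognised version string: %r" % text)
    nums = tuple(int(p) for p in parts) + (0, 0, 0)
    return nums[:3]

def fixed_version(version: str) -> Optional[Version]:
    """Return the first fixed release the advisory names for this version,
    or None when the version is not in an affected range."""
    v = parse_version(version)
    if v < (3, 3, 3):
        # Everything below 3.3.3 is listed as affected; 3.3.3 is the stated fix.
        return FIXED_IN[(3, 3)]
    fixed = FIXED_IN.get(v[:2])
    if fixed is not None and v < fixed:
        return fixed
    return None  # already fixed, or a branch the advisory does not list (e.g. 4.1.x)

def is_affected(version: str) -> bool:
    return fixed_version(version) is not None

def triage(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Map {host: installed version} to (host, installed, required) for every
    host that still needs the update."""
    todo = []
    for host, installed in sorted(inventory.items()):
        fixed = fixed_version(installed)
        if fixed is not None:
            todo.append((host, installed, ".".join(map(str, fixed))))
    return todo

# Constructed sample inventory (hypothetical hosts, not from the advisory).
SAMPLE_INVENTORY = {"webplayer-a": "3.3.2", "webplayer-b": "4.0.3",
                    "webplayer-c": "4.5.0", "webplayer-d": "5.0.0",
                    "webplayer-e": "4.1.2"}

if __name__ == "__main__":
    for host, installed, required in triage(SAMPLE_INVENTORY):
        print("%s: %s -> update to %s or higher" % (host, installed, required))
```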


References

   http://www.tibco.com/mk/advisory.jsp
   CVE: CVE-2013-2372, CVE-2013-2373