{
  "threat_severity" : "Low",
  "public_date" : "2016-09-06T00:00:00Z",
  "bugzilla" : {
    "description" : "bpms: stored XSS in dashbuilder",
    "id" : "1373344",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1373344"
  },
  "cvss" : {
    "cvss_base_score" : "4.0",
    "cvss_scoring_vector" : "AV:N/AC:H/Au:N/C:P/I:P/A:N",
    "status" : "verified"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.2",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-79",
  "details" : [ "Multiple cross-site scripting (XSS) vulnerabilities in the admin pages in dashbuilder in Red Hat JBoss BPM Suite 6.3.2 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.", "JBoss BRMS 6 and BPM Suite 6 are vulnerable to a stored XSS via dashbuilder. Remote, authenticated attackers who have privileges to access dashbuilder (usually admins) can store scripts in several editable fields, which are not properly sanitized before being shown to other users, including other admins." ],
  "acknowledgement" : "This issue was discovered by Jeremy Choi (Red Hat Product Security Team).",
  "affected_release" : [ {
    "product_name" : "Red Hat JBoss BPMS 6.4",
    "release_date" : "2017-02-02T00:00:00Z",
    "advisory" : "RHSA-2017:0249",
    "cpe" : "cpe:/a:redhat:jboss_bpms:6.4"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat BPM Suite 6",
    "fix_state" : "Affected",
    "package_name" : "dashbuilder",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform"
  }, {
    "product_name" : "Red Hat JBoss BRMS 6",
    "fix_state" : "Not affected",
    "package_name" : "dashbuilder",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:6"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2016-7033\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-7033" ],
  "name" : "CVE-2016-7033",
  "csaw" : false
}