CVE-2021-35499
📋 TL;DR
This stored XSS vulnerability in the TIBCO Nimbus Web Reporting component allows a low-privileged attacker to inject malicious scripts that execute when legitimate users view the affected pages. By luring users to those pages, the attacker can steal their session cookies or perform unauthorized operations in their session. Affected systems are TIBCO Nimbus versions 10.4.0 and below.
💻 Affected Systems
- TIBCO Nimbus
📦 What is this software?
Nimbus by TIBCO
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover, data exfiltration, or ransomware deployment through social engineering of administrators
Likely Case
Session hijacking, credential theft, or unauthorized actions performed by tricked users
If Mitigated
Limited impact with proper input validation, output encoding, and user awareness training
🎯 Exploit Status
Requires authenticated low-privileged user and social engineering of other users
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.4.1 or later
Vendor Advisory: https://www.tibco.com/support/advisories/2021/10/tibco-security-advisory-october-26-2021-tibco-nimbus-2021-35499
Restart Required: Yes
Instructions:
1. Download TIBCO Nimbus 10.4.1 or later from the TIBCO support portal.
2. Back up the current installation.
3. Run the installer with administrative privileges.
4. Restart all Nimbus services.
🔧 Temporary Workarounds
Input Validation Filter
All platforms: implement a web application firewall or proxy filter that blocks script tags and JavaScript in user inputs
Content Security Policy
All platforms: implement strict CSP headers to restrict the sources from which scripts may execute, for example:
Content-Security-Policy: default-src 'self'; script-src 'self'
🧯 If You Can't Patch
- Restrict low-privileged user access to Web Reporting component
- Implement user awareness training about suspicious links and content
🔍 How to Verify
Check if Vulnerable:
Check TIBCO Nimbus version via admin console or installation directory properties
Check Version:
Check %NIMBUS_HOME%\version.txt on Windows or $NIMBUS_HOME/version.txt on Linux
Verify Fix Applied:
Verify that the version is 10.4.1 or later, then test XSS payloads in Web Reporting inputs and confirm they are rendered encoded rather than executed
📡 Detection & Monitoring
Log Indicators:
- Unusual script tags in user inputs
- Multiple failed XSS attempts in web logs
Network Indicators:
- Suspicious JavaScript payloads in HTTP POST requests to reporting endpoints
SIEM Query:
source="web_logs" AND ("<script>" OR "javascript:" OR "onerror=" OR "onload=") AND uri="*/reporting*"
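As an added example, not from the advisory, the query above expressed as a Python filter over constructed sample log lines in a hypothetical format (timestamp, client, method, URI, status, request body). It goes beyond the literal SIEM query by URL-decoding and case-folding before matching, since a percent-encoded `%3Cscript%3E` or upper-case `JAVASCRIPT:` would slip past a plain substring match.

```python
import re
from urllib.parse import unquote_plus

# Indicator strings taken from the SIEM query above.
XSS_MARKERS = ("<script>", "javascript:", "onerror=", "onload=")
REPORTING_PATH = re.compile(r"/reporting", re.IGNORECASE)

# Constructed sample lines in a hypothetical format (not a real Nimbus log):
# timestamp client method uri status request_body
SAMPLE_LOGS = """\
2021-10-26T10:00:01Z 10.0.0.5 POST /nimbus/reporting/save 200 title=Q3+sales&note=all+good
2021-10-26T10:00:07Z 10.0.0.9 POST /nimbus/reporting/save 200 title=x&note=%3Cscript%3Ealert(1)%3C/script%3E
2021-10-26T10:00:12Z 10.0.0.9 POST /nimbus/reporting/save 200 title=x&link=JAVASCRIPT:void(0)
2021-10-26T10:00:20Z 10.0.0.7 POST /nimbus/login 302 user=bob&pw=%3Cscript%3E
2021-10-26T10:00:25Z 10.0.0.8 GET /nimbus/reporting/view?id=42 200 -
""".splitlines()

def normalize(text):
    """URL-decode until stable (catches double encoding), then lower-case."""
    decoded = unquote_plus(text)
    while decoded != text:
        text, decoded = decoded, unquote_plus(decoded)
    return decoded.lower()

def parse(line):
    ts, client, method, uri, status, body = line.split(" ", 5)
    return {"ts": ts, "client": client, "method": method,
            "uri": uri, "status": status, "body": body}

def matched_markers(event):
    """Return the markers found, only for requests to a reporting endpoint."""
    if not REPORTING_PATH.search(normalize(event["uri"])):
        return []
    haystack = normalize(event["uri"]) + " " + normalize(event["body"])
    return [m for m in XSS_MARKERS if m in haystack]

def scan(lines):
    hits = []
    for line in lines:
        event = parse(line)
        markers = matched_markers(event)
        if markers:
            hits.append((event["ts"], event["client"], event["uri"], markers))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(*hit)
```

The login request on line four carries a marker but is outside the reporting path, so it is left out, matching the `uri="*/reporting*"` clause of the query.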
🔗 References
- https://www.tibco.com/services/support/advisories
- https://www.tibco.com/support/advisories/2021/10/tibco-security-advisory-october-26-2021-tibco-nimbus-2021-35499