TIBCO Collaborative Information Manager and ActiveCatalog contain a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate certain unspecified input before returning it to the user. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

Upgrade TIBCO Collaborative Information Manager to version 8.1.0 or higher and ActiveCatalog to version 1.0.1 or higher, as they have been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

• Security Tracker: 1024942
• CVE ID: 2010-4497 (see also: NVD)
• Secunia Advisory ID: 42791
• Bugtraq ID: 45691
• ISS X-Force ID: 64521
• VUPEN Advisory: ADV-2011-0037
• Vendor Specific News/Changelog Entry: http://www.tibco.com/multimedia/cim_advisory_20110105_tcm8-12765.txt
  http://www.tibco.com/services/support/advisories/cim-advisory_20100105.jsp

• Not Available