CVE-2018-20663
Description
The CUBA Platform Reports Addon through 6.10.x is vulnerable to persistent XSS via the report name field in the Reports interface.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A persistent cross-site scripting (XSS) vulnerability exists in the Reporting Addon (also called the Reports Addon) for the CUBA Platform through version 6.10.x. The flaw is triggered when an attacker injects malicious JavaScript into the name field of a report via the "Reports > Reports" interface. The injected script is stored with the report and later served to other users who view it, so it runs in the victim's browser within the victim's authenticated session. [1]
Exploitation
An attacker must have authenticated access to the CUBA Platform with sufficient privileges to create or edit reports. The attacker enters a malicious payload in the report name field; no additional user interaction beyond viewing the affected report is required for the payload to execute. [1]
Impact
Successful exploitation allows arbitrary JavaScript execution in the browser of any user who accesses the compromised report. This can lead to session hijacking, information disclosure, and other actions that the victim's session permits. The impact is limited to the browser context and the privileges of the affected user. [1]
Mitigation
The NVD entry and available references do not specify a patched version. The advisory references commits [2], [3] and [4], which change the tab tooltip content mode, but these appear unrelated to the report name input. As of the publication date, users are advised to sanitize report name input or restrict report creation to trusted users until an official fix is released by the vendor. [1][2][3][4]
- [1] NVD - CVE-2018-20663
- [2] Use ContentMode.TEXT for the TabSheet tab description tooltips #1741 · cuba-platform/cuba@be6aa41
- [3] Use ContentMode.TEXT for the TabSheet tab description tooltips #1741 · cuba-platform/cuba@e9f972b
- [4] Use ContentMode.TEXT for the TabSheet tab description tooltips #1741 · cuba-platform/cuba@ec8784d
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
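The two defensive moves the Mitigation paragraph above points at, rendering a stored report name as text rather than markup (the same idea as the ContentMode.TEXT change in the linked commits) and auditing names that are already stored, written here as an added Python illustration; this is not CUBA or Vaadin code, and the sample rows, the markup regex and the allowlist policy are constructed assumptions.

```python
import html
import re

# Constructed sample rows standing in for a reports table; the third name
# carries an inert script tag so the two render paths can be compared.
# None of this is CUBA or Vaadin code.
SAMPLE_REPORTS = [
    {"id": 1, "name": "Monthly sales"},
    {"id": 2, "name": "Invoices <b>Q4</b>"},
    {"id": 3, "name": "Orders <script>probe()</script>"},
]

# Characters that can open a tag or an entity: exactly what a TEXT content
# mode escapes instead of handing to the browser as markup.
MARKUP_RE = re.compile(r"[<>]|&#|&[a-z]+;", re.IGNORECASE)

# Assumed allowlist for new names: word characters, whitespace and a little
# punctuation; widen it to match the deployment's naming conventions.
ALLOWED_NAME_RE = re.compile(r"^[\w\s.,:()/\-]{1,255}$")


def render_as_html(name: str) -> str:
    """Vulnerable path: the stored name is interpolated as markup, so a
    name containing a script tag becomes live script in the viewer's page."""
    return f'<span class="report-name">{name}</span>'


def render_as_text(name: str) -> str:
    """Hardened path: the name is escaped before interpolation, so the
    browser shows the characters literally (the ContentMode.TEXT idea)."""
    return f'<span class="report-name">{html.escape(name, quote=True)}</span>'


def is_safe_report_name(name: str) -> bool:
    """Input-side check for newly created or edited report names."""
    return bool(ALLOWED_NAME_RE.match(name)) and not MARKUP_RE.search(name)


def find_markup_names(rows):
    """Post-incident audit: ids of stored names that already contain
    markup and deserve review, in the order they were read."""
    return [row["id"] for row in rows if MARKUP_RE.search(row["name"])]


if __name__ == "__main__":
    for row in SAMPLE_REPORTS:
        print(row["id"], render_as_text(row["name"]))
    print("needs review:", find_markup_names(SAMPLE_REPORTS))
```

Output encoding at render time is the fix that holds regardless of how a name got into the database; the allowlist only stops new bad names from being saved.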
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.haulmont.cuba:cuba-web-toolkit (Maven) | >= 6.10.0, < 6.10.7 | 6.10.7 |
| com.haulmont.cuba:cuba-web-toolkit (Maven) | >= 6.9.0, < 6.9.8 | 6.9.8 |
| com.haulmont.cuba:cuba-web-toolkit (Maven) | < 6.8.15 | 6.8.15 |
Affected products
- Range: 6.10.0, 6.10.0-BETA1, 6.10.0.BETA1, …
Patches
be6aa41ff36a Use ContentMode.TEXT for the TabSheet tab description tooltips #1741
3 files changed · +31 −1
modules/global/src/com/haulmont/cuba/bom.properties+1 −1 modified@@ -89,7 +89,7 @@ org.javassist/javassist = 3.21.0-GA org.hibernate/hibernate-validator = 5.4.2.Final org.glassfish.web/javax.el = 2.2.6 -com.vaadin = 7.7.13.cuba.11 +com.vaadin = 7.7.15.cuba.4 com.vaadin/vaadin-shared = ${com.vaadin} com.vaadin/vaadin-server = ${com.vaadin} com.vaadin/vaadin-client = ${com.vaadin}
modules/web-toolkit/src/com/haulmont/cuba/web/toolkit/ui/client/tabsheet/CubaTabSheetConnector.java+7 −0 modified@@ -17,6 +17,7 @@ package com.haulmont.cuba.web.toolkit.ui.client.tabsheet; +import com.google.gwt.dom.client.Element; import com.google.gwt.event.dom.client.ContextMenuEvent; import com.haulmont.cuba.web.toolkit.ui.CubaTabSheet; import com.haulmont.cuba.web.toolkit.ui.client.action.RemoteAction; @@ -103,4 +104,10 @@ public void onStateChanged(StateChangeEvent stateChangeEvent) { getWidget().assignAdditionalCellStyles(); } + + @Override + protected Object findTabCaption(Element element) { + return WidgetUtil.findWidget(element, + CubaTabSheetWidget.CubaTabCaption.class); + } } \ No newline at end of file
modules/web-toolkit/src/com/haulmont/cuba/web/toolkit/ui/client/tabsheet/CubaTabSheetWidget.java+23 −0 modified@@ -31,10 +31,12 @@ import com.google.gwt.user.client.ui.Widget; import com.haulmont.cuba.web.toolkit.ui.client.appui.ValidationErrorHolder; import com.vaadin.client.ComputedStyle; +import com.vaadin.client.TooltipInfo; import com.vaadin.client.WidgetUtil; import com.vaadin.client.ui.VTabsheet; import com.vaadin.client.ui.dd.VDragAndDropManager; import com.vaadin.client.ui.dd.VDragEvent; +import com.vaadin.shared.ui.label.ContentMode; import com.vaadin.shared.ui.tabsheet.TabState; import fi.jasoft.dragdroplayouts.client.ui.tabsheet.VDDTabSheet; @@ -183,6 +185,27 @@ public void onClose() { super.onClose(); } + + @Override + protected TabCaption createTabCaption() { + return new CubaTabCaption(this); + } + } + + public static class CubaTabCaption extends TabCaption { + + public CubaTabCaption(Tab tab) { + super(tab); + } + + @Override + protected TooltipInfo createTooltipInfo(TabState tabState) { + TooltipInfo tooltipInfo = new TooltipInfo(tabState.description, + tabState.componentError, this, + tabState.componentErrorLevel); + tooltipInfo.setContentMode(ContentMode.TEXT); + return tooltipInfo; + } } @Override
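Review bot: the bom.properties bump of com.vaadin from 7.7.13.cuba.11 to 7.7.15.cuba.4 is part of the fix, not housekeeping: the two Java hunks override createTooltipInfo(TabState) and findTabCaption(Element) with @Override and call TooltipInfo.setContentMode, so the base classes in the bumped fork must expose those hooks. The commit message should say so, because a downstream build that pins com.vaadin separately will compile against the old fork and lose the change. It should also state plainly that the commit changes tab tooltip rendering only and touches nothing in the report name input path described by the CVE text.

Review bot: in the CubaTabSheetConnector hunk, findTabCaption(Element) is declared to return Object although it always returns WidgetUtil.findWidget(element, CubaTabSheetWidget.CubaTabCaption.class); if the superclass signature allows a covariant return, narrowing it to the caption type lets the compiler catch a mismatch between this connector and CubaTabCaption. The file also still ends with "\ No newline at end of file"; add the trailing newline.

Review bot: in the CubaTabSheetWidget hunk, CubaTabCaption.createTooltipInfo carries no comment explaining why ContentMode.TEXT is forced; add a one-line comment naming #1741 and stating that tabState.description is untrusted and must not be rendered as HTML, so a later refactor cannot silently drop the setContentMode call. Note what the hunk does not cover: only the tooltip built from tabState.description is switched to TEXT, while the caption text itself and any other place the description is rendered are unchanged here and need separate confirmation. A client-side test asserting the content mode of the returned TooltipInfo would pin the behaviour.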
e9f972beeae4 Use ContentMode.TEXT for the TabSheet tab description tooltips #1741
3 files changed · +31 −1
modules/global/src/com/haulmont/cuba/bom.properties+1 −1 modified@@ -93,7 +93,7 @@ org.javassist/javassist = 3.21.0-GA org.hibernate/hibernate-validator = 5.4.2.Final org.glassfish.web/javax.el = 2.2.6 -com.vaadin = 7.7.14.cuba.2 +com.vaadin = 7.7.15.cuba.4 com.vaadin/vaadin-shared = ${com.vaadin} com.vaadin/vaadin-server = ${com.vaadin} com.vaadin/vaadin-client = ${com.vaadin}
modules/web-toolkit/src/com/haulmont/cuba/web/toolkit/ui/client/tabsheet/CubaTabSheetConnector.java+7 −0 modified@@ -17,6 +17,7 @@ package com.haulmont.cuba.web.toolkit.ui.client.tabsheet; +import com.google.gwt.dom.client.Element; import com.google.gwt.event.dom.client.ContextMenuEvent; import com.haulmont.cuba.web.toolkit.ui.CubaTabSheet; import com.haulmont.cuba.web.toolkit.ui.client.action.RemoteAction; @@ -103,4 +104,10 @@ public void onStateChanged(StateChangeEvent stateChangeEvent) { getWidget().assignAdditionalCellStyles(); } + + @Override + protected Object findTabCaption(Element element) { + return WidgetUtil.findWidget(element, + CubaTabSheetWidget.CubaTabCaption.class); + } } \ No newline at end of file
modules/web-toolkit/src/com/haulmont/cuba/web/toolkit/ui/client/tabsheet/CubaTabSheetWidget.java+23 −0 modified@@ -31,10 +31,12 @@ import com.google.gwt.user.client.ui.Widget; import com.haulmont.cuba.web.toolkit.ui.client.appui.ValidationErrorHolder; import com.vaadin.client.ComputedStyle; +import com.vaadin.client.TooltipInfo; import com.vaadin.client.WidgetUtil; import com.vaadin.client.ui.VTabsheet; import com.vaadin.client.ui.dd.VDragAndDropManager; import com.vaadin.client.ui.dd.VDragEvent; +import com.vaadin.shared.ui.label.ContentMode; import com.vaadin.shared.ui.tabsheet.TabState; import fi.jasoft.dragdroplayouts.client.ui.tabsheet.VDDTabSheet; @@ -183,6 +185,27 @@ public void onClose() { super.onClose(); } + + @Override + protected TabCaption createTabCaption() { + return new CubaTabCaption(this); + } + } + + public static class CubaTabCaption extends TabCaption { + + public CubaTabCaption(Tab tab) { + super(tab); + } + + @Override + protected TooltipInfo createTooltipInfo(TabState tabState) { + TooltipInfo tooltipInfo = new TooltipInfo(tabState.description, + tabState.componentError, this, + tabState.componentErrorLevel); + tooltipInfo.setContentMode(ContentMode.TEXT); + return tooltipInfo; + } } @Override
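Review bot: the only difference from be6aa41 is the starting com.vaadin version in bom.properties (7.7.14.cuba.2 here, bumped to the same 7.7.15.cuba.4); the Java hunks are identical, so the same points apply: document in the message that the dependency bump is required by the new overrides, add a rationale comment on the ContentMode.TEXT call in CubaTabCaption.createTooltipInfo, and add the missing trailing newline in CubaTabSheetConnector.java.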
ec8784d8f596 Use ContentMode.TEXT for the TabSheet tab description tooltips #1741
3 files changed · +31 −1
modules/global/src/com/haulmont/cuba/bom.properties+1 −1 modified@@ -93,7 +93,7 @@ org.javassist/javassist = 3.23.1-GA org.hibernate/hibernate-validator = 5.4.2.Final org.glassfish.web/javax.el = 2.2.6 -com.vaadin = 7.7.15.cuba.3 +com.vaadin = 7.7.15.cuba.4 com.vaadin/vaadin-shared = ${com.vaadin} com.vaadin/vaadin-server = ${com.vaadin} com.vaadin/vaadin-client = ${com.vaadin}
modules/web-toolkit/src/com/haulmont/cuba/web/toolkit/ui/client/tabsheet/CubaTabSheetConnector.java+7 −0 modified@@ -17,6 +17,7 @@ package com.haulmont.cuba.web.toolkit.ui.client.tabsheet; +import com.google.gwt.dom.client.Element; import com.google.gwt.event.dom.client.ContextMenuEvent; import com.haulmont.cuba.web.toolkit.ui.CubaTabSheet; import com.haulmont.cuba.web.toolkit.ui.client.action.RemoteAction; @@ -103,4 +104,10 @@ public void onStateChanged(StateChangeEvent stateChangeEvent) { getWidget().assignAdditionalCellStyles(); } + + @Override + protected Object findTabCaption(Element element) { + return WidgetUtil.findWidget(element, + CubaTabSheetWidget.CubaTabCaption.class); + } } \ No newline at end of file
modules/web-toolkit/src/com/haulmont/cuba/web/toolkit/ui/client/tabsheet/CubaTabSheetWidget.java+23 −0 modified@@ -31,10 +31,12 @@ import com.google.gwt.user.client.ui.Widget; import com.haulmont.cuba.web.toolkit.ui.client.appui.ValidationErrorHolder; import com.vaadin.client.ComputedStyle; +import com.vaadin.client.TooltipInfo; import com.vaadin.client.WidgetUtil; import com.vaadin.client.ui.VTabsheet; import com.vaadin.client.ui.dd.VDragAndDropManager; import com.vaadin.client.ui.dd.VDragEvent; +import com.vaadin.shared.ui.label.ContentMode; import com.vaadin.shared.ui.tabsheet.TabState; import fi.jasoft.dragdroplayouts.client.ui.tabsheet.VDDTabSheet; @@ -183,6 +185,27 @@ public void onClose() { super.onClose(); } + + @Override + protected TabCaption createTabCaption() { + return new CubaTabCaption(this); + } + } + + public static class CubaTabCaption extends TabCaption { + + public CubaTabCaption(Tab tab) { + super(tab); + } + + @Override + protected TooltipInfo createTooltipInfo(TabState tabState) { + TooltipInfo tooltipInfo = new TooltipInfo(tabState.description, + tabState.componentError, this, + tabState.componentErrorLevel); + tooltipInfo.setContentMode(ContentMode.TEXT); + return tooltipInfo; + } } @Override
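Review bot: this branch starts from com.vaadin 7.7.15.cuba.3, so the bump to 7.7.15.cuba.4 is a patch-level step, and the org.javassist line in context reads 3.23.1-GA rather than the 3.21.0-GA of the other two branches, which confirms these are three branch-specific cherry-picks of one change; the Java hunks are identical to be6aa41 and the same review points apply (rationale comment on the ContentMode.TEXT call, trailing newline in CubaTabSheetConnector.java, and a note in the message that the bump is required by the overrides).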
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-rff7-964g-pppx (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-20663 (ghsa, ADVISORY)
- github.com/cuba-platform/cuba/commit/be6aa41ff36a365e2a995d37861e5acfcd32c2c5 (ghsa, WEB)
- github.com/cuba-platform/cuba/commit/e9f972beeae42dc6dbc3aaa6b6ecc9814c0eedb4 (ghsa, WEB)
- github.com/cuba-platform/cuba/commit/ec8784d8f596aa570604f4e5d5d4a7c3ae264c62 (ghsa, WEB)
- github.com/cuba-platform/cuba/issues/1741 (ghsa, WEB)
- github.com/cuba-platform/reports/issues/140 (ghsa, x_refsource_MISC, WEB)
News mentions
No linked articles in our index yet.