Vulnerability CVE-2014-0824


Published: 2014-05-26

Description:
Cross-site scripting (XSS) vulnerability in IBM Maximo Asset Management 7.x before 7.1.1.8 LAFIX.20140319-0839 and 7.1.1.12 before IFIX.20140321-1336 and Tivoli IT Asset Management for IT, Tivoli Service Request Manager, Maximo Service Desk, and Change and Configuration Management Database (CCMDB) 7.x before 7.1.1.8 LAFIX.20140319-0839 and 7.1.1.12 before IFIX.20140218-1510 allows remote authenticated users to inject arbitrary web script or HTML via an attachment URL.

Type:

CWE-79

(Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))

Vendor: IBM
Product: Change and configuration management database 
Version:
7.1.1.8
7.1.1.7
7.1.1.12
7.1
7.0
Product: maximo service desk 
Version: 7.1.1.8;
Product: Maximo service desk 
Version:
7.1.1.8
7.1.1.7
7.1.1.12
Product: Maximo asset management 
Version:
7.1.1.8
7.1.1.7
7.1.1.6
7.1.1.5
7.1.1.2
7.1.1.12
7.1.1.1
7.1.1
7.1
Product: Tivoli service request manager 
Version:
7.1.1.8
7.1.1.7
7.1.1.12
7.1.1
7.1.0
7.0
Product: Tivoli it asset management for it 
Version:
7.1.1.8
7.1.1.7
7.1.1.12

CVSS2 => (AV:N/AC:M/Au:S/C:N/I:P/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
3.5/10
2.9/10
6.8/10
Exploit range
Attack complexity
Authentication
Remote
Medium
Single time
Confidentiality impact
Integrity impact
Availability impact
None
Partial
None

 References:
http://xforce.iss.net/xforce/xfdb/90500
http://www-01.ibm.com/support/docview.wss?uid=swg21670870
http://www-01.ibm.com/support/docview.wss?uid=swg1IV52829

Related CVE
CVE-2018-1996
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could provide weaker than expected security, caused by the improper TLS configuration. A remote attacker could exploit this vulnerability to obtain sensitive information using man in the middle ...
CVE-2019-4059
IBM Rational ClearCase 1.0.0.0 GIT connector does not sufficiently protect the document database password. An attacker could obtain the password and gain unauthorized access to the document database. IBM X-Force ID: 156583.
CVE-2018-1895
IBM InfoSphere Information Server 11.3, 11.5, and 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials...
CVE-2018-1727
IBM InfoSphere Information Server 9.1, 11.3, 11.5, and 11.7 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory r...
CVE-2018-1701
IBM InfoSphere Information Server 11.7 could allow an authenciated user under specialized conditions to inject commands into the installation process that would execute on the WebSphere Application Server. IBM X-Force ID: 145970.
CVE-2017-1695
IBM QRadar SIEM 7.2 and 7.3 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 134177.
CVE-2019-4008
API Connect V2018.1 through 2018.4.1.1 is impacted by access token leak. Authorization tokens in some URLs can result in the tokens being written to log files. IBM X-Force ID: 155626.
CVE-2018-1666
IBM DataPower Gateway 2018.4.1.0, 7.6.0.0 through 7.6.0.11, 7.5.2.0 through 7.5.2.18, 7.5.1.0 through 7.5.1.18, 7.5.0.0 through 7.5.0.19, and 7.7.0.0 through 7.7.1.3 could allow an authenticated user to inject arbitrary messages that would be display...

Copyright 2019, cxsecurity.com

 

Back to Top