Vulnerability CVE-2016-8952


Published: 2017-07-13   Modified: 2017-07-19

Description:
IBM Emptoris Strategic Supply Management Platform 10.0.0.x through 10.1.1.x is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 118839.

Vendor: IBM
Product: Emptoris strategic supply management 
Version:
10.1.1.9
10.1.1.8
10.1.1.7
10.1.1.6
10.1.1.5
10.1.1.4
10.1.1.3
10.1.1.2
10.1.1.10
10.1.1.1
10.1.1.0
10.1.0.9
10.1.0.8
10.1.0.7
10.1.0.6
10.1.0.5
10.1.0.4
10.1.0.3
10.1.0.2
10.1.0.12
10.1.0.11
10.1.0.10
10.1.0.1
10.1.0.0
10.0.4.0
10.0.2.9
10.0.2.8
10.0.2.7
10.0.2.6
10.0.2.5
10.0.2.4
10.0.2.3
10.0.2.2
10.0.2.17
10.0.2.16
10.0.2.15
10.0.2.14
10.0.2.13
10.0.2.12
10.0.2.11
10.0.2.10
10.0.2.1
10.0.2.0
10.0.1.4
10.0.1.3
10.0.1.2
10.0.1.1
10.0.1.0
10.0.0.3
10.0.0.2
10.0.0.1
10.0.0.0

CVSS2 => (AV:N/AC:M/Au:S/C:N/I:P/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
3.5/10
2.9/10
6.8/10
Exploit range
Attack complexity
Authentication
Remote
Medium
Single time
Confidentiality impact
Integrity impact
Availability impact
None
Partial
None

 References:
http://www.ibm.com/support/docview.wss?uid=swg22005839
http://www.securityfocus.com/bid/99589
https://exchange.xforce.ibmcloud.com/vulnerabilities/118839

Related CVE
CVE-2017-1554
IBM Infosphere BigInsights 4.2.0 and 4.2.5 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's clic...
CVE-2017-1552
IBM Infosphere BigInsights 4.2.0 and 4.2.5 is vulnerable to link injection. By persuading a victim to click on a specially-crafted URL link, a remote attacker could exploit this vulnerability to conduct various attacks against the vulnerable system, ...
CVE-2017-1340
IBM Jazz Reporting Service (JRS) 6.0.4 could allow an authenticated user to obtain information on another server that the current report builder interacts with. IBM X-Force ID: 126455.
CVE-2017-1333
IBM OpenPages GRC Platform 7.1, 7.2, and 7.3 could allow an unauthenticated user to obtain sensitive information about the server that could be used in future attacks against the system. IBM X-Force ID: 126241.
CVE-2017-1148
IBM OpenPages GRC Platform 7.2 and 7.3 with OpenPages Loss Event Entry (LEE) application could allow a user to obtain sensitive information including private APIs that could be used in further attacks against the system. IBM X-Force ID: 122201.
CVE-2016-3048
IBM OpenPages GRC Platform 7.1, 7.2, and 7.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosur...
CVE-2017-15535
MongoDB 3.4.x before 3.4.10, and 3.5.x-development, has a disabled-by-default configuration setting, networkMessageCompressors (aka wire protocol compression), which exposes a vulnerability when enabled that could be exploited by a malicious attacker...
CVE-2017-1232
IBM Tivoli Endpoint Manager (IBM BigFix Platform 9.2 and 9.5) transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. IBM X-Force ID: 123911.

Copyright 2017, cxsecurity.com

 

Back to Top