Security Bulletin: Security vulnerabilities have been identified in BigFix Platform shipped with IBM License Metric Tool.

Published: Jul 24, 2020, 8:16 a.m.
Source: www.ibm.com
EPSS: 0.947 (High), percentile 99.3%

Summary

BigFix Platform is shipped with IBM License Metric Tool. Information about security vulnerabilities affecting BigFix Platform has been published in a security bulletin.

Vulnerability Details

CVEID: CVE-2019-11358
**DESCRIPTION:** jQuery, as used in Drupal core, is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to execute script in a victim’s Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/159633 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2012-5883
**DESCRIPTION:** Bugzilla is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the Flash component infrastructure in YUI script. A remote attacker could exploit this vulnerability using attack vectors related to swfstore.swf to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/80116 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID: CVE-2012-5882
**DESCRIPTION:** The YUI library is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the Flash component infrastructure. A remote attacker could exploit this vulnerability using attack vectors related to uploader.swf to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/80117 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID: CVE-2012-5881
**DESCRIPTION:** The YUI library is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the Flash component infrastructure. A remote attacker could exploit this vulnerability using attack vectors related to charts.swf to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/80118 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID: CVE-2010-4710
**DESCRIPTION:** YUI Library is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the addItem method in the Menu widget. A remote attacker could exploit this vulnerability using a field that is added to a menu to inject malicious script into a Web page, which would be executed in a victim’s Web browser within the security context of the hosting Web site once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/65180 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID: CVE-2010-4207
**DESCRIPTION:** YUI Library is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the charts.swf, uploader.swf and swfstore.swf scripts. A remote attacker could exploit this vulnerability using an unspecified parameter in a specially crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/62769 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID: CVE-2010-4208
**DESCRIPTION:** YUI Library is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the Flash component infrastructure. A remote attacker could exploit this vulnerability using unknown attack vectors related to uploader.swf to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/63085 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID: CVE-2015-6908
**DESCRIPTION:** OpenLDAP is vulnerable to a denial of service, caused by an assertion error in the ber_get_next() function. By sending a specially crafted packet, a remote attacker could exploit this vulnerability to cause the slapd service to crash.
CVSS Base score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/106296 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM License Metric Tool | All |

Remediation/Fixes

Refer to the following security bulletin for vulnerability details and information about the fixes provided by BigFix Platform:

https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0080774

Workarounds and Mitigations

None

| CPE Name | Operator | Version |
|---|---|---|
| ibm license metric tool | eq | 9.2 |