Security Bulletin: IBM Cloud Pak for Security is vulnerable to cross-site scripting (CVE-2020-4820)

2021-01-2617:28:41

www.ibm.com

0.001 Low

EPSS

Percentile

29.7%

JSON

Summary

IBM Cloud Pak for Security (CP4S) version 1.4.0.0 and earlier is vulnerable to cross-site scripting, potentially leading to a disclosure of credentials within a trusted session. The issue has been addressed in an update.

Vulnerability Details

CVEID:CVE-2020-4820
**DESCRIPTION:**IBM Cloud Pak for Security (CP4S) is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/189783 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

Affected Product(s)	Version(s)
Cloud Pak for Security (CP4S)	1.4.0.0

Remediation/Fixes

Upgrade to CP4S 1.5.0.0 or greater at <https://cloud.ibm.com/catalog/content/ibm-cp-security-b25bd169-0fbd-4cf3-a8ea-0067316158a4-global> or following <https://www.ibm.com/support/knowledgecenter/en/SSTDPP_1.5.0/platform/docs/security-pak/upgrading.html>

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm cloud pak for securityeq1.4.0.0
ibm cloud pak for securityeq1.5.0.0

CPE	Name	Operator	Version
	ibm cloud pak for security	eq	1.4.0.0
	ibm cloud pak for security	eq	1.5.0.0

0.001 Low

EPSS

Percentile

29.7%

JSON

Related for 0880297E072130B6811A844A58C5E9CC6E7130B86CF87278C39D4060AEFFDE4F