Security Bulletin: Vulnerability in Open Source Dojo ToolKit affects IBM Social Media Analytics (CVE-2015-5654)

2018-06-15 22:44:20
www.ibm.com
EPSS: 0.003 (Low)
EPSS Percentile: 65.5%

Summary

A Dojo ToolKit vulnerability affecting versions of Dojo prior to 1.2 was addressed by IBM Social Media Analytics. An upgrade to Dojo 1.8 was performed.

Vulnerability Details

CVEID: CVE-2015-5654
DESCRIPTION: Dojo Toolkit is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability in a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107041 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

IBM Social Media Analytics 1.3

Remediation/Fixes

The recommended solution is to apply the following interim fix:

IBM Social Media Analytics 1.3.0 IF17

For users of IBM Social Media Analytics 1.2, IBM recommends upgrading to IBM Social Media Analytics 1.3.

Workarounds and Mitigations

None known. Apply fixes.

CPE
Name | Operator | Version
social media analytics | eq | 1.3
