Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM12389B125B8EA224F0AFE02F42609D024AA2ED38F652930C17331BAB5FE126D9
HistoryDec 08, 2020 - 9:03 p.m.

Security Bulletin: IBM InfoSphere Information Server is affected by an unescaped string injection in Dojo Toolkit

2020-12-0821:03:43
www.ibm.com
7

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.005 Low

EPSS

Percentile

76.9%

JSON

Summary

An unescaped string injection vulnerability in Dojo Toolkit that is used by IBM InfoSphere Information Server was addressed.

Vulnerability Details

CVEID: CVE-2018-15494 DESCRIPTION: Dojo Toolkit is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the DataGrid component. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials. CVSS Base Score: 6.1
CVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/148556&gt;_ for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

The following product, running on all supported platforms, is affected:
IBM InfoSphere Information Server : versions 11.3, 11.5, 11.7
IBM InfoSphere Information Server on Cloud : versions 11.5, 11.7

Remediation/Fixes

Product

| VRMF | APAR | Remediation/First Fix
β€”|β€”|β€”|β€”
InfoSphere Information Server, Information Server on Cloud | 11.7 | JR61706 | --Apply InfoSphere Information Server version 11.7.1.0
--Apply InfoSphere Information Server 11.7.1.0 Fix Pack 1
--For InfoSphere DataStage
11.7.1.0 11.7.1.1 & 11.7.1.2: Apply InfoSphere DataStage Security patch
InfoSphere Information Server, Information Server on Cloud | 11.5 | JR61706 | --Apply InfoSphere Information Server version 11.5.0.2
--Apply InfoSphere Information Server 11.5.0.2 Service Pack 6
--Apply InfoSphere Information Server Framework Security patch --Apply InfoSphere Metadata Asset Manager Security patch--Apply InfoSphere DataStage Security patch

InfoSphere Information Server | 11.3 | JR61706 | --Upgrade to a new release where the issue has been addressed

Contact Technical Support:

In the United States and Canada dial 1-800-IBM-SERV
View the support contacts for other countries outside of the United States.
Electronically open a Service Request with Information Server Technical Support.

Workarounds and Mitigations

None

Related

ibm 30
openvas 1
cvelist 1
redhatcve 1
ubuntucve 1
osv 3
zdt 1
nessus 1
github 1
packetstorm 1
veracode 1
cve 1
debiancve 1
debian 1
prion 1
nvd 1
ibm
ibm
Security Bulletin: Financial Transaction Manager for Corporate Payment Services is affected by a potential cross-site scripting (XSS) vulnerability (CVE-2018-15494)
2019-10-28 16:30:15
Security Bulletin: IBM Content Navigator is affected by a vulnerability in Dojo Toolkit (CVE-2018-15494)
2019-01-04 23:10:01
Security Bulletin: Financial Transaction Manager for ACH Services is affected by a potential cross-site scripting (XSS) vulnerability (CVE-2018-15494)
2019-09-12 13:42:25
openvas
openvas
Debian: Security Advisory (DLA-1492-1)
2018-09-03 00:00:00
cvelist
cvelist
CVE-2018-15494
2018-08-18 02:00:00
redhatcve
redhatcve
CVE-2018-15494
2018-08-23 05:54:01
ubuntucve
ubuntucve
CVE-2018-15494
2018-08-18 00:00:00
osv
osv
dojox vulnerable to unescaped string injection
2018-10-15 22:03:48
dojo - security update
2018-09-03 00:00:00
CVE-2018-15494
2018-08-18 02:29:01
zdt
zdt
Dojo Toolkit 1.13 Cross Site Scripting Vulnerability
2018-08-28 00:00:00
nessus
nessus
Debian DLA-1492-1 : dojo security update
2018-09-04 00:00:00
github
github
dojox vulnerable to unescaped string injection
2018-10-15 22:03:48
packetstorm
packetstorm
Dojo Toolkit 1.13 Cross Site Scripting
2018-08-27 00:00:00
veracode
veracode
Cross-Site Scripting (XSS)
2018-08-20 07:17:16
cve
cve
CVE-2018-15494
2018-08-18 02:29:01
debiancve
debiancve
CVE-2018-15494
2018-08-18 02:29:01
debian
debian
[SECURITY] [DLA 1492-1] dojo security update
2018-09-03 08:06:30
prion
prion
Sql injection
2018-08-18 02:29:00
nvd
nvd
CVE-2018-15494
2018-08-18 02:29:01

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.005 Low

EPSS

Percentile

76.9%

JSON
Related for 12389B125B8EA224F0AFE02F42609D024AA2ED38F652930C17331BAB5FE126D9
ibm30openvas1cvelist1redhatcve1ubuntucve1osv3zdt1nessus1github1packetstorm1veracode1cve1debiancve1debian1prion1nvd1