Jul 30, 2021 - 5:05 a.m.

Security Bulletin: A vulnerability has been found in IBM Cloud Pak for Applications v4.3 that exposes a cross-site scripting attack due to target blank set in HTML anchor tags

2021-07-30 05:05:03
www.ibm.com
5

EPSS: 0.001 (Low)
Percentile: 19.6%

Summary

A vulnerability has been found in IBM Cloud Pak for Applications v4.3 that exposes it to a cross-site scripting attack because target blank is set in HTML anchor tags.

Vulnerability Details

CVEID: CVE-2021-20365
**DESCRIPTION:** IBM Cloud Pak for Applications is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/195036 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

Affected Product(s) | Version(s)
IBM Cloud Pak for Applications | All

Remediation/Fixes

IBM Cloud Pak for Applications 4.3.1 is updated so that users can no longer embed arbitrary JavaScript code in the Web UI, which altered the intended functionality and potentially led to credentials disclosure within a trusted session. No separate APAR is provided.

Workarounds and Mitigations

None

CPE Name | Operator | Version
ibm cloud pak for applications | eq | any
