Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM2F4BAE09DDC968B54378720622CC42A34228109494DD0EADFC1A7F899DBA0F6A
HistoryMar 27, 2023 - 5:00 p.m.

Security Bulletin: IBM Engineering Workflow Management (EWM) vulnerabilities CVE-2021-41182, CVE-2022-31160, CVE-2021-41184, CVE-2021-41183

2023-03-2717:00:47
www.ibm.com
15

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

5.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

0.004 Low

EPSS

Percentile

72.9%

JSON

Summary

There are vulnerabilities CVE-2021-41182, CVE-2022-31160, CVE-2021-41184, CVE-2021-41183 which affects IBM Engineering Workflow Management (EWM).

Vulnerability Details

CVEID:CVE-2021-41182
**DESCRIPTION:**jQuery jQuery-UI is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the Datepicker widget. A remote attacker could exploit this vulnerability using the altField parameter to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 7.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/212274 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)

CVEID:CVE-2022-31160
**DESCRIPTION:**jQuery UI is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the check-box-radio widget. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/231462 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

CVEID:CVE-2021-41184
**DESCRIPTION:**jQuery jQuery-UI is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the .position() function. A remote attacker could exploit this vulnerability using the of parameter to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 7.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/212277 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)

CVEID:CVE-2021-41183
**DESCRIPTION:**jQuery jQuery-UI is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the Datepicker widget. A remote attacker could exploit this vulnerability using the Text parameter to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 7.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/212276 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
EWM 7.0.2
EWM 7.0.1

Remediation/Fixes

Upgrade to version 7.0.2 iFix020 or later

IBM Engineering Lifecycle Management 7.0.2 iFix020

IBM Engineering Workflow Management 7.0.2 iFix020

Upgrade to version 7.0.1 iFix020 or later

IBM Engineering Lifecycle Management 7.0.1 iFix020

IBM Engineering Workflow Management 7.0.1 iFix020

Workarounds and Mitigations

None

Related

nessus 34
debian 3
osv 16
openvas 22
ibm 36
fedora 9
f5 2
ubuntu 2
drupal 3
checkpoint_advisories 2
redhat 1
veracode 4
redhatcve 4
ubuntucve 4
prion 4
alpinelinux 2
debiancve 4
github 4
huntr 1
cve 4
adobe 1
oracle 9
tenable 1
nessus
nessus
Debian DLA-3230-1 : jqueryui - LTS security update
2022-12-08 00:00:00
Ubuntu 16.04 ESM / 18.04 ESM / 20.04 LTS : jQuery UI vulnerabilities (USN-6419-1)
2023-10-05 00:00:00
JQuery UI < 1.13.0 Multiple XSS
2021-12-31 00:00:00
debian
debian
[SECURITY] [DLA 3230-1] jqueryui security update
2022-12-07 10:30:00
[SECURITY] [DLA-2889-1] drupal7 security update
2022-01-19 20:00:29
[SECURITY] [DLA 3551-1] otrs2 security update
2023-08-31 00:20:25
osv
osv
jqueryui - security update
2022-12-07 00:00:00
jqueryui vulnerabilities
2023-10-05 12:36:27
jqueryui vulnerability
2022-09-09 09:31:52
openvas
openvas
Debian: Security Advisory (DLA-3230-1)
2022-12-08 00:00:00
Fedora: Security Advisory for js-jquery-ui (FEDORA-2021-013ab302be)
2021-12-04 00:00:00
Fedora: Security Advisory for js-jquery-ui (FEDORA-2021-ab38307fc3)
2021-12-04 00:00:00
ibm
ibm
Security Bulletin: Multiple vulnerabilities in jQuery affect IBM Tivoli Netcool Impact
2023-12-01 10:35:31
Security Bulletin: IBM Security QRadar SOAR is using a component vulnerable to Cross Site Scripting (CVE-2021-41182, CVE-2021-41183, CVE-2021-41184)
2022-03-03 17:06:48
Security Bulletin: Multiple vulnerabilities identified in jQuery-UI affects IBM Engineering Lifecycle Optimization - Publishing
2023-10-04 08:27:50
fedora
fedora
[SECURITY] Fedora 34 Update: js-jquery-ui-1.13.0-1.fc34
2021-11-20 01:11:49
[SECURITY] Fedora 35 Update: js-jquery-ui-1.13.0-1.fc35
2021-11-20 01:08:33
[SECURITY] Fedora 33 Update: js-jquery-ui-1.13.0-1.fc33
2021-11-20 01:45:55
f5
f5
K50455702 : jQuery vulnerabilities CVE-2021-41182, CVE-2021-41183, and CVE-2021-41184
2022-03-28 00:00:00
K000134507 : jQuery UI vulnerability CVE-2022-31160
2023-05-08 00:00:00
ubuntu
ubuntu
jQuery UI vulnerabilities
2023-10-05 00:00:00
jQuery UI vulnerability
2022-09-09 00:00:00
drupal
drupal
jQuery UI Datepicker - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-004
2022-01-19 00:00:00
Drupal core - Moderately critical - Cross site scripting - SA-CORE-2022-002
2022-01-19 00:00:00
Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2022-001
2022-01-19 00:00:00
checkpoint_advisories
checkpoint_advisories
jQuery UI Datepicker Widget Cross Site Scripting (CVE-2021-41182; CVE-2021-41183)
2022-03-14 00:00:00
jQuery UI Cross-site Scripting (CVE-2021-41184)
2022-10-19 00:00:00
redhat
redhat
(RHSA-2022:4711) Moderate: RHV Manager (ovirt-engine) [ovirt-4.5.0] security update
2022-05-26 16:04:07
veracode
veracode
Cross-site Scripting (XSS)
2022-07-19 05:25:38
Cross-site Scripting (XSS)
2021-10-27 06:12:09
Cross-site Scripting (XSS)
2021-10-27 17:26:37
redhatcve
redhatcve
CVE-2021-41184
2021-11-01 17:41:18
CVE-2022-31160
2022-07-25 18:12:42
CVE-2021-41183
2021-11-01 17:41:12
ubuntucve
ubuntucve
CVE-2021-41184
2021-10-26 00:00:00
CVE-2022-31160
2022-07-20 00:00:00
CVE-2021-41182
2021-10-26 00:00:00
prion
prion
Cross site scripting
2022-07-20 20:15:00
Code injection
2021-10-26 15:15:00
Code injection
2021-10-26 15:15:00
alpinelinux
alpinelinux
CVE-2021-41182
2021-10-26 15:15:00
CVE-2021-41183
2021-10-26 15:15:00
debiancve
debiancve
CVE-2021-41182
2021-10-26 15:15:00
CVE-2022-31160
2022-07-20 20:15:00
CVE-2021-41183
2021-10-26 15:15:00
github
github
XSS in the `altField` option of the Datepicker widget in jquery-ui
2021-10-26 14:55:02
jQuery UI vulnerable to XSS when refreshing a checkboxradio with an HTML-like initial text label
2022-07-18 17:07:36
XSS in `*Text` options of the Datepicker widget in jquery-ui
2021-10-26 14:55:21
huntr
huntr
Jquery UI 1.13.1 in use which is vulnerable to CVE-2022-31160
2023-02-20 08:50:55
cve
cve
CVE-2022-31160
2022-07-20 20:15:00
CVE-2021-41182
2021-10-26 15:15:00
CVE-2021-41183
2021-10-26 15:15:00
adobe
adobe
APSB23-50 : Security update available for Adobe Commerce
2023-10-10 00:00:00
oracle
oracle
Oracle Critical Patch Update Advisory - October 2023
2023-10-17 00:00:00
Oracle Critical Patch Update Advisory - January 2024
2024-01-16 00:00:00
Oracle Critical Patch Update Advisory - July 2023
2023-07-18 00:00:00
tenable
tenable
[R1] Nessus Network Monitor 6.2.2 Fixes Multiple Vulnerabilities
2023-06-29 10:45:47

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

5.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

0.004 Low

EPSS

Percentile

72.9%

JSON
Related for 2F4BAE09DDC968B54378720622CC42A34228109494DD0EADFC1A7F899DBA0F6A
nessus34debian3osv16openvas22ibm36fedora9f52ubuntu2drupal3checkpoint_advisories2redhat1veracode4redhatcve4ubuntucve4prion4alpinelinux2debiancve4github4huntr1cve4adobe1oracle9tenable1