Security Bulletin: Vulnerability in Apache CXF library shipped with IBM Global Mailbox (CVE-2020-13954)

Summary

Security vulnerability have been Identified In Apache CXF library shipped with IBM Global Mailbox.

Vulnerability Details

CVEID:CVE-2020-13954
**DESCRIPTION:**Apache CXF is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the services listing page. A remote attacker could exploit this vulnerability using the styleSheetPath in a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/191650 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

Remediation/Fixes

Refer to the following security bulletins for vulnerability details and information about fixes addressed by Apache CXF which is/are shipped with Global Mailbox.

Principal Product and Version(s)

|

Affected Supporting Product and Version

|

Affected Supporting Product Security Bulletin

—|—|—

Global Mailbox version 6.1.0.1

|

Apache CXF library version 3.4.1

| CVE-2020-13954

6.1.0.1 is now available on Fix Central

Here are the Fix Central links.

Sterling B2B Integrator

https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+B2B+Integrator&release=All&platform=All&function=fixId&fixids=6.1.0.1-OtherSoftware-B2Bi-All&includeSupersedes=0

Sterling File Gateway

https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+File+Gateway&release=All&platform=All&function=fixId&fixids=6.1.0.1-OtherSoftware-SFG-All&includeSupersedes=0

Workarounds and Mitigations

None