Lucene search

IBM48D750D80DDF95D001B9FF917844025735B5D8B78A7169BF2BAFC2E4FC4B2D38

HistorySep 01, 2023 - 1:10 p.m.

Security Bulletin: A security vulnerability have been identified in dojo library shipped with IBM Security Guardium Key Lifecycle Manager (SKLM/GKLM) (CVE-2018-6561)

2023-09-0113:10:24

www.ibm.com

security vulnerability

dojo toolkit

cross-site scripting

ibm security guardium

gklm 4.2

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

34.0%

JSON

Summary

A security vulnerability have been identified in dojo library shipped with IBM Security Guardium Key Lifecycle Manager (SKLM/GKLM) (CVE-2018-6561)

Vulnerability Details

CVEID:CVE-2018-6561
**DESCRIPTION:**Dojo Toolkit is vulnerable to cross-site scripting in dijit.Editor, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using the ‘onload’ attribute of an SVG element to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/138648 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM Security Key Lifecycle Manager	3.0, 3.0.1, 4.0
IBM Security Guardium Key Lifecycle Manager	4.1, 4.1.1

Remediation/Fixes

This issue has been fixed in GKLM 4.2. IBM encourages customers to update their systems promptly.

Product(s)	Remediation / Fix
IBM Security Guardium Key Lifecycle Manager	GKLM 4.2

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmsecurity_guardium_key_lifecycle_managerMatch3.0

ibmsecurity_guardium_key_lifecycle_managerMatch3.0.1

ibmsecurity_guardium_key_lifecycle_managerMatch4.0

ibmsecurity_guardium_key_lifecycle_managerMatch4.1

ibmsecurity_guardium_key_lifecycle_managerMatch4.1.1

ibmsecurity_key_lifecycle_managerMatch3.0

ibmsecurity_key_lifecycle_managerMatch3.0.1

ibmsecurity_key_lifecycle_managerMatch4.0

ibmsecurity_guardium_key_lifecycle_managerMatch4.1

ibmsecurity_guardium_key_lifecycle_managerMatch4.1.1

CPENameOperatorVersion
ibm security guardium key lifecycle managereq3.0
ibm security guardium key lifecycle managereq3.0.1
ibm security guardium key lifecycle managereq4.0
ibm security guardium key lifecycle managereq4.1
ibm security guardium key lifecycle managereq4.1.1
ibm security key lifecycle managereq3.0
ibm security key lifecycle managereq3.0.1
ibm security key lifecycle managereq4.0
ibm security guardium key lifecycle managereq4.1
ibm security guardium key lifecycle managereq4.1.1

Name	Operator	Version
ibm security guardium key lifecycle manager	eq	3.0
ibm security guardium key lifecycle manager	eq	3.0.1
ibm security guardium key lifecycle manager	eq	4.0
ibm security guardium key lifecycle manager	eq	4.1
ibm security guardium key lifecycle manager	eq	4.1.1
ibm security key lifecycle manager	eq	3.0
ibm security key lifecycle manager	eq	3.0.1
ibm security key lifecycle manager	eq	4.0
ibm security guardium key lifecycle manager	eq	4.1
ibm security guardium key lifecycle manager	eq	4.1.1