History: Sep 01, 2023 - 1:10 p.m.

Security Bulletin: A security vulnerability has been identified in the dojo library shipped with IBM Security Guardium Key Lifecycle Manager (SKLM/GKLM) (CVE-2018-6561)

Published: 2023-09-01 13:10:24
Source: www.ibm.com

Tags: security vulnerability, dojo toolkit, cross-site scripting, ibm security guardium, gklm 4.2

CVSS2: 4.3 Medium
Attack Vector: NETWORK; Attack Complexity: MEDIUM; Authentication: NONE
Confidentiality Impact: NONE; Integrity Impact: PARTIAL; Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3: 6.1 Medium
Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: REQUIRED; Scope: CHANGED
Confidentiality Impact: LOW; Integrity Impact: LOW; Availability Impact: NONE
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS: 0.001 Low (Percentile: 34.0%)

Summary

A security vulnerability has been identified in the dojo library shipped with IBM Security Guardium Key Lifecycle Manager (SKLM/GKLM) (CVE-2018-6561).

Vulnerability Details

CVEID: CVE-2018-6561
DESCRIPTION: Dojo Toolkit is vulnerable to cross-site scripting in dijit.Editor, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using the 'onload' attribute of an SVG element to inject malicious script into a Web page, which would be executed in a victim's Web browser within the security context of the hosting Web site once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/138648 for the current score.
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
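The defect described above is an editor that stores and re-renders markup without stripping script-bearing attributes. As an added, defensive example (not part of IBM's bulletin and not Dojo's own code), the following Python filter, built only on the standard library, strips every on* event-handler attribute (such as the SVG onload attribute named in the description), javascript: URLs and a small set of executable elements from editor-submitted HTML, as a server-side defence-in-depth layer behind the vendor fix. The DROP_TAGS and URL_ATTRS sets, and the evil() placeholder in the constructed sample, are assumptions.

```python
from html import escape
from html.parser import HTMLParser
DROP_TAGS = {"script", "iframe", "object", "embed"}   # removed together with content
URL_ATTRS = {"href", "src", "xlink:href", "action", "formaction"}

class EventHandlerStripper(HTMLParser):
    """Re-emits the fed markup minus on* attributes, javascript: URLs and
    DROP_TAGS elements; text is re-escaped so decoded entities stay text."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.removed = []       # (tag, attribute) pairs dropped, for audit logging
        self._skipping = None   # tag name while inside a DROP_TAGS element

    def _clean_attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:
            lname, lvalue = name.lower(), (value or "").strip().lower()
            handler = lname.startswith("on")   # onload, onerror, onclick, ...
            js_url = lname in URL_ATTRS and lvalue.startswith("javascript:")
            if handler or js_url:
                self.removed.append((tag, lname))
            else:
                kept.append((name, value))
        return "".join(f' {n}="{escape(v or "", quote=True)}"' for n, v in kept)

    def handle_starttag(self, tag, attrs):
        if tag in DROP_TAGS:
            self._skipping = tag
            self.removed.append((tag, "*"))
        elif self._skipping is None:
            self.out.append(f"<{tag}{self._clean_attrs(tag, attrs)}>")

    def handle_endtag(self, tag):
        if tag == self._skipping:
            self._skipping = None
        elif self._skipping is None:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._skipping is None:
            self.out.append(escape(data, quote=False))

def strip_event_handlers(markup):
    # Returns (sanitised_markup, removed_pairs) for editor-submitted HTML.
    parser = EventHandlerStripper()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out), parser.removed

# Constructed sample: editor output carrying an SVG onload handler (evil() is a placeholder).
SAMPLE = ('<p>Hello &amp; <b>world</b></p><svg onload="evil()"><circle r="1"/></svg>'
          '<a href="javascript:evil()">link</a><script>evil()</script>')
```

The removed list is worth writing to the application log: repeated stripping of onload or onerror from one account is a useful detection signal in its own right.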

Affected Products and Versions

Affected Product(s)                           Version(s)
IBM Security Key Lifecycle Manager            3.0, 3.0.1, 4.0
IBM Security Guardium Key Lifecycle Manager   4.1, 4.1.1

Remediation/Fixes

This issue has been fixed in GKLM 4.2. IBM encourages customers to update their systems promptly.

Product(s)                                    Remediation / Fix
IBM Security Guardium Key Lifecycle Manager   GKLM 4.2

Workarounds and Mitigations

None

Affected configurations (Vulners match nodes)

IBM Security Guardium Key Lifecycle Manager: 3.0, 3.0.1, 4.0, 4.1, 4.1.1
IBM Security Key Lifecycle Manager: 3.0, 3.0.1, 4.0
