There are cross-site scripting vulnerabilities in the Dojo Toolkit that is used by IBM Worklight and IBM MobileFirst Platform Foundation.
CVEID: CVE-2014-8917
DESCRIPTION: IBM Dojo Toolkit is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99303> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Download the latest interim fix for your product and version containing APARs PI32264 and PI31648:
V5.0.5: IBM Worklight Consumer Edition, IBM Worklight Enterprise Edition, IBM Mobile Foundation Consumer Edition, IBM Mobile Foundation Enterprise Edition
V5.0.6: IBM Worklight Consumer Edition, IBM Worklight Enterprise Edition, IBM Mobile Foundation Consumer Edition, IBM Mobile Foundation Enterprise Edition
V6.0.0: IBM Worklight Consumer Edition, IBM Worklight Enterprise Edition, IBM Mobile Foundation Consumer Edition, IBM Mobile Foundation Enterprise Edition
V6.1.0: IBM Worklight Consumer Edition, IBM Worklight Enterprise Edition
V6.2.0: IBM Worklight Foundation Consumer Edition, IBM Worklight Foundation Enterprise Edition
V6.3.0: IBM MobileFirst Platform Foundation
None