
Security Bulletin: Cross-Site Scripting Vulnerabilities in the locally installable IBM DB2 Information Center (CVE-2013-5449)

Published: 2018-06-16 13:04:25
Source: www.ibm.com

EPSS: 0.002 (Low), Percentile: 55.2%

Summary

Some scripts in the help system used by IBM DB2 Information Center are vulnerable to cross-site scripting attacks.

This security bulletin only applies to the locally installed DB2 Information Center and not the core DB2 product. If you do not have an information center installed on a local or intranet system, then this security bulletin is not applicable.

Vulnerability Details

CVE ID: CVE-2013-5449

**DESCRIPTION:** The DB2 Information Center is vulnerable to cross-site scripting. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked.
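The reflected pattern the description refers to (attacker-controlled text from a URL parameter written straight into the served page) next to its hardened form, as an added example. This is not code from the DB2 Information Center; the help-page template, the parameter name `topic`, the host name and the sample payload are all constructed for illustration.

```python
"""Reflected XSS: unsafe vs. escaped rendering of a URL query parameter.

Added example, not code from the DB2 Information Center. The page template,
the 'topic' parameter, the host name and the payload are constructed.
"""
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse


def topic_from_url(url: str) -> str:
    """Extract the (percent-decoded) 'topic' query parameter, or '' if absent."""
    query = parse_qs(urlparse(url).query)
    return query.get("topic", [""])[0]


def render_unsafe(topic: str) -> str:
    # Vulnerable pattern: user-controlled text is concatenated into HTML as-is,
    # so any markup in the URL becomes live markup in the victim's browser.
    return f"<h1>Help topic: {topic}</h1>"


def render_safe(topic: str) -> str:
    # Hardened pattern: contextual output encoding for an HTML text node.
    # '<', '>', '&' and quotes become entities, so the browser shows the text
    # literally instead of parsing it.
    return f"<h1>Help topic: {html.escape(topic, quote=True)}</h1>"


class _TagCollector(HTMLParser):
    """Collects every start tag the browser-side parser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def tags_in(fragment: str) -> list[str]:
    """Verification helper: which elements does a rendered fragment actually contain?

    A safe render of a help page must contain only the template's own tags;
    anything else means user input survived as markup.
    """
    parser = _TagCollector()
    parser.feed(fragment)
    parser.close()
    return parser.tags


if __name__ == "__main__":
    # Constructed sample URL carrying an HTML payload in the query string.
    sample_url = (
        "http://intranet.example/help/topic"
        "?topic=%3Cscript%3Ealert(1)%3C%2Fscript%3E"
    )
    topic = topic_from_url(sample_url)
    print("unsafe tags:", tags_in(render_unsafe(topic)))  # template tag plus injected one
    print("safe tags:  ", tags_in(render_safe(topic)))    # template tag only
```

The `tags_in` check is the same test a reviewer can run against any templated page: feed the rendered output to an HTML parser and compare the element list with what the template alone should produce.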

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/88056 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Affected Products and Versions

The following locally installed IBM DB2 Information Center editions running on Linux and Windows are affected by this security bulletin:

IBM® DB2® 9.7 Information Center Network package
IBM® DB2® 9.7 Information Center Workstation package

• Network version (installable) of the DB2 Information Center

This is the same DB2 Information Center that is distributed with DB2 database products. It comes with an installer and other programs that let you install the Information Center on your computer. The install program requires that you have administrative authority on your computer to complete the installation.
• The Workstation version (stand-alone) of the DB2 Information Center

This package allows you to run the DB2 Information Center on your computer if you do not have administrator or root authority. The Workstation version of the DB2 Information Center runs in “stand-alone” mode. There are no services or daemons associated with this type of DB2 Information Center, therefore you must start and stop it manually. It also differs from the regular DB2 Information Center because it determines the locale from the computer’s system locale, not from the browser.

Remediation/Fixes

The fix for this vulnerability is available for download for DB2 Information Center release V9.7.

The package for the Workstation version includes the latest version of all the content for that release and a fully patched version of the information center. The package for the Network version of the information center only includes the patch for the base information center code. An updated install package for the Network version of the information centers will be available in the future.

Information Center Package: URL
Network version (installable): http://download.boulder.ibm.com/ibmdl/pub/software/data/db2/luw/info/icpatches
Workstation version (stand-alone): http://www.ibm.com/support/docview.wss?rs=71&uid=swg27009474

Workarounds and Mitigations

Workarounds: If applying the fix is not possible or feasible, then uninstall the locally installed information center and use the information center(s) available at http://www.ibm.com/software/data/db2/linux-unix-windows/library.html#Information%20centers.

Mitigations: None known

CPE Name: db2 for linux, unix and windows
Operator: eq
Version: 9.7
