Lucene search

IBM5961B4C5CEA6DE290B5B4ACED8F977F36565C48B548CD04A86F773697B0CC601

HistoryApr 10, 2024 - 10:49 a.m.

Security Bulletin: Jinja2-2.11.3-py2.py3-none-any.whl and Jinja2-3.1.2-py3-none-any.whl is vulnerable to CVE-2024-22195 used in IBM Maximo Application Suite - Edge Data Collector

2024-04-1010:49:58

www.ibm.com

ibm maximo

jinja2

cve-2024-22195

cross-site scripting

edge data collector

6.7 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

40.6%

JSON

Summary

IBM Maximo Application Suite - Edge Data Collector uses Jinja2-2.11.3-py2.py3-none-any.whl and Jinja2-3.1.2-py3-none-any.whl which is vulnerable to CVE-2024-22195

Vulnerability Details

CVEID:CVE-2024-22195
**DESCRIPTION:**Pallets Jinja is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the xmlattr filter. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/279344 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM Edge Data Collector	8.11.3 and before

Remediation/Fixes

Affected Product(s)	Version(s)
IBM Edge Data Collector	8.11.4 or latest (available from the Catalog under Update Available)

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm maximo application suiteeq8.11

CPE	Name	Operator	Version
	ibm maximo application suite	eq	8.11