CVSS3: 6.1 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS2: 4.3 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
A security vulnerability has been identified in jQuery that could affect DataQuant for z/OS.
CVEID: CVE-2019-11358
CVSS Base Score: 6.1
**DESCRIPTION:** jQuery, as used in Drupal core, is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to execute script in a victim’s Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
DataQuant for z/OS 2.1
Steps to update jQuery – DataQuant
1. Download jquery-3.4.1.min.js from https://code.jquery.com/jquery-3.4.1.min.js
2. Open the WebSphere server Administrative console and stop the DataQuant application, if it is running
3. Go to the file system directory where the WebSphere server has installed the DataQuant for WebSphere application and navigate to the “plugins” directory
Example plugins directory path:
C:\Program Files\IBM\WebSphere\AppServer\profiles\AppSrv01\installedApps\MyMachineNode01Cell\QMFWebSphere122_war.ear\QMFWebSphere122.war\WEB-INF\eclipse\plugins
4. Select the folder whose name starts with “com.ibm.bi.reporter_” and copy it to a temp directory
5. Within the temp backup directory from step 4, navigate to the “reporter-config/html5/scripts” directory
6. Delete jquery-1.11.3.min.js and put the jquery-3.4.1.min.js file downloaded in step 1 in its place
7. Go to the reporter-config/html5 directory
8. Using a text editor, update the “index.html”, “index_android.html” and “index_ios.html” files to point to the new jQuery file. Replace:
<script type="text/javascript" src="{1}/html5/scripts/jquery-1.11.3.min.js"></script>
with:
<script type="text/javascript" src="{1}/html5/scripts/jquery-3.4.1.min.js"></script>
9. Copy the updated folder into the plugins directory path from steps 3 and 4
10. Start the DataQuant application in WebSphere Administrative console
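A post-update check for steps 5 to 8, added here as an example and not part of the original bulletin: it scans a reporter-config/html5 directory for index pages that still reference a jQuery older than 3.4.0 (the release that fixed CVE-2019-11358), for old jQuery files left on disk, and for references to a file that was never copied in. The function names and the sample tree built by `build_sample` are assumptions of this example.

```python
import re
import tempfile
from pathlib import Path

FIXED = (3, 4, 0)  # CVE-2019-11358 is fixed in jQuery 3.4.0 and later
INDEX_FILES = ("index.html", "index_android.html", "index_ios.html")
# Matches jquery-<major>.<minor>.<patch>[.min].js in a src attribute or file name
JQUERY_RE = re.compile(r"jquery-(\d+)\.(\d+)\.(\d+)(?:\.min)?\.js", re.I)

def audit_html5(html5_dir):
    """Return a sorted list of findings for a reporter-config/html5 directory."""
    html5 = Path(html5_dir)
    findings, referenced = [], set()
    for name in INDEX_FILES:
        page = html5 / name
        if not page.is_file():
            findings.append(f"{name}: file missing")
            continue
        text = page.read_text(encoding="utf-8", errors="replace")
        for m in JQUERY_RE.finditer(text):
            referenced.add(m.group(0))
            if tuple(map(int, m.groups())) < FIXED:
                findings.append(f"{name}: references vulnerable {m.group(0)}")
    scripts = html5 / "scripts"
    present = {p.name for p in scripts.glob("jquery-*.js")} if scripts.is_dir() else set()
    for fname in present:
        m = JQUERY_RE.fullmatch(fname)
        if m and tuple(map(int, m.groups())) < FIXED:
            findings.append(f"scripts/{fname}: vulnerable file still on disk")
    for fname in referenced - present:
        findings.append(f"scripts/{fname}: referenced but not present")
    return sorted(findings)

def build_sample(root, version, leave_old=False):
    """Constructed sample tree that mimics the layout named in the steps."""
    html5 = Path(root) / "reporter-config" / "html5"
    (html5 / "scripts").mkdir(parents=True)
    tag = f'<script type="text/javascript" src="{{1}}/html5/scripts/jquery-{version}.min.js"></script>'
    for name in INDEX_FILES:
        (html5 / name).write_text(f"<html><head>{tag}</head></html>", encoding="utf-8")
    (html5 / "scripts" / f"jquery-{version}.min.js").write_text("/* placeholder */")
    if leave_old:
        (html5 / "scripts" / "jquery-1.11.3.min.js").write_text("/* placeholder */")
    return html5

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_html5(build_sample(tmp, "1.11.3")):
            print(finding)
```

Run `audit_html5` against the temp copy before step 9; an empty list means all three index files and the scripts directory agree on a fixed jQuery version.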
None
CPE

| Name | Operator | Version |
|---|---|---|
| ibm dataquant for z/os | eq | 2.1 |