Security Bulletin: IBM TRIRIGA Application Platform Reflected Cross-Site Scripting (XSS) (CVE-2016-5980)

Summary

The IBM TRIRIGA Application is vulnerable to Reflected Cross-Site Scripting attacks.

Vulnerability Details

CVEID: CVE-2016-5980 DESCRIPTION: IBM TRIRIGA Application Platform is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/116465 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

The following IBM TRIRIGA Platform versions are affected.

· IBM TRIRIGA Application Platform 3.5.1.1 and earlier.
· IBM TRIRIGA Application Platform 3.4.2.4 and earlier.
· IBM TRIRIGA Application Platform 3.3.2.5 and earlier.

Remediation/Fixes

Product

| VRMF| APAR| Remediation/First Fix
—|—|—|—
IBM TRIRIGA Application Platform| 3.5.1.1| IV88400|

The fix is available in IBM TRIRIGA Application Platform 3.5.1.2 which is available for download on IBM Fix Central.

IBM TRIRIGA Application Platform| 3.4.2.4| IV88400|

The fix is available in IBM TRIRIGA Application Platform 3.4.2.5 which is available for download on IBM Fix Central.

IBM TRIRIGA Application Platform| 3.3.2.5| IV88400|

The application fix pack is available through IBM TRIRIGA Customer support as a Limited Available Fix Pack. A request can be made through the IBM Support Portal.

Workarounds and Mitigations

Until you apply the fixes, it may be possible to reduce the risk of a successful attack by restricting access to internal networks, and not allowing external/Internet access to the application.