This bulletin addresses a cross-site scripting security vulnerability with IBM Cognos Business Intelligence.
CVEID: CVE-2016-0217
DESCRIPTION: IBM Cognos Business Intelligence and IBM Cognos Analytics are vulnerable to stored cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/109691 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
IBM Cognos Business Intelligence Server 10.2.2
IBM Cognos Business Intelligence Server 10.2.1.1
IBM Cognos Business Intelligence Server 10.2.1
The recommended solution is to apply the fix listed below as soon as is practical.
10.2.2: <http://www-01.ibm.com/support/docview.wss?uid=swg24042360>
10.2.1.1: <http://www-01.ibm.com/support/docview.wss?uid=swg24042360>
10.2.1: <http://www-01.ibm.com/support/docview.wss?uid=swg24042360>
None known. Apply fixes.
CPE

| Name | Operator | Version |
|---|---|---|
| cognos business intelligence | eq | 10.2.2 |
| cognos business intelligence | eq | 10.2.1 |