IBMB30CD2FE30EA810B00FCC096F2D2253933E930C51DB1FEC9CCDF169C59E6C956Security Bulletin: IBM Cloud Private is Vulnerable to Reflected Cross-Site Scripting attacks (CVE-2019-4120)
0.001 Low
EPSS
Percentile
19.6%
Summary
IBM Cloud Private is vulnerable to reflected cross-site scripting attacks.
Vulnerability Details
CVEID: CVE-2019-4120 DESCRIPTION: IBM Cloud Private is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/158146> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
Affected Products and Versions
IBM Cloud Private 2.1.x, 3.1.0, 3.1.1, 3.1.2
Remediation/Fixes
Product defect fixes and security updates are only available for the two most recent Continuous Delivery (CD) update packages
- IBM Cloud Private 3.1.2
- IBM Cloud Private 3.1.1
For IBM Cloud Private 3.1.2, apply patch:
For IBM Cloud Private 3.1.1, apply patch:
For IBM Cloud Private, 2.1.x, 3.1.0:
- Upgrade to the latest Continuous Delivery (CD) update package, IBM Cloud Private 3.2.
- If required, individual product fixes can be made available between CD update packages for resolution of problems. Contact IBM support for assistance
Workarounds and Mitigations
None
| CPE | Name | Operator | Version |
|---|---|---|---|
| ibm cloud private | eq | any |
Related
0.001 Low
EPSS
Percentile
19.6%