History: Jun 17, 2018 - 12:16 p.m.

Security Bulletin: FileNet Workplace can be affected by the File Upload XSS vulnerability (CVE-2016-3054)

2018-06-17 12:16:23
www.ibm.com

EPSS: 0.001 (Low), percentile 25.7%

Summary

FileNet Workplace is susceptible to the File Upload XSS vulnerability

Vulnerability Details

Relevant CVE Information:
CVEID: CVE-2016-3054
DESCRIPTION: IBM FileNet Workplace is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114753 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

FileNet Workplace 4.0.2

Remediation/Fixes

Refer to the Workarounds and Mitigations section.

Workarounds and Mitigations

There are 2 different implementations that can be used to address this vulnerability. You may choose to implement only one or to use both.

  1. Check and remove malicious content before it gets added into the P8 repository.
  2. Check when malicious content is being viewed and do not allow it to be executed.

The following are some suggestions on the various ways to prevent malicious files from being either uploaded and/or executed. These methods have not been implemented or tested by IBM. They are just examples. For detailed implementation plans, please consult IBM ECM Lab Services or an IBM ECM Business Partner.

To avoid malicious content being entered into the P8 repository:
(1) Create a custom event action that’s triggered on an AddDocument event that checks either the file type being added or calls a file scanner to validate the contents before the content is added.
(2) Configure a file scanner to scan the storage volume where content is being saved and have it send an alert when it finds malicious content.

To prevent content that contains JavaScript code from being executed when it is viewed by AE:
(1) Force JavaScript files to be viewed as text. An AE response filter could be implemented to change the MIME Type from JavaScript to Text.
(2) Configure your browser to not execute JavaScript files.
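The response-filter idea in item (1) above can be sketched with the standard Java Servlet API. This is an added example, not code from IBM or from FileNet; the class name `ScriptAsTextFilter`, the list of MIME types, and the extra `X-Content-Type-Options` header are assumptions, and the filter would still need a `web.xml` mapping to the content-download URLs of the deployment.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical filter: serves JavaScript MIME types as text/plain. */
public class ScriptAsTextFilter implements Filter {
    // Constructed list of script MIME types to downgrade; extend as needed.
    private static final Set<String> SCRIPT_TYPES = new HashSet<String>(Arrays.asList(
        "application/javascript", "application/x-javascript",
        "text/javascript", "application/ecmascript", "text/ecmascript"));

    /** Returns text/plain (keeping any parameters) for script types. */
    static String neutralize(String contentType) {
        if (contentType == null) return null;
        String[] parts = contentType.split(";", 2);
        String base = parts[0].trim().toLowerCase(Locale.ROOT);
        if (!SCRIPT_TYPES.contains(base)) return contentType;
        return parts.length == 2 ? "text/plain;" + parts[1] : "text/plain";
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse http = (HttpServletResponse) res;
        // Added hardening: stop the browser from sniffing text/plain as script.
        http.setHeader("X-Content-Type-Options", "nosniff");
        // Wrap the response so every way of setting Content-Type is intercepted.
        chain.doFilter(req, new HttpServletResponseWrapper(http) {
            @Override public void setContentType(String type) {
                super.setContentType(neutralize(type));
            }
            @Override public void setHeader(String name, String value) {
                super.setHeader(name, isContentType(name) ? neutralize(value) : value);
            }
            @Override public void addHeader(String name, String value) {
                super.addHeader(name, isContentType(name) ? neutralize(value) : value);
            }
            private boolean isContentType(String name) {
                return "Content-Type".equalsIgnoreCase(name);
            }
        });
    }
}
```

The wrapper overrides `setHeader` and `addHeader` as well as `setContentType`, because downstream code can set the type through any of the three.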

CPE

Name                     Operator  Version
filenet content manager  eq        4.0.2
