
Security Bulletin: Vulnerability in Dojo Toolkit affects IBM MQ Light (CVE-2015-5654)

2018-06-15 07:04:20
www.ibm.com
5

EPSS: 0.003 (Low), Percentile: 65.5%

## Summary

Dojo Toolkit is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute script in a victim’s web browser within the security context of the hosting web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials. IBM MQ Light has addressed the applicable CVE.

## Vulnerability Details

CVEID: CVE-2015-5654
DESCRIPTION: Dojo Toolkit is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute script in a victim’s web browser within the security context of the hosting web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107041 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

## Affected Products and Versions

IBM MQ Light V1.0 on all platforms.

The version of IBM MQ Light can be determined by running `mqlight-config --version`. A V1.0 installation will return text containing:

```
Name: IBM MQ Light
Version: 1.0
```

## Remediation/Fixes

Upgrade to the latest version of IBM MQ Light.

The following link describes how to re-use the data from a V1.0 installation using an upgraded installation:
[http://www.ibm.com/support/knowledgecenter/SSBJCR_1.0.0/com.ibm.mq.koa.doc/tmql_data.htm](<http://www.ibm.com/support/knowledgecenter/SSBJCR_1.0.0/com.ibm.mq.koa.doc/tmql_data.htm>)

## Workarounds and Mitigations

None.

CPE:

| Name | Operator | Version |
| --- | --- | --- |
| ibm mq light | eq | 1.0 |
