History: Jun 16, 2018 - 2:01 p.m.

Security Bulletin: Privilege Escalation and Cross Site Scripting vulnerabilities in IBM® InfoSphere® Master Data Management Collaborative Edition (CVE-2014-8896, CVE-2014-8897, CVE-2014-8898, CVE-2014-8899)

www.ibm.com

EPSS: 0.001 (Percentile: 34.2%)

Summary

Privilege Escalation vulnerability in IBM InfoSphere Master Data Management - Collaborative Edition could allow an escalation of privilege attack. Cross Site Scripting vulnerabilities in IBM InfoSphere Master Data Management - Collaborative Edition are caused by improper validation of user-supplied input. A remote attacker can use a specially crafted URL to run scripts in a victim’s web browser within the security context of the hosting website after the URL is clicked. An attacker can use this vulnerability to steal the victim’s cookie-based authentication credentials.

Vulnerability Details

CVEID: CVE-2014-8896
DESCRIPTION: IBM Master Data Management Collaboration Server could allow an authenticated user to modify the authentication credentials of the administrator, which would give the attacker administrator access.
CVSS Base Score: 8.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/99049 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:C/I:C/A:C)

CVEID: CVE-2014-8897
DESCRIPTION: IBM Master Data Management Collaboration Server is vulnerable to stored cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/99050 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

CVEID: CVE-2014-8898
DESCRIPTION: IBM Master Data Management Collaboration Server is vulnerable to reflective cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/99051 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

CVEID: CVE-2014-8899
DESCRIPTION: IBM Master Data Management Collaboration Server is vulnerable to reflective cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/99052 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

Affected Products and Versions

IBM InfoSphere Master Data Management - Collaborative Edition Versions 11.4, 11.3, 11.0, 10.1 and 10.0.
IBM InfoSphere Master Data Management Server for Product Information Management Versions 9.1 and 9.0.

Remediation/Fixes

The recommended solution is to apply the fix as soon as practical. Please see below for information on the fixes available.

| Product | VRMF | APAR | Remediation/First Fix |
| --- | --- | --- | --- |
| IBM InfoSphere Master Data Management - Collaborative Edition | 11.4 | None | 11.4-FP1 |
| IBM InfoSphere Master Data Management - Collaborative Edition | 11.3 | None | 11.3-IF4 |
| IBM InfoSphere Master Data Management - Collaborative Edition | 11.0 | None | 11.0-FP7 |
| IBM InfoSphere Master Data Management - Collaborative Edition | 10.1/10.0 | None | 10.1-IF9 |
| IBM InfoSphere Master Data Management Server for Product Information Management | 9.1/9.0 | None | 9.1-FP12 |

Workarounds and Mitigations

None known
