Jun 17, 2018 - 2:52 p.m.

Security Bulletin: IBM Tivoli Application Dependency Discovery Manager (TADDM) is vulnerable to cross-site scripting (CVE-2014-6150)

2018-06-17 14:52:05
www.ibm.com

EPSS: 0.001
Percentile: 35.4%

Summary

IBM Tivoli Application Dependency Discovery Manager is vulnerable to cross-site scripting, caused by improper validation of user-supplied input.

Vulnerability Details

CVE ID: CVE-2014-6150
DESCRIPTION: A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.

CVSS Base Score: 3.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/96920> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:N/A:N)

Affected Products and Versions

7.2.2.0 - 7.2.2.2

Remediation/Fixes

For each affected TADDM release (7.2.2), there are eFixes prepared on top of the latest FixPack:

| Fix | VRMF | APAR | How to acquire fix |
|---|---|---|---|
| efix_65589_FP220140731.zip | 7.2.2.2 | None | Download eFix |

Details of the eFix are in etc/<efix_name>_readme.txt

Workarounds and Mitigations

If an eFix is required on any other TADDM version, please contact IBM Support. Open a PMR for a custom version of this eFix. Include your current eFix level, TADDM version and a link to this bulletin.
The eFixes are created to be installed on the above FixPacks without any previously applied eFixes. If there are other eFixes installed (ls -rlt etc/efix*), open a PMR for a custom version of this eFix.
