Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBMEBDC723595567382AB0913D873E6B4723469E7851CEA431EE2246E060EB1CE6A
HistoryMay 03, 2024 - 3:22 p.m.

Security Bulletin: IBM Aspera Orchestrator affected by usage of vulnerable software (CVE-2020-27511, CVE-2022-31160, CVE-2021-41184, CVE-2021-41182, CVE-2021-41183, CVE-2018-20677, CVE-2018-20676, CVE-2018-14040, CVE-2016-10735, CVE-2019-8331)

2024-05-0315:22:12
www.ibm.com
7
ibm aspera orchestrator
vulnerable software
denial of service
cross-site scripting
jquery
bootstrap

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

8.4 High

AI Score

Confidence

High

0.008 Low

EPSS

Percentile

81.2%

JSON

Summary

IBM Aspera Orchestrator has addressed multiple vulnerabilities related to the use of vulnerable software (jQuery and Bootstrap) that could allow denial of service and cross-site scripting attacks.

Vulnerability Details

CVEID:CVE-2020-27511
**DESCRIPTION:**Prototype is vulnerable to a denial of service, caused by a regular expression denial of service (ReDOS) flaw in the stripTags and unescapeHTML components. By using a specially-crafted HTML tags, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/204290 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2022-31160
**DESCRIPTION:**jQuery UI is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the check-box-radio widget. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/231462 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

CVEID:CVE-2021-41184
**DESCRIPTION:**jQuery jQuery-UI is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the .position() function. A remote attacker could exploit this vulnerability using the of parameter to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 7.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/212277 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)

CVEID:CVE-2021-41182
**DESCRIPTION:**jQuery jQuery-UI is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the Datepicker widget. A remote attacker could exploit this vulnerability using the altField parameter to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 7.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/212274 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)

CVEID:CVE-2021-41183
**DESCRIPTION:**jQuery jQuery-UI is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the Datepicker widget. A remote attacker could exploit this vulnerability using the Text parameter to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 7.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/212276 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)

CVEID:CVE-2018-20677
**DESCRIPTION:**Bootstrap is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the affix configuration target property. A remote attacker could exploit this vulnerability to execute script in a victim’s Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/155337 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID:CVE-2018-20676
**DESCRIPTION:**Bootstrap is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the tooltip data-viewport attribute. A remote attacker could exploit this vulnerability to execute script in a victim’s Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/155338 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID:CVE-2018-14040
**DESCRIPTION:**Bootstrap is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the collapse data-parent attribute. A remote attacker could exploit this vulnerability to execute script in a victim’s Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/146468 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID:CVE-2016-10735
**DESCRIPTION:**Bootstrap is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the data-target attribute. A remote attacker could exploit this vulnerability to execute script in a victim’s Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/155339 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID:CVE-2019-8331
**DESCRIPTION:**Bootstrap is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the tooltip or popover data-template. A remote attacker could exploit this vulnerability to execute script in a victim’s Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/157409 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Aspera Orchestrator 4.0.1

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by applying the below fix as soon as possible:

Product Version Platform Link to Fix
IBM Aspera Orchestrator 4.0.1 PL2 Linux click here

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmaspera_streamingMatch4.0.0
OR
ibmaspera_streamingMatch4.0.1

Related

osv 21
openvas 19
debian 2
nessus 33
ibm 25
redhat 11
ubuntu 2
fedora 6
f5 4
checkpoint_advisories 1
rocky 1
oraclelinux 2
centos 1
almalinux 1
drupal 2
amazon 1
ics 1
debiancve 6
nvd 7
ubuntucve 6
cvelist 6
prion 6
cve 4
jvn 1
hackerone 2
github 8
redhatcve 4
gitlab 4
veracode 6
githubexploit 1
typo3 1
nodejs 1
alpinelinux 2
cbl_mariner 1
osv
osv
jqueryui - security update
2022-12-07 00:00:00
jqueryui vulnerabilities
2023-10-05 12:36:27
jqueryui vulnerability
2022-09-09 09:31:52
openvas
openvas
Debian: Security Advisory (DLA-3230-1)
2022-12-08 00:00:00
Fedora: Security Advisory for js-jquery-ui (FEDORA-2021-013ab302be)
2021-12-04 00:00:00
Ubuntu: Security Advisory (USN-6419-1)
2023-10-06 00:00:00
debian
debian
[SECURITY] [DLA 3230-1] jqueryui security update
2022-12-07 10:30:00
[SECURITY] [DLA-2889-1] drupal7 security update
2022-01-19 20:00:29
nessus
nessus
Debian DLA-3230-1 : jqueryui - LTS security update
2022-12-08 00:00:00
RHEL 7 : python-XStatic-Bootstrap-SCSS (RHSA-2020:5571)
2020-12-18 00:00:00
Tenable SecurityCenter < 5.19.0 Multiple XSS Vulnerabilities (TNS-2021-14)
2021-09-03 00:00:00
ibm
ibm
Security Bulletin: Open Source Dependency Vulnerability
2023-05-15 17:25:05
Security Bulletin: There are several vulnerabilities in Bootstrap used by IBM Maximo Asset Management
2023-04-04 16:40:26
Security Bulletin: Multiple vulnerabilities in jQuery affect IBM Tivoli Netcool Impact
2023-12-01 10:35:31
redhat
redhat
(RHSA-2020:5571) Moderate: python-XStatic-Bootstrap-SCSS security update
2020-12-16 12:54:58
(RHSA-2019:3023) Moderate: ovirt-engine-ui-extensions security and bug fix update
2019-10-10 14:49:36
(RHSA-2020:0133) Moderate: Red Hat Decision Manager 7.6.0 Security Update
2020-01-16 16:00:35
ubuntu
ubuntu
jQuery UI vulnerabilities
2023-10-05 00:00:00
jQuery UI vulnerability
2022-09-09 00:00:00
fedora
fedora
[SECURITY] Fedora 33 Update: js-jquery-ui-1.13.0-1.fc33
2021-11-20 01:45:55
[SECURITY] Fedora 34 Update: js-jquery-ui-1.13.0-1.fc34
2021-11-20 01:11:49
[SECURITY] Fedora 35 Update: js-jquery-ui-1.13.0-1.fc35
2021-11-20 01:08:33
f5
f5
K50455702 : jQuery vulnerabilities CVE-2021-41182, CVE-2021-41183, and CVE-2021-41184
2022-03-28 00:00:00
K24383845 : Bootstrap vulnerability CVE-2019-8331
2019-04-10 00:00:00
K000134507 : jQuery UI vulnerability CVE-2022-31160
2023-05-08 00:00:00
checkpoint_advisories
checkpoint_advisories
jQuery UI Datepicker Widget Cross Site Scripting (CVE-2021-41182; CVE-2021-41183)
2022-03-14 00:00:00
rocky
rocky
idm:DL1 and idm:client security, bug fix, and enhancement update
2020-11-03 12:25:36
oraclelinux
oraclelinux
ipa security, bug fix, and enhancement update
2020-10-06 00:00:00
idm:DL1 and idm:client security, bug fix, and enhancement update
2020-11-10 00:00:00
centos
centos
ipa, python2 security update
2020-10-20 18:15:27
almalinux
almalinux
Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update
2020-11-03 12:25:36
drupal
drupal
jQuery UI Datepicker - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-004
2022-01-19 00:00:00
Drupal core - Moderately critical - Cross site scripting - SA-CORE-2022-002
2022-01-19 00:00:00
amazon
amazon
Medium: ipa
2020-10-22 17:40:00
ics
ics
Mitsubishi Electric EcoWebServerIII
2022-02-24 12:00:00
debiancve
debiancve
CVE-2020-27511
2021-06-21 20:15:08
CVE-2018-20676
2019-01-09 05:29:01
CVE-2018-20677
2019-01-09 05:29:01
nvd
nvd
CVE-2020-27511
2021-06-21 20:15:08
CVE-2018-20676
2019-01-09 05:29:01
CVE-2018-20677
2019-01-09 05:29:01
ubuntucve
ubuntucve
CVE-2020-27511
2021-06-21 00:00:00
CVE-2018-20677
2019-01-09 00:00:00
CVE-2018-20676
2019-01-09 00:00:00
cvelist
cvelist
CVE-2020-27511
2021-06-21 19:22:37
CVE-2018-20677
2019-01-09 05:00:00
CVE-2018-20676
2019-01-09 05:00:00
prion
prion
Design/Logic Flaw
2021-06-21 20:15:00
Design/Logic Flaw
2019-01-09 05:29:00
Design/Logic Flaw
2019-01-09 05:29:00
cve
cve
CVE-2020-27511
2021-06-21 20:15:08
CVE-2018-20677
2019-01-09 05:29:01
CVE-2018-20676
2019-01-09 05:29:01
jvn
jvn
JVN#06527859: KinagaCMS vulnerable to cross-site scripting
2019-03-15 00:00:00
hackerone
hackerone
Sifchain: Vulnerable javascript dependency at Main domain
2021-05-07 20:48:11
Sifchain: Cross-site Scripting (XSS) possible at https://sifchain.finance// via CVE-2019-8331 exploitation
2021-06-05 15:52:39
github
github
XSS vulnerability that affects bootstrap
2019-01-17 13:57:34
bootstrap Cross-site Scripting vulnerability
2019-01-17 13:57:56
Moderate severity vulnerability that affects bootstrap and bootstrap-sass
2019-02-22 20:54:27
redhatcve
redhatcve
CVE-2018-20677
2020-04-08 22:13:21
CVE-2018-20676
2020-04-04 17:27:53
CVE-2021-41182
2021-11-01 17:41:12
gitlab
gitlab
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
2019-01-09 00:00:00
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
2019-01-09 00:00:00
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
2019-02-20 00:00:00
veracode
veracode
Cross-Site Scripting (XSS)
2019-01-10 01:52:43
Cross-site Scripting (XSS)
2019-01-10 01:44:15
Cross-site Scripting (XSS)
2022-07-19 05:25:38
githubexploit
githubexploit
Exploit for Cross-site Scripting in Getbootstrap Bootstrap
2020-12-01 09:18:58
typo3
typo3
Cross-Site Scripting in Bootstrap CSS toolkit before 3.4.1 and 4.3.0
2019-05-07 00:00:00
nodejs
nodejs
Cross-Site Scripting
2019-05-22 18:03:13
alpinelinux
alpinelinux
CVE-2021-41182
2021-10-26 15:15:10
CVE-2021-41183
2021-10-26 15:15:10
cbl_mariner
cbl_mariner
CVE-2018-14040 affecting package boost 1.66.0-4
2024-06-26 03:08:26

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

8.4 High

AI Score

Confidence

High

0.008 Low

EPSS

Percentile

81.2%

JSON
Related for EBDC723595567382AB0913D873E6B4723469E7851CEA431EE2246E060EB1CE6A
osv21openvas19debian2nessus33ibm25redhat11ubuntu2fedora6f54checkpoint_advisories1rocky1oraclelinux2centos1almalinux1drupal2amazon1ics1debiancve6nvd7ubuntucve6cvelist6prion6cve4jvn1hackerone2github8redhatcve4gitlab4veracode6githubexploit1typo31nodejs1alpinelinux2cbl_mariner1