Jun 16, 2018 - 7:52 p.m.

Security Bulletin: Vulnerability in JSoup affects IBM Forms Experience Builder (CVE-2015-6748)

2018-06-16 19:52:05
www.ibm.com

CVSS3: 6.1 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS2: 4.3 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Summary

IBM Forms Experience Builder has addressed a JSoup vulnerability that allows a remote attacker to use a specially crafted URL to access user authentication credentials.

Vulnerability Details

CVE-ID: CVE-2015-6748
Description: JSoup is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the SafeHTML validator. A remote attacker could exploit this vulnerability using a specially crafted URL. Once the URL is clicked, a script is executed in the victim’s Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base Score: 6.100
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/106163> for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

IBM Forms Experience Builder 8.5
IBM Forms Experience Builder 8.5.1
IBM Forms Experience Builder 8.6

Remediation/Fixes

| Product | VRMF | APAR | Remediation |
|---|---|---|---|
| IBM Forms Experience Builder | 8.5.0. | LO87135 | Download and Install 8.5.1.1 |
| IBM Forms Experience Builder | 8.5.1. | LO87135 | |
| IBM Forms Experience Builder | 8.6.0.* | LO87135 | Download and Install 8.6.2.1 |
