Security Bulletin: IBM Maximo Asset Management - A security vulnerability has been identified in IBM WebSphere Application Server shipped with Maximo Asset and Service Management (CVE-2024-35153)

Summary

IBM WebSphere Application Server is shipped as a component of Maximo Asset Management, Maximo Industry Solutions (including Maximo for Nuclear Power, Maximo for Transportation, Maximo for Life Sciences, Maximo for Oil and Gas, and Maximo for Utilities), Maximo Adapter for Primavera, SmartCloud Control Desk, and TRIRIGA Energy Optimization. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.

Vulnerability Details

CVEID:CVE-2024-35153
**DESCRIPTION:**IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 292640.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/292640 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

Maximo Asset Management core product versions affected:

Maximo Asset Management

Maximo Asset Management

|

7.6.1.2

7.6.1.3

|

IBM WebSphere Application Server 9.0
IBM WebSphere Application Server 8.5.5 Full Profile

• To determine the core product version, log in and view System Information. The core product version is the “Tivoli’s process automation engine” version. Please consult the Platform Matrix for a list of supported product combinations.

Remediation/Fixes

<https://www.ibm.com/support/pages/node/7158662&gt;

Workarounds and Mitigations

None