IBM fixed a cross-site scripting vulnerability in two products last month that could have let an attacker execute malicious JavaScript code in a victim’s browser to steal sensitive information or user credentials.
The vulnerability (CVE-2017-1500) lingered in the products, Worklight and MobileFirst, for almost a year. Gabriele Gristina, a security consultant for the Italian information security firm Emaze Networks, first found the bug last summer, on August 29, 2016.
> [#security](<https://twitter.com/hashtag/security?src=hash&ref_src=twsrc%5Etfw>) [#advisory](<https://twitter.com/hashtag/advisory?src=hash&ref_src=twsrc%5Etfw>) is on the way 📝 CVE-2017-1500 [#infosec](<https://twitter.com/hashtag/infosec?src=hash&ref_src=twsrc%5Etfw>) <https://t.co/xGWFyFbF4R>
>
> — Matrix (@gm4tr1x) [August 1, 2017](<https://twitter.com/gm4tr1x/status/892498196538298369?ref_src=twsrc%5Etfw>)
Gristina found the vulnerability, technically a reflected XSS in the products’ OAuth Server’s Web API, while performing a penetration test on a mobile app. The app he was pentesting didn’t have any bugs, but he was surprised when he encountered a vulnerability in the framework itself.
“Generally I always find many security issues in every ‘target,’” Gristina told Threatpost. “When I tested this mobile application I found minor issues and I did not believe it, so I started to fuzz the IBM security framework and after a little while I found the XSS vulnerability.”
The app was written using MobileFirst, a mobile application development platform formerly known as Worklight, made by IBM. The product lets developers build apps, see how they look on different devices, and manage how push notifications from the apps are sent to devices.
The problem, Gristina says, is that the framework didn’t properly validate the untrusted input in a GET parameter present in an authorization function exposed by the RESTful web API.
“In detail, the logout functionality returns an HTTP 403 Forbidden if the value of the ‘scope’ parameter is not defined in the ‘authenticationConfig.xml’ and reflects it without proper validation in the response body,” Gristina wrote in a disclosure – accompanied by a proof-of-concept – [on Wednesday](<http://seclists.org/fulldisclosure/2017/Aug/1>).
The researcher adds that exploiting the vulnerability would be relatively easy: an attacker would just have to append a payload to the original value present in the GET parameter “scope.”
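The pattern described above, a 403 error page that echoes an unknown realm name straight into an HTML body, is easy to reproduce and easy to fix. The following is an added example, not IBM's code and not taken from the disclosure: a minimal stand-in for the logout handler, first with the reflecting behaviour the article describes and then hardened with an allow-list check on the parameter's syntax plus HTML escaping of anything that is echoed. The realm names, the URL layout, and the function names are assumptions; only the ‘scope’ parameter and the “not defined in authenticationConfig.xml” wording come from the page.

```python
"""Added example (not IBM's code): reflected value in an error body,
vulnerable handler beside a hardened one."""
import html
import re
from typing import Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the realms a deployment would declare in
# authenticationConfig.xml. Names are assumptions, not IBM defaults.
CONFIGURED_REALMS = {"WSAuthRealm", "SampleAppRealm"}

# Assumed syntax for a realm identifier: letters, digits, '_', '.', '-'.
REALM_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def scope_from_url(url: str) -> str:
    """Pull the raw, percent-decoded 'scope' query value out of a request URL."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("scope", [""])[0]


def logout_vulnerable(url: str) -> Tuple[int, str]:
    """Mirrors the behaviour the advisory reports: an unknown realm produces a
    403 whose text/html body contains the untrusted parameter unmodified."""
    realm = scope_from_url(url)
    if realm not in CONFIGURED_REALMS:
        body = (f"Logout failed: The realm '{realm}' "
                "is not defined in authenticationConfig.xml.")
        return 403, body
    return 200, "Logged out"


def logout_hardened(url: str) -> Tuple[int, str]:
    """Same logic with two defences:
    1. a value that does not even look like a realm identifier is rejected
       without being echoed at all;
    2. a well-formed but unknown value is HTML-escaped before it is placed
       in an HTML body, so it cannot break out of the surrounding text."""
    realm = scope_from_url(url)
    if not REALM_RE.fullmatch(realm):
        return 403, "Logout failed: invalid scope parameter."
    if realm not in CONFIGURED_REALMS:
        body = (f"Logout failed: The realm '{html.escape(realm, quote=True)}' "
                "is not defined in authenticationConfig.xml.")
        return 403, body
    return 200, "Logged out"


def body_contains_markup(body: str) -> bool:
    """Cheap response check a test suite can run: any angle bracket left
    unescaped in an error body is a reflection worth investigating."""
    return "<" in body or ">" in body


if __name__ == "__main__":
    # Constructed request using the classic probe string from the disclosure.
    probe = ("https://mfp.example.test/authorization/v1/authorization"
             "?client_id=demo&scope=WSAuthRealm%22%3E%3Cscript%3Ealert(1)%3C/script%3E")
    for name, handler in (("vulnerable", logout_vulnerable),
                          ("hardened", logout_hardened)):
        status, body = handler(probe)
        print(f"{name}: {status} markup_reflected={body_contains_markup(body)}")
        print("   ", body)
```

Two design notes. The regex allow-list does most of the work here: the error path never sees a value it cannot describe safely, so the escaping in the second branch is defence in depth rather than the only barrier. Separately, an error body like this has no reason to be served as `text/html` at all; returning it as `text/plain` removes the browser's incentive to interpret whatever was reflected.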
IBM confirmed the vulnerability in an entry on its [X-Force Exchange service](<https://exchange.xforce.ibmcloud.com/vulnerabilities/129404>) on Monday and said it would require a low level of complexity and privileges to exploit. The vulnerability received a modest CVSS 3.0 base score of 5.4, but it could let a user embed arbitrary code in the Web UI, something that would alter the intended functionality and, in turn, lead to credential disclosure in a trusted session, IBM warned.
The company pushed patches to remedy the flaw in two affected products, Worklight Enterprise Edition and MobileFirst Platform Foundation, two weeks ago, according to Gristina.
It’s unclear why it took IBM so long to patch the vulnerability. Gristina told Threatpost Wednesday he’s been wondering the same thing.
“Probably a business choice? Certainly I do not think it is a technical problem, since the solution is very simple,” Gristina said.
Until updated, versions 6.1 and 6.2 of Worklight and 6.3, 7.0, 7.1, and 8.0 of MobileFirst are vulnerable. Users can download the fixes, [bringing the platform to versions](<https://www-01.ibm.com/support/docview.wss?uid=swg2C1000316>) 6.1.0.2, 6.2.0.1, 6.3.0.0, 7.0.0.0, 7.1.0.0, 8.0.0.0, via IBM’s FixCentral portal.