ibmIBM12D45E5F5E1EDDF497F1E24A38D543BCADE35FA0B4410A5D61975790C5F66674
History: Oct 11, 2022 - 6:54 p.m.

Security Bulletin: A Security vulnerability found in Dojo Toolkit which is shipped with IBM Security Identity Management product (CVE-2018-15494)

2022-10-11 18:54:36
www.ibm.com

Tags: dojo toolkit, ibm security, cross-site scripting, cve-2018-15494, datagrid, update, authentication

CVSS2: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.005 Low
Percentile: 77.0%

Summary

A cross-site scripting issue exists in Dojo Toolkit, an open source package used by the IBM Security Identity Management product. IBM Security Identity Management has updated the affected packages as required.

Vulnerability Details

CVEID: CVE-2018-15494
DESCRIPTION: Dojo Toolkit is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the DataGrid component. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/148556 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

Affected Product(s) | Version(s)
ISIM | 6.0.0
ISIM | 6.0.2

Remediation/Fixes

IBM encourages customers to update their systems promptly.

Product | VRMF | Remediation
IBM Security Identity Manager | 6.0.2 | 6.0.2-ISS-SIM-FP0005
IBM Security Identity Manager | 6.0.0 | 6.0.0-ISS-SIM-FP0027

Workarounds and Mitigations

None

Affected configurations

ibm security_identity_manager Match 6.0.0
OR
ibm security_identity_manager Match 6.0.2
