Lucene search

IBM342F98A5AF66BA189D7593471E5769C4D2C0869738DA62FB388CA3CFCD06D38D

HistoryAug 01, 2024 - 1:02 p.m.

Security Bulletin: Vulnerability in dojo-dojo-release-1.12.1 affects Cloud Pak System [CVE-2018-6561]

2024-08-0113:02:54

www.ibm.com

dojo toolkit

cross-site scripting

vulnerability

cloud pak system

ibm

authentication credentials

security bulletin

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Score

Confidence

High

EPSS

0.001

Percentile

38.5%

JSON

Summary

Vulnerability in dojo-dojo-release-1.12.1 affects Cloud Pak System.

Vulnerability Details

CVEID:CVE-2018-6561
**DESCRIPTION:**Dojo Toolkit is vulnerable to cross-site scripting in dijit.Editor, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using the ‘onload’ attribute of an SVG element to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/138648 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

Remediation/Fixes

For unsupported versions the recommendation is to upgrade to supported version of the product.

This security bulletin applies to Cloud Pak System, Cloud Pak System Software, Cloud Pak System Software Suite.

IBM strongly recommends addressing the vulnerability now by applying the fix below.

For Cloud Pak System V2.3.1.1, V2.3.2.0,
Upgrade to Cloud Pak System v2.3.3.7 and apply V2.3.3.7 Interim Fix 01 at IBM Fix Central.
information on upgrading here <https://www.ibm.com/support/pages/node/6982511>

For Cloud Pak System V2.3.3.7,
Apply Cloud Pak System V2.3.3.7 Interim Fix 01 at IBM Fix Central.

information on upgrading available at <http://www.ibm.com/support/docview.wss?uid=ibm10887959>

For Cloud Pak System for Intel

Upgrade to Cloud Pak System v2.3.4.0 at Fix Central

Information on upgrading here <http://www.ibm.com/support/docview.wss?uid=ibm10887959>

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmcloud_pak_systemMatch2.3

VendorProductVersionCPE
ibmcloud_pak_system2.3cpe:2.3:a:ibm:cloud_pak_system:2.3:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ibm	cloud_pak_system	2.3	cpe:2.3:a:ibm:cloud_pak_system:2.3:::::::*

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Score

Confidence

High

EPSS

0.001

Percentile

38.5%

JSON

Related for 342F98A5AF66BA189D7593471E5769C4D2C0869738DA62FB388CA3CFCD06D38D