
Security Bulletin: IBM Content Navigator is potentially vulnerable to cross-site scripting, caused by improper validation of user-supplied input (CVE-2015-1888)

2018-06-17 12:10:35
www.ibm.com
EPSS: 0.001 (Low); Percentile: 27.4%

Summary

IBM Content Navigator is potentially vulnerable to cross-site scripting, caused by improper validation of user-supplied input.

Vulnerability Details

CVEID: CVE-2015-1888
IBM Content Navigator is vulnerable to cross-site scripting. The vulnerability is caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/101262 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

Affected Products and Versions

IBM Content Navigator 2.0.3

IBM Content Navigator is a component that is available to customers in these products (and the products that contain them):

  • IBM Content Manager
  • IBM FileNet Content Manager
  • IBM Content Foundation
  • IBM Content Manager OnDemand

Remediation/Fixes

Version 2.0.2: Apply fix pack 2.0.2-ICN-FP007, or higher

Version 2.0.3: Apply fix pack 2.0.3-ICN-FP003, or higher

Workarounds and Mitigations

None
