IBM Cloud Private is vulnerable to reflected cross-site scripting attacks.
CVEID: CVE-2019-4120
DESCRIPTION: IBM Cloud Private is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/158146> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
IBM Cloud Private 2.1.x, 3.1.0, 3.1.1, 3.1.2
Product defect fixes and security updates are only available for the two most recent Continuous Delivery (CD) update packages.
For IBM Cloud Private 3.1.2, apply patch:
For IBM Cloud Private 3.1.1, apply patch:
For IBM Cloud Private 2.1.x, 3.1.0:
None