Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBMC154944314CBD05A310B55194927F06053F47FBFE975A7A5C3C34FC547CC8907
HistoryJan 13, 2023 - 11:06 p.m.

Security Bulletin: IBM Maximo Asset Management is vulnerable to cross-site scripting (CVE-2021-20374)

2023-01-1323:06:35
www.ibm.com
24
ibm maximo asset management
stored cross-site scripting
vulnerability
update
fix pack
interim fix

3.5 Low

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

19.6%

JSON

Summary

IBM Maximo Asset Management is vulnerable to stored cross-site scripting.

Vulnerability Details

CVEID:CVE-2021-20374
**DESCRIPTION:**IBM Maximo Asset Management is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/195522 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

Affected Products and Versions

This vulnerability affects the following versions of the IBM Maximo Asset Management core product. Older versions of Maximo Asset Management may be impacted. The recommended action is to update to the latest version.

Maximo Asset Management core product versions affected:

Affected Product(s) Version(s)
IBM Maximo Asset Management 7.6.1

Industry Solutions products affected if using an affected core version:
Maximo for Aviation
Maximo for Life Sciences
Maximo for Nuclear Power
Maximo for Oil and Gas
Maximo for Transportation
Maximo for Utilities

IBM Control Desk products affected if using an affected core version:
SmartCloud Control Desk
IBM Control Desk
Tivoli Integration Composer

  • To determine the core product version, log in and view System Information. The core product version is the β€œTivoli’s process automation engine” version. Please consult the Product Coexistence Matrix for a list of supported product combinations.

Remediation/Fixes

The recommended solution is to download the appropriate Interim Fix or Fix Pack from Fix Central (What is Fix Central?) and apply for each affected product as soon as possible. Please see below for information on the fixes available for each product, version, and release. Follow the installation instructions in the β€˜readme’ documentation provided with each fix pack or interim fix.

For Maximo Asset Management 7.6.1:

VRM Fix Pack, Feature Pack, or Interim Fix Download
7.6.1.3 Maximo Asset Management 7.6.1.3 Feature Pack 7.6.1.3-TIV-MAMMT-FP003 or latest Interim Fix available FixCentral
7.6.1.2 Maximo Asset Management 7.6.1.2 iFix 7.6.1.2-TIV-MBS-IF008 or latest Interim Fix available FixCentral
7.6.1.1

Maximo Asset Management 7.6.1.1 iFix 7.6.1.1-TIV-MBS-IF014 or latest Interim Fix available

|

FixCentral

Workarounds and Mitigations

Use the following steps to ensure that the vulnerability is addressed:
1. Go to System Properties application, search webclient.richtext.truncate
2. Ensure the value is set to 1. This is the secure setting.
3. If needed, save and perform a Live Refresh.

Note that rich text will be limited to 1M bytes

Affected configurations

Vulners
Node
ibmmaximo_asset_managementMatch7.6.1
OR
ibmmaximo_linear_asset_managerMatch7.6.0.3
OR
ibmmaximo_linear_asset_managerMatch7.6.0.2
OR
ibmmaximo_linear_asset_managerMatch7.6.0.
OR
ibmcontrol_deskMatch7.6.1
OR
ibmmaximo_for_transportationMatch7.6.2.5
OR
ibmmaximo_for_transportationMatch7.6.2.4
OR
ibmmaximo_for_transportationMatch7.6.2.3
OR
ibmmaximo_for_nuclear_powerMatch7.6.1
OR
ibmmaximo_for_service_providersMatch7.6.3.3
OR
ibmmaximo_for_service_providersMatch7.6.3.2
OR
ibmmaximo_for_service_providersMatch7.6.3.1
OR
ibmmaximo_calibrationMatch7.6
OR
ibmmaximo_asset_configuration_managerMatch7.6.7.1
OR
ibmmaximo_asset_configuration_managerMatch7.6.7
OR
ibmmaximo_asset_configuration_managerMatch7.6.6
OR
ibmmaximo_asset_management_schedulerMatch7.6.7.3
OR
ibmmaximo_asset_management_schedulerMatch7.6.7.1
OR
ibmmaximo_asset_management_schedulerMatch7.6.7
OR
ibmmaximo_for_aviationMatch7.6.8
OR
ibmmaximo_for_aviationMatch7.6.7
OR
ibmmaximo_for_aviationMatch7.6.6
OR
ibmmaximo_for_oil_and_gasMatch7.6.1
OR
ibmmaximo_for_utilitiesMatch7.6.0.2
OR
ibmmaximo_for_utilitiesMatch7.6.0.1
OR
ibmmaximo_spatial_asset_managementMatch7.6.0.5
OR
ibmmaximo_spatial_asset_managementMatch7.6.0.4
OR
ibmmaximo_spatial_asset_managementMatch7.6.0.3
OR
ibmmaximo_spatial_asset_managementMatch7.6.0.2
OR
ibmmaximo_for_life_sciencesMatch7.6

Related

nvd 1
cve 1
prion 1
cvelist 1
nvd
nvd
CVE-2021-20374
2021-05-19 20:15:07
cve
cve
CVE-2021-20374
2021-05-19 20:15:07
prion
prion
Cross site scripting
2021-05-19 20:15:00
cvelist
cvelist
CVE-2021-20374
2021-05-18 00:00:00

3.5 Low

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

19.6%

JSON
Related for C154944314CBD05A310B55194927F06053F47FBFE975A7A5C3C34FC547CC8907
nvd1cve1prion1cvelist1