History: Sep 02, 2024 - 8:14 a.m.

Security Bulletin: IBM Jazz Reporting Services is vulnerable to cross-site scripting (CVE-2020-4051)

2024-09-02 08:14:42
www.ibm.com
ibm jazz reporting services
cross-site scripting
cve-2020-4051
dijit
editor's linkdialog plugin
web page
security context
cookie-based authentication
vulnerability
version 7.0.3
version 7.0.2
fixpack
ifix007
ifix030
csp
untrusted sources

CVSS2: 3.5
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3: 5.4
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

AI Score: 6.8
Confidence: High

Summary

Cross-site scripting has been identified in the Dojo library shipped with IBM Jazz Reporting Services (JRS). JRS has addressed the issue by releasing a fix.

Vulnerability Details

**CVEID:** CVE-2020-4051
**DESCRIPTION:** Dijit is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the Editor’s LinkDialog plugin. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/183740 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM Jazz Reporting Service | 7.0.3 |
| IBM Jazz Reporting Service | 7.0.2 |

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by upgrading to the fixpack specified below. An iFix version has been released for Jazz Reporting Service 7.0.3 and 7.0.2 so that users can protect themselves from this vulnerability. A robust Content Security Policy (CSP) was implemented to restrict the execution of scripts from untrusted sources.

| Product | Version | iFix | Remediation / First Fix |
|---|---|---|---|
| IBM Jazz Reporting Service | 7.0.3 | iFix007 | 7.0.3-IBM-ELM-iFix007 |
| IBM Jazz Reporting Service | 7.0.2 | iFix030 | 7.0.2-IBM-ELM-iFix030 |
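
The remediation text above mentions a CSP that restricts script execution from untrusted sources; the bulletin does not list the policy itself. As an added example (not IBM's code, and not the policy shipped in the iFix), the following JavaScript audits a Content-Security-Policy header value for script sources that would still let injected markup run. The function names and the sample policies are assumptions constructed for illustration.

```javascript
// Added example: audit a Content-Security-Policy value for script sources
// that would still let injected markup execute. Not IBM's code or policy.

function parseCsp(headerValue) {
  const directives = new Map();
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers: the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function auditScriptPolicy(headerValue) {
  const directives = parseCsp(headerValue);
  // script-src falls back to default-src when it is absent.
  const sources = directives.get('script-src') ?? directives.get('default-src');
  if (sources === undefined) {
    return ['no script-src or default-src: script execution is unrestricted'];
  }
  const lower = sources.map((s) => s.toLowerCase());
  const hasNonceOrHash = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  const strictDynamic = lower.includes("'strict-dynamic'");
  const findings = [];
  // Browsers ignore 'unsafe-inline' once a nonce or hash source is present.
  if (lower.includes("'unsafe-inline'") && !hasNonceOrHash) {
    findings.push("'unsafe-inline' permits injected inline script and event handlers");
  }
  if (lower.includes("'unsafe-eval'")) {
    findings.push("'unsafe-eval' permits string-to-code evaluation");
  }
  // With 'strict-dynamic', host and scheme sources are ignored by the browser.
  for (const s of strictDynamic ? [] : lower) {
    if (['*', 'http:', 'https:'].includes(s)) findings.push(`${s} permits script from any host`);
    if (['data:', 'blob:'].includes(s)) findings.push(`${s} permits attacker-supplied script bodies`);
  }
  return findings;
}

// Constructed sample policies (assumptions, not taken from the bulletin).
const SAMPLES = [
  "default-src 'self'; script-src 'self' 'unsafe-inline'",
  "script-src 'nonce-r4nd0m' 'strict-dynamic' https: 'unsafe-inline'; object-src 'none'",
];
for (const policy of SAMPLES) console.log(policy, '=>', auditScriptPolicy(policy));
```

Pass it the Content-Security-Policy response header observed from the patched server; an empty result means none of the listed weaknesses were found, not that the policy is complete.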

Workarounds and Mitigations

None

Affected configurations

Vulners node: ibm ibm_engineering_lifecycle_management_base, match 7.0.3 OR match 7.0.2

| Vendor | Product | Version | CPE |
|---|---|---|---|
| ibm | ibm_engineering_lifecycle_management_base | 7.0.3 | cpe:2.3:a:ibm:ibm_engineering_lifecycle_management_base:7.0.3:*:*:*:*:*:*:* |
| ibm | ibm_engineering_lifecycle_management_base | 7.0.2 | cpe:2.3:a:ibm:ibm_engineering_lifecycle_management_base:7.0.2:*:*:*:*:*:*:* |
