Lucene search

IBMD46AF5137A629797384538E14FFEA0F2D48C71DBB19D1ED90D5213CAEDD3ECB2

HistoryMar 21, 2024 - 12:19 p.m.

Security Bulletin: IBM License Metric Tool is vulnerable to cross-script scripting due to use of jQuery Cookie.

2024-03-2112:19:46

www.ibm.com

ibm license metric tool

jquery

cross-site scripting

user input

vulnerability

remote attacker

web page

security context

authentication

credentials

cvss

upgrade

ilmt server

version 9.2.35

mitigation

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Score

6.8

Confidence

High

EPSS

0.001

Percentile

30.0%

JSON

Summary

jQuery is used by IBM License Metric Tool to provide UI functionality and process user-supplied input.

Vulnerability Details

CVEID:CVE-2022-23395
**DESCRIPTION:**jQuery Cookie is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 7.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/220985 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM License Metric Tool	9.2.0 - 9.2.34

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by upgrading to the latest ILMT Server version 9.2.35 or later using the following procedure:
<https://www.ibm.com/docs/en/license-metric-tool?topic=tool-upgrading-latest-version>

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmlicense_metric_toolMatch9.2

VendorProductVersionCPE
ibmlicense_metric_tool9.2cpe:2.3:a:ibm:license_metric_tool:9.2:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ibm	license_metric_tool	9.2	cpe:2.3:a:ibm:license_metric_tool:9.2:::::::*

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Score

6.8

Confidence

High

EPSS

0.001

Percentile

30.0%

JSON

Related for D46AF5137A629797384538E14FFEA0F2D48C71DBB19D1ED90D5213CAEDD3ECB2