ibm / IBM / DFB658004158F6507CF91B141342AE33954840D4B651E91A0B6C0DF6D5AEFA5A
History: Jul 30, 2021 - 5:04 a.m.

Security Bulletin: A vulnerability has been found in IBM Cloud Pak for Applications v4.3 that exposes a cross-site scripting attack due to a dynamically constructed href attribute

2021-07-30 05:04:58
www.ibm.com
9
Tags: ibm cloud pak, applications, vulnerability, cross-site scripting, attack, dynamically constructed href, web ui, credentials disclosure, trusted session

EPSS

0.001

Percentile

19.6%

Summary

A vulnerability has been found in IBM Cloud Pak for Applications v4.3 that exposes a cross-site scripting attack due to a dynamically constructed href attribute

Vulnerability Details

CVEID: CVE-2021-20361
**DESCRIPTION:** IBM Cloud Pak for Applications is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
CVSS Base score: 5.4
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/195032 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
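The bulletin names the root cause as an href attribute assembled from user-controlled input. The JavaScript below is an added example of the defensive pattern for that class of bug; it is not IBM's code and not the fix shipped in Cloud Pak for Applications 4.3.1. The function names (`sanitizeHref`, `escapeHtmlAttr`, `renderLink`, `classifyTargets`), the base URL, the scheme allowlist and the sample link targets are all assumptions made for illustration. It parses the untrusted value with the WHATWG `URL` class, allows only an explicit set of schemes, and escapes the result before placing it in an attribute, so the link either resolves to an allowed destination or is rendered as inert text.

```javascript
// Added example (not IBM's code): building an href from untrusted input safely.
// Assumed names and values: sanitizeHref, escapeHtmlAttr, renderLink,
// classifyTargets, the base URL and the scheme allowlist are illustrative.

// Schemes a user-supplied link target may use. "javascript:" and "data:" are
// deliberately absent: an anchor with either scheme executes or loads content
// in the viewer's page, which is the XSS pattern the bulletin describes.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:', 'mailto:']);

// Resolve `input` against `base` and return a normalised absolute URL string if
// its scheme is allowed, or null if it is unparsable or uses another scheme.
function sanitizeHref(input, base = 'https://app.example.invalid/') {
  if (typeof input !== 'string') return null;
  // Drop ASCII control characters before parsing. Browsers ignore tabs and
  // newlines inside a scheme, so a naive string-prefix check on the raw value
  // can disagree with what the browser will actually do; checking the parsed
  // .protocol after stripping avoids that mismatch.
  const cleaned = input.replace(/[\u0000-\u001f\u007f]/g, '').trim();
  let url;
  try {
    url = new URL(cleaned, base);
  } catch {
    return null; // unparsable input is treated as untrusted
  }
  return ALLOWED_PROTOCOLS.has(url.protocol) ? url.href : null;
}

// Escape the five characters that can close a quoted attribute or start
// markup; used for both attribute values and element text.
function escapeHtmlAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Render the anchor as HTML. A rejected target is shown as plain text with no
// href at all rather than silently linking somewhere else.
function renderLink(label, target) {
  const text = escapeHtmlAttr(label);
  const safe = sanitizeHref(target);
  if (safe === null) {
    return `<span class="blocked-link">${text}</span>`;
  }
  return `<a href="${escapeHtmlAttr(safe)}" rel="noopener noreferrer">${text}</a>`;
}

// Constructed sample link targets, as a UI might receive them from a form field.
const SAMPLE_TARGETS = [
  'https://docs.example.invalid/guide?x=1',
  '/settings/profile',
  'javascript:void(0)',
  'java\tscript:void(0)',
  'data:text/html,hello',
];

// Report which sample targets survive sanitisation (returned, not printed).
function classifyTargets(targets = SAMPLE_TARGETS) {
  return targets.map((t) => ({ target: t, href: sanitizeHref(t) }));
}
```

Of the five constructed targets only the first two are linkable; the other three are rendered as a non-clickable span. Rendering through `renderLink` rather than concatenating the raw value into markup also closes the second half of the problem, a label or URL containing quotes or angle brackets breaking out of the attribute.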

Affected Products and Versions

| Affected Product(s) | Version(s) |
| --- | --- |
| IBM Cloud Pak for Applications | All |

Remediation/Fixes

IBM Cloud Pak for Applications 4.3.1 is updated so that users can no longer embed arbitrary JavaScript code in the Web UI, closing the path by which the intended functionality could be altered and credentials disclosed within a trusted session. No separate APAR is provided.

Workarounds and Mitigations

None
