
Security Bulletin: IBM Content Navigator affected by reflected cross-site scripting issue <CVE-2014-8911>

2018-06-17 12:09:41
www.ibm.com

EPSS: 0.001 (Low), percentile 47.3%

Summary

Reflected cross-site scripting issue using the “Accept-Language” header parameter affects IBM Content Navigator.

Vulnerability Details

CVEID: CVE-2014-8911
DESCRIPTION: IBM Content Navigator is vulnerable to reflected cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/99252 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
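
The following is an added example, not IBM's code and not a description of the fix pack: one way to handle an “Accept-Language” value defensively is to parse it against the header grammar, map it to an allow-listed locale, and escape on output. The function names, the locale list, the length cap and the sample values are assumptions made for illustration.

```python
import html
import re

# language-range (RFC 4647 section 2.1): "*" or 1-8 letters plus "-subtag" parts
_RANGE = re.compile(r"\*|[A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*")
# qvalue weight (RFC 7231 section 5.3.1): 0 to 1 with at most three decimals
_QVALUE = re.compile(r"0(?:\.[0-9]{0,3})?|1(?:\.0{0,3})?")
MAX_HEADER_LEN = 256               # assumed cap, not from the bulletin
SUPPORTED = ("en", "fr", "de")     # hypothetical list of shipped locales


def parse_accept_language(value):
    """Return [(tag, q)] in preference order, or None if any element is malformed."""
    if value is None or len(value) > MAX_HEADER_LEN:
        return None
    prefs = []
    for item in value.split(","):
        tag, sep, param = item.strip().partition(";")
        if not tag and not sep:
            continue               # empty list element
        if not _RANGE.fullmatch(tag.strip()):
            return None            # markup characters never match the grammar
        q = 1.0
        if sep:
            name, eq, weight = (p.strip() for p in param.partition("="))
            if name.lower() != "q" or not eq or not _QVALUE.fullmatch(weight):
                return None
            q = float(weight)
        prefs.append((tag.strip().lower(), q))
    return sorted(prefs, key=lambda p: -p[1]) or None


def pick_locale(value, default="en"):
    """Map the header to an allow-listed locale; malformed input gets the default."""
    for tag, q in parse_accept_language(value) or []:
        primary = tag.split("-")[0]
        if q > 0 and primary in SUPPORTED:
            return primary
    return default


def render_lang_attr(value):
    """Only the allow-listed locale reaches the page, escaped for attribute context."""
    return '<html lang="%s">' % html.escape(pick_locale(value), quote=True)


if __name__ == "__main__":
    for sample in ("en-US,en;q=0.9", 'fr"><b>constructed</b>'):  # constructed samples
        print(repr(sample), "->", render_lang_attr(sample))
```

The same parser can flag requests for review: a header value for which `parse_accept_language` returns `None` does not come from a normal browser locale setting.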

Affected Products and Versions

IBM Content Navigator 2.0.3, 2.0.2, 2.0.1, and 2.0.0

IBM Content Navigator is a component that is available to customers in these products (and the products that contain them):

  • IBM Content Manager
  • IBM FileNet Content Manager
  • IBM Content Foundation
  • IBM Content Manager OnDemand

Remediation/Fixes

Version 2.0.3: Apply fix pack 2.0.3.2-ICN-FP002, or higher
Version 2.0.2: Apply fix pack 2.0.2.7-ICN-FP007, or higher
Version 2.0.1: Apply fix pack 2.0.1.2-ICN-FP002 and iFix 2.0.1.2-ICN-IF003
Version 2.0.0: Upgrade to Version 2.0.3 and apply fix pack 2.0.3.2-ICN-FP002, or higher

Workarounds and Mitigations

N/A

CPE
Name                   Operator  Version
ibm content navigator  eq        2.0.3
