IBM Maximo Application Suite - Manage Component update for Prism
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2024-53382 |
| CWE-ID | CWE-94 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
IBM Maximo Application Suite - Manage Component Server applications / Other server solutions |
| Vendor | IBM Corporation |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Code Injection
EUVDB-ID: #VU107489
Risk: Low
CVSSv4.0: 0.6 [CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-53382
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to Prism (aka PrismJS) allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript), because document.currentScript lookup can be shadowed by attacker-injected HTML elements.. A remote user can send a specially crafted request and execute arbitrary code on the target system.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Maximo Application Suite - Manage Component: before 8.6.24
CPE2.3 External linkshttps://www.ibm.com/support/pages/node/7230929
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
