Main Vulnerability Database Vulnerabilities #VU85

Cross-site scripting in IBM Cognos Business Intelligence Server - CVE-2016-0221

Published: July 4, 2016 / Updated: July 12, 2020

Vulnerability identifier: #VU85

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2016-0221

CWE-ID: CWE-352

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: IBM Corporation

Affected software:
IBM Cognos Business Intelligence Server

Detailed vulnerability description

The vulnerability allows a remote attacker to conduct cross-site scripting attacks.

The vulnerability exists due to improper validation of user-supplied input. A remote unauthenticated attacker can steal the victim's cookie-based authentication credentials by creating specially-crafted URL to execute script in a victim's web browser.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

How to mitigate CVE-2016-0221

Apply the fix for versions 10.1.1 and 10.2.x at:

10.1.1: http://www-01.ibm.com/support/docview.wss?uid=swg24042359
10.2.x: http://www-01.ibm.com/support/docview.wss?uid=swg24042360

Sources

http://www-01.ibm.com/support/docview.wss?uid=swg21984323

Cross-site scripting in IBM Cognos Business Intelligence Server - CVE-2016-0221

Detailed vulnerability description

How to mitigate CVE-2016-0221

Sources

Please verify you're human