Vulnerability identifier: #VU13182
Vulnerability risk: Low
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-59
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
IBM InfoSphere Information Server for Cloud
Server applications /
Other server solutions
IBM InfoSphere Information Server
Server applications /
Database software
IBM InfoSphere Information Analyzer
Server applications /
Database software
IBM InfoSphere Information Governance Catalog
Server applications /
Database software
IBM InfoSphere Data Click
Server applications /
Database software
IBM InfoSphere Metadata Asset Manager
Server applications /
Database software
IBM InfoSphere Data Quality Exception Console
Server applications /
Database software
IBM InfoSphere Data Quality Console
Server applications /
Database software
IBM InfoSphere Information Server Business Glossary
Server applications /
Database software
IBM InfoSphere Information Server Metadata Workbench
Server applications /
Database software
Vendor: IBM Corporation
Description
The vulnerability allows a remote attacker to execute a cross-frame scripting (XFS) attack.
The weakness exists due to insufficient protections for HTML inline frames (iframes). A remote attacker can trick the victim into visiting a specially crafted website, load valid content from the target system within an HTML iframe and attempt to conduct cross-site scripting, cross-site request forgery, clickjacking, or phishing attacks.
Mitigation
Install update from vendor's website.
Vulnerable software versions
IBM InfoSphere Information Server for Cloud: 11.5 - 11.7
IBM InfoSphere Information Server: 11.3 - 11.7
IBM InfoSphere Information Analyzer: 11.5 - 11.7
IBM InfoSphere Information Governance Catalog: 11.3 - 11.7
IBM InfoSphere Data Click: 11.3 - 11.7
IBM InfoSphere Metadata Asset Manager: 11.3 - 11.7
IBM InfoSphere Data Quality Exception Console: 11.5 - 11.7
IBM InfoSphere Data Quality Console: 11.3
IBM InfoSphere Information Server Business Glossary: 9.1
IBM InfoSphere Information Server Metadata Workbench: 9.1
External links
http://www-01.ibm.com/support/docview.wss?uid=swg22014911
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.