Direct links to fixes
APAR status
Closed as program error.
Error description
DETAIL OF PROBLEM:
The IBM Spectrum Control GUI is vulnerable to an XSS attack on the notification settings page. Malicious code can be injected into the page. The code is not stored in the page, but is activated when the victim opens the HTML they receive, which carries the vulnerable parameters.

RECREATE STEPS:
In the IBM Spectrum Control GUI, go to Settings - Alert Notifications (email).
Fill out the user name with the malicious code: <img src=xonerror=alert()>
Local fix
Problem summary
****************************************************************
* USERS AFFECTED:
* IBM Spectrum Control 5.2.x and 5.3.x users
****************************************************************
* PROBLEM DESCRIPTION:
* The IBM Spectrum Control GUI is vulnerable to an XSS attack on
* the email configuration settings on the notification settings
* page.
*
* Malicious code can be injected into the page.
* The code is not stored in the page, but is activated when the
* victim opens the HTML they receive, which carries the
* vulnerable parameters.
****************************************************************
* RECOMMENDATION:
* Apply fix maintenance when available
****************************************************************
Problem conclusion
The fix for this APAR is contained in the following releases:

IBM Spectrum Control 5.2.17.3 | 5.2.17-TIV-TPC-FP0003 | May 2019
IBM Spectrum Control 5.3.2 | 5.3.2-IBM-SC | Feb 2019

http://www.ibm.com/support/docview.wss?&uid=swg21320822
Temporary fix
Comments
APAR Information
APAR number
IT27939
Reported component name
TPC ADVANCED
Reported component ID
5608TPCA0
Reported release
52B
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2019-01-31
Closed date
2019-05-06
Last modified date
2019-05-07
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Modules/Macros
WAS
Fix information
Fixed component name
TPC ADVANCED
Fixed component ID
5608TPCA0
Applicable component levels
Document Information
Modified date:
24 June 2022