IBM Support

RS03052: ENTERPRISE CONSOLE VULNERABILITY OTG-INPVAL-001

Fixes are available

Operational Decision Manager V8.9.2.1 Fix Pack
Operational Decision Manager V8.9.2.0: Interim Fix 2
Operational Decision Manager V8.8.1.3: Interim Fix 85
Operational Decision Manager V8.8.1.3: Interim Fix 87
Operational Decision Manager V8.9.1.0: Interim Fix 27
Operational Decision Manager V8.8.1.3: Interim Fix 88
Operational Decision Manager V8.8.1.3: Interim Fix 89
Operational Decision Manager V8.8.1.3: Interim Fix 90
Operational Decision Manager V8.8.1.4 Fix Pack
Operational Decision Manager V8.8.1.3: Interim Fix 92
Operational Decision Manager V8.8.1.3: Interim Fix 93
Operational Decision Manager V8.8.1.3: Interim Fix 94
Operational Decision Manager V8.8.1.3: Interim Fix 95
Operational Decision Manager V8.8.1.3: Interim Fix 97
Operational Decision Manager V8.8.1.3: Interim Fix 98
Operational Decision Manager V8.8.1.3: Interim Fix 101
Operational Decision Manager V8.8.1.4: Interim Fix 8
Operational Decision Manager V8.9.2.0: Interim Fix 3

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • Enterprise console is affected by the following vulnerability:
OWASP category: OTG-INPVAL-001 - Testing for Reflected Cross
Site Scripting

https://www.owasp.org/index.php/Testing_for_Reflected_Cross_site
_scripting_(OTG-INPVAL-001)

Some parameters in some forms are vulnerable to XSS exploit.

Vulnerable forms and parameters:
TAB Explore - Check Action Rule - Edit
TAB Compose - Action Rule - OK
TAB Analyze - Generate Project Report - Generate Report
TAB Query - Generate Report on Query Results

Local fix

  • 



Problem summary


    

  • There was a vulnerability in the enterprise console.

    



Problem conclusion


    

  • The code was fixed.

    



Temporary fix


    

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    RS03052
    • 

  • Reported component name
    WS DECISION CTR
    • 

  • Reported component ID
    5725B6900
    • 

  • Reported release
    881
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2018-03-06
    • 

  • Closed date
    2018-03-07
    • 

  • Last modified date
    2018-03-07
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Modules/Macros


    

  • 999

    



Fix information


    

  • Fixed component name
    WS DECISION CTR
    • 

  • Fixed component ID
    5725B6900
    • 



Applicable component levels


    

  • R881  PSY
       UP
    • 








      
              
                            

              

              [{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSQP76","label":"IBM Operational Decision Manager"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"881","Line of Business":{"code":"LOB45","label":"Automation"}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            03 November 2021
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback