Medium Severity

IBM Security Bulletin: IBM Maximo Asset Management is affected by a cross-site scripting vulnerability. (CVE-2018-1554)

Share this post:

IBM Maximo Asset Management is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

CVE(s): CVE-2018-1554

Affected product(s) and affected version(s):

This vulnerability affects the following versions of the IBM Maximo Asset Management core product, and all other IBM Maximo Industry Solution and IBM Control Desk products, regardless of their own version, if they are currently installed on top of an affected IBM Maximo Asset Management. *

Maximo Asset Management core product affected versions:

Maximo Asset Management 7.6

Industry Solutions products affected if using an affected core version:

Maximo for Aviation

Maximo for Government

Maximo for Life Sciences

Maximo for Nuclear Power

Maximo for Oil and Gas

Maximo for Transportation

Maximo for Utilities

IBM Control Desk products affected if using an affected core version:

SmartCloud Control Desk

IBM Control Desk

Tivoli Integration Composer

* To determine the core product version, log in and view System Information. The core product version is the “Tivoli’s process automation engine” version. Please consult the Product Coexistence Matrix for a list of supported product combinations.

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://www-01.ibm.com/support/docview.wss?uid=ibm10713695
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/142891

More stories

Security Bulletin: Due to use of Hibernate Validator version 6.1.2.Final IBM Tivoli Network Manager is vulnerable which allows attackers to bypass input sanitation (escaping, stripping) controls(CVE-2020-10693, CVE-2019-10219).

July 4, 2022 | Medium Severity

A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages. A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack. ...read more


Security Bulletin: IBM App Connect Enterprise and IBM Integration Bus are vulnerable to arbitrary code execution due to node.js minimist module ( CVE-2022-44906)

July 4, 2022 | Medium Severity

IBM App Connect Enterprise and IBM Integration Bus are vulnerable to arbitrary code execution due to the node.js minimist module ( CVE-2022-44906). A mitigation has been provided for IBM Integration Bus. The latest fix packs for IBM App Connect Enterprise includes minimist 1.2.6 ...read more


Security Bulletin: IBM App Connect Enterprise and IBM Integration Bus are vulnerable to multiple openSSL vulnerabilities in Node.js (CVE-2022-1434, CVE-2022-1343, CVE-2022-1473)

July 4, 2022 | Medium Severity

IBM App Connect Enterprise and IBM Integration Bus are vulnerable to a man-in-the-middle attack, remote attacker bypassing security restrictions and denial of service due to openSSL vulnerabilities in Node.js (CVE-2022-1434, CVE-2022-1343, CVE-2022-1473). IBM App Connect provides a fix/fix pack including openSSL 1.1.1o. Mitigation steps to disable node.js have been recommended for IBM Integration Bus ...read more