Medium Severity

IBM Security Bulletin: IBM Maximo Asset Management is affected by a cross-site scripting vulnerability. (CVE-2018-1554)

Share this post:

IBM Maximo Asset Management is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

CVE(s): CVE-2018-1554

Affected product(s) and affected version(s):

This vulnerability affects the following versions of the IBM Maximo Asset Management core product, and all other IBM Maximo Industry Solution and IBM Control Desk products, regardless of their own version, if they are currently installed on top of an affected IBM Maximo Asset Management. *

Maximo Asset Management core product affected versions:

Maximo Asset Management 7.6

Industry Solutions products affected if using an affected core version:

Maximo for Aviation

Maximo for Government

Maximo for Life Sciences

Maximo for Nuclear Power

Maximo for Oil and Gas

Maximo for Transportation

Maximo for Utilities

IBM Control Desk products affected if using an affected core version:

SmartCloud Control Desk

IBM Control Desk

Tivoli Integration Composer

* To determine the core product version, log in and view System Information. The core product version is the “Tivoli’s process automation engine” version. Please consult the Product Coexistence Matrix for a list of supported product combinations.

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://www-01.ibm.com/support/docview.wss?uid=ibm10713695
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/142891

More stories

IBM Security Bulletin:IBM SDK, Java Technology Edition Quarterly CPU – Oct 2018 – Includes Oracle Oct.2018 CPU affects DB2 Recovery Expert for Linux, Unix and Windows

Aug 22, 2019 9:00 am EDT | Medium Severity

There is vulnerability in IBM® Runtime Environment Java™ Version Java 1.8.0 SR5 FP16 and earlier used by DB2 Recovery Expert for Linux, Unix and Windows. These issues were disclosed as part of the IBM Java SDK updates in Oct. 2018. CVE(s): CVE-2018-3180 Affected product(s) and affected version(s): DB2 Recovery Expert for LUW 5.1 DB2 Recovery ...read more


IBM Security Bulletin: Multiple vulnerabilities in Open Source Libreswan affect IBM Netezza Host Management

Aug 21, 2019 9:01 am EDT | Medium Severity

Open Source Libreswan is used by IBM Netezza Host Management. IBM Netezza Host Management has addressed the applicable CVEs. CVE(s): CVE-2019-12312, CVE-2019-10155 Affected product(s) and affected version(s): IBM Netezza Host Management 5.4.7.0 – 5.4.24.0 Refer to the following reference URLs for remediation and additional vulnerability details:Source Bulletin: http://www.ibm.com/support/docview.wss?uid=ibm10961690X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/161562X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/162652 ...read more


IBM Security Bulletin: Multiple vulnerabilities in Spring Framework affect IBM InfoSphere Information Server

Aug 21, 2019 9:01 am EDT | Medium Severity

Multiple vulnerabilities in Spring Framework were addressed by IBM InfoSphere Information Server. CVE(s): CVE-2015-5211, CVE-2015-3192 Affected product(s) and affected version(s):The following product, running on all supported platforms, is affected: IBM InfoSphere Information Server : versions 11.7 Refer to the following reference URLs for remediation and additional vulnerability details:Source Bulletin: http://www.ibm.com/support/docview.wss?uid=ibm10887121X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/130673X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/115554 ...read more