Medium Severity

IBM Security Bulletin: IBM Maximo Asset Management is vulnerable to cross-site scripting (CVE-2018-1872)


IBM Maximo Asset Management is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, altering the intended functionality and potentially leading to credentials disclosure within a trusted session.

CVE(s): CVE-2018-1872

Affected product(s) and affected version(s):

This vulnerability affects the following versions of the IBM Maximo Asset Management core product, and all other IBM Maximo Industry Solution and IBM Control Desk products, regardless of their own version, if they are currently installed on top of an affected IBM Maximo Asset Management core version. *

Maximo Asset Management core product affected versions:
Maximo Asset Management 7.6

Industry Solutions products affected if using an affected core version:
Maximo for Aviation
Maximo for Life Sciences
Maximo for Nuclear Power
Maximo for Oil and Gas
Maximo for Transportation
Maximo for Utilities

IBM Control Desk products affected if using an affected core version:
SmartCloud Control Desk
IBM Control Desk
Tivoli Integration Composer

* To determine the core product version, log in and view System Information. The core product version is the “Tivoli’s process automation engine” version. Please consult the Product Coexistence Matrix for a list of supported product combinations.

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://www-01.ibm.com/support/docview.wss?uid=ibm10737461
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/151330
