Medium Severity

IBM Security Bulletin: IBM Maximo Asset Management is vulnerable to cross-site scripting (CVE-2019-4303)


IBM Maximo Asset Management is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
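The bulletin names the vulnerability class but not the affected page or parameter, so the following is an added, generic illustration of the defect and its standard remediation; it is not IBM's or Maximo's code and the function names, template and sample input are assumptions made for the example. It places a user-controlled value into HTML once without encoding (the pattern behind stored and reflected cross-site scripting) and once through a context-aware HTML encoder, then counts how many markup tags the rendered fragment contains: the template itself contributes exactly two, so any further tag must have come from the untrusted value.

```javascript
// Added example (not IBM Maximo code): HTML encoding as the remediation for
// cross-site scripting in a web UI. All names below are hypothetical.

// Encode a value for insertion into an HTML element body or a quoted
// attribute value. Each character that can open or close markup, or break
// out of a quoted attribute, is replaced by its entity.
function encodeForHtml(untrusted) {
  const entities = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#x27;',
    '/': '&#x2F;',
  };
  return String(untrusted).replace(/[&<>"'/]/g, (ch) => entities[ch]);
}

// Vulnerable pattern: the untrusted value is concatenated straight into
// markup, so any tag it carries becomes part of the page.
function renderUnsafe(displayName) {
  return '<span class="user">' + displayName + '</span>';
}

// Hardened pattern: the same template, but the value is encoded first and
// therefore renders as literal text.
function renderSafe(displayName) {
  return '<span class="user">' + encodeForHtml(displayName) + '</span>';
}

// Count the markup tags (opening or closing) in a rendered fragment. The
// fixed template above contributes exactly two; anything beyond that was
// injected by the value.
function countTags(html) {
  const matches = html.match(/<\/?[a-z][a-z0-9]*/gi);
  return matches ? matches.length : 0;
}

// Constructed sample input (not from the bulletin): a display name that
// carries an image tag with an event handler attribute.
const SAMPLE_NAME = '<img src=x onerror="alert(1)">';

// Render the sample both ways and report the tag counts.
function demo() {
  const unsafe = renderUnsafe(SAMPLE_NAME);
  const safe = renderSafe(SAMPLE_NAME);
  return {
    unsafe,
    safe,
    unsafeTags: countTags(unsafe), // 3: the injected <img> made it into the markup
    safeTags: countTags(safe),     // 2: only the template's own <span> and </span>
  };
}
```

Calling `demo()` shows the encoded rendering as `<span class="user">&lt;img src=x onerror=&quot;alert(1)&quot;&gt;</span>`, which a browser displays as text rather than executing. The encoder is for HTML body and attribute contexts only; a value placed inside a script block, a URL or a CSS property needs the encoder for that context, which is why frameworks that encode by default are the practical fix.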

CVE(s): CVE-2019-4303

Affected product(s) and affected version(s):

This vulnerability affects the following versions of the IBM Maximo Asset Management core product, and all other IBM Maximo Industry Solution and IBM Control Desk products, regardless of their own version, if they are currently installed on top of an affected IBM Maximo Asset Management. *

Maximo Asset Management core product affected versions:
Maximo Asset Management 7.6

Industry Solutions products affected if using an affected core version:
Maximo for Aviation
Maximo for Life Sciences
Maximo for Nuclear Power
Maximo for Oil and Gas
Maximo for Transportation
Maximo for Utilities

IBM Control Desk products affected if using an affected core version:
SmartCloud Control Desk
IBM Control Desk
Tivoli Integration Composer

* To determine the core product version, log in and view System Information. The core product version is the “Tivoli’s process automation engine” version. Please consult the Product Coexistence Matrix for a list of supported product combinations.

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://www-01.ibm.com/support/docview.wss?uid=ibm10887563
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/160949
