Jan 5, 2020 8:03 pm EST
Categorized: High Severity
Share this post:
This Security Bulletin addresses vulnerabilities that have been addressed in IBM Cognos Analytics 11.1.4 and 11.0.13 FP2.
A vulnerability has been addressed where a parameter in a Cognos URL can be modified such that Cognos HTTP messages are forwarded to a hostile server. (CVE-2018-1721)
A vulnerability has been addressed where the The X-Powered-By attribute is being returned in the HTTP response header in IBM Cognos Analytics. This information might help an attacker gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of the web server. (CVE-2019-4334)
A vulnerability has been addressed in IBM Cognos Analytics 11.1.4 where the product could be vulnerable to a cross-sire scripting (XSS) attack in the Assistant Search tab via .xlsx file upload. (CVE-2019-4645). This vulnerability was not applicable in IBM Cognos Analytics 11.0.x.
Affected Products and Versions
IBM Cognos Analytics 11.1
IBM Cognos Analytics 11.0