IBM Support

IJ23871: HTML TAGS CAN BE INPUTTED INTO FIELDS WITHIN MAXIMO


APAR status

  • Closed as program error.

Error description

  • PROBLEM:
    Security Finding - HTML Injection
    
    It was discovered that HTML tags could be input into fields
    within Maximo. This causes unintended side effects we would
    like to prevent if possible.
    
    
    STEPS TO REPRODUCE:
    
    Replicated on: 7.6.0.10-IFIX20200204-2127 & on
    7.6.1.1-IFIX20200124-1352
    
    Go to Administration > Sets
    Click on New Row
    In the Set field, enter A<TEST>
    Click on a different set then click on the new row that was
    just created
    Observe the input box next to the A in the Organizations Using
    section, it now says Organizations Using A
    
    
    CURRENT ERRONEOUS RESULT: The field is subject to HTML injection,
    which causes unintended side effects
    
    
    EXPECTED RESULT:  Prevent the use of special characters
    
    
    REPORTED IN VERSION:
    
    Maximo Asset Management 7.6.0.10 & 7.6.1.1
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * N/A                                                          *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * HTML TAGS CAN BE INPUTTED INTO FIELDS WITHIN MAXIMO          *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    

Problem conclusion

  • Fixed in label.jsp and ControlInstance.java
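    The symptom in the steps above (the typed value A<TEST> being
    displayed as "Organizations Using A") is what happens when a field
    value is concatenated into the label markup without output encoding:
    the browser treats <TEST> as an element, not text. The following is an
    added illustration, not Maximo's own label.jsp or ControlInstance.java
    code; the function names and the simplified browser model are assumptions.

```javascript
// Added example (not Maximo's code): an unescaped set name such as "A<TEST>"
// is swallowed by the HTML parser when rendered into the "Organizations Using"
// label; HTML-escaping the value before it reaches the markup prevents that.

// Escape the five characters that are significant in HTML text and attributes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable rendering: the user-supplied set name is concatenated into
// markup as-is, so "<TEST>" becomes an element instead of text.
function renderLabelUnsafe(setName) {
  return '<label>Organizations Using ' + setName + '</label>';
}

// Hardened rendering: the value is HTML-escaped before it is embedded.
function renderLabelSafe(setName) {
  return '<label>Organizations Using ' + escapeHtml(setName) + '</label>';
}

// Simplified model of what a browser displays for a markup string: tags are
// consumed and entities are decoded (decode &amp; last to avoid double-decoding).
function visibleText(markup) {
  return markup
    .replace(/<[^>]*>/g, '')
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, '&');
}

// Acceptance check for the fix: the label must show the value exactly as
// typed, with no characters lost to the HTML parser.
function labelPreservesInput(render, setName) {
  return visibleText(render(setName)) === 'Organizations Using ' + setName;
}

const constructedInput = 'A<TEST>'; // the value from the steps to reproduce
console.log(visibleText(renderLabelUnsafe(constructedInput))); // Organizations Using A
console.log(visibleText(renderLabelSafe(constructedInput)));   // Organizations Using A<TEST>
```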
    

Temporary fix

Comments

APAR Information

  • APAR number

    IJ23871

  • Reported component name

    SECURITY

  • Reported component ID

    5724R46SC

  • Reported release

    760

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-03-26

  • Closed date

    2020-05-04

  • Last modified date

    2020-05-04

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    SECURITY

  • Fixed component ID

    5724R46SC

Applicable component levels


Document Information

Modified date:
05 May 2020