IBM Support

IT24979: CROSS-SITE SCRIPTING ISSUE IN IBM STERLING B2B INTEGRATOR DASHBOARD

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

Direct links to fixes

Media_IM_5020603_6
Media_IM_5020603_6
iSeries_Media_5020603_6.zip
iSeries_Media_5020603_6

 

APAR status

  • Closed as program error.

Error description

  • In the IBM Sterling B2B Integrator dashboard, when you check in
a map with a name including XSS payload
like <script>alert(1)</script>, results in an CROSS SITE
SCRIPTING <XSS> security vulnerability.


1. Login as operator on the dashboard (/dashboard/portal/)
2. Navigate to the Deployment tab via the menu on the left.
3. Click on 'Maps'.
5. Click on 'Go!' under the 'Check-in' section.
4. Upload a file with a valid .map extension. Add 'Test' in to
the Check-in comments.
6. Turn intercept on in Burp.
7. Click 'Save'.
8. Append <script>alert(1)</script> to the filename and the
'Check-in' comments in the request. Forward it.
9. Click next till you reach the last step.

Local fix

  • RTC - 567560

Problem summary

  • Users Affected:
All

Problem Description:
Reflected Cross-site Scripting (XSS) issue dashboard map
creation.

Platforms Affected:
All

Problem conclusion

  • Resolution Summary:
A code fix is provided.

Delivered In:
5020603_6

Temporary fix

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    IT24979
    • 

  • Reported component name
    STR B2B INTEGRA
    • 

  • Reported component ID
    5725D0600
    • 

  • Reported release
    526
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2018-05-15
    • 

  • Closed date
    2018-07-09
    • 

  • Last modified date
    2018-07-29
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    STR B2B INTEGRA
    • 

  • Fixed component ID
    5725D0600
    • 



Applicable component levels


    








      
              
                            

              

              [{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS3JSW","label":"IBM Sterling B2B Integrator"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"5.2.6","Edition":"","Line of Business":{"code":"LOB02","label":"AI Applications"}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            29 July 2018
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback