IBM Support

IBM Security Access Manager for Enterprise Single Sign On Cross Site Scripting Vulnerability (CVE-2013-6745)

Created by Jim Wade on
Published URL:
https://www.ibm.com/support/pages/node/507035
507035

Security Bulletin


Summary

A dynamic web form is vulnerable to a cross-site scripting (XSS) attack.

Vulnerability Details

CVE ID:
CVE-2013-6745

DESCRIPTION:
A dynamic web form is vulnerable to a cross-site scripting (XSS) attack.

An XSS attack involves three parties: An attacker, a victim, and a vulnerable web site or web application. The attack hinges on the fact that the vulnerable website has a script that returns user input in an HTML page without first sanitizing that input. This allows the attacker to input JavaScript code, which is executed by the victim's browser. As a result, it is possible to form links to the vulnerable site where one of the parameters consists of malicious JavaScript code. The JavaScript code will be executed by the victim's browser in the vulnerable web site's context, granting the attacker access to the victim's cookies for the vulnerable web site.

The attack does require network access, requires authentication and some degree of specialized knowledge and techniques are required. An attack can compromise the integrity of information but not the confidentiality or availability.

CVSS:
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/89861 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

Affected Products and Versions

IBM Security Access Manager for Enterprise Single Sign On 8.2

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

References

Off

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

[{"Product":{"code":"SS9JLE","label":"IBM Security Access Manager for Enterprise Single Sign-On"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"IMS Server","Platform":[{"code":"PF033","label":"Windows"}],"Version":"8.2","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
16 June 2018

UID

swg21660568