Security Bulletin
Summary
A dynamic web form is vulnerable to a cross-site scripting (XSS) attack.
Vulnerability Details
CVE ID:
CVE-2013-6745
DESCRIPTION:
A dynamic web form is vulnerable to a cross-site scripting (XSS) attack.
An XSS attack involves three parties: An attacker, a victim, and a vulnerable web site or web application. The attack hinges on the fact that the vulnerable website has a script that returns user input in an HTML page without first sanitizing that input. This allows the attacker to input JavaScript code, which is executed by the victim's browser. As a result, it is possible to form links to the vulnerable site where one of the parameters consists of malicious JavaScript code. The JavaScript code will be executed by the victim's browser in the vulnerable web site's context, granting the attacker access to the victim's cookies for the vulnerable web site.
The attack does require network access, requires authentication and some degree of specialized knowledge and techniques are required. An attack can compromise the integrity of information but not the confidentiality or availability.
CVSS:
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/89861 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)
Affected Products and Versions
IBM Security Access Manager for Enterprise Single Sign On 8.2
Remediation/Fixes
Workarounds and Mitigations
None
Get Notified about Future Security Bulletins
References
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Was this topic helpful?
Document Information
Modified date:
16 June 2018
UID
swg21660568