IBM Support

Security Bulletin: SmartCloud Provisioning - Webmin Open Source vulnerability (CVE-2014-0339)

Created by Shyamala Rajagopalan on
Published URL:
https://www.ibm.com/support/pages/node/514815
514815

Security Bulletin


Summary

SmartCloud Provisioning - Webmin Open Source vulnerability as per X-Force Report, March 2014 (CVE-2014-0339).

Vulnerability Details

SmartCloud Provisioning 2.1 for IBM Provided Software Virtual Appliance is shipped with Webmin. A security vulnerability has been discovered in Webmin that affects SmartCloud Provisioning 2.1 for IBM Provided Software Virtual Appliance with Webmin. Webmin has released patch updates that contain a vulnerability fix and SmartCloud Provisioning 2.1 for IBM Provided Software Virtual Appliance with Webmin has been updated to include those fixes.

Refer to the following sections for vulnerabilities details and information about fixes.

CVE-ID: CVE-2014-0339


DESCRIPTION: Webmin is vulnerable to cross-site scripting, which is caused by improper validation of user-supplied input by the view.cgi script. A remote attacker might exploit this vulnerability using the id parameter in a specially crafted URL. That URL can then execute a script in a victim's Web browser within the security context of the hosting Web site after the URL is clicked. An attacker might use this vulnerability to steal the victim's cookie-based authentication credentials.

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/91825 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Affected Products and Versions

SmartCloud Provisioning 2.1 for IBM Provided Software Virtual Appliance

Remediation/Fixes

The recommended solution is to download the SmartCloud Provisioning 2.1 for IBM Provided Software Virtual Appliance latest interim fix from Fix Central and apply it as soon as practical.

Workarounds and Mitigations

None.

Get Notified about Future Security Bulletins

References

Off

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Internal Use Only

CVE-ID: CVE-2014-0339

[{"Product":{"code":"SSZH3R","label":"IBM Service Agility Accelerator for Cloud"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"Security","Platform":[{"code":"PF016","label":"Linux"}],"Version":"2.1","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
17 June 2018

UID

swg21677247