Security Bulletin
Summary
IBM Web applications using file uploader services of IBM Dojo Toolkit might be subject to Cross Site Scripting vulnerability, caused by improper validation of user-supplied input.
Vulnerability Details
CVEID: CVE-2014-8917
DESCRIPTION: IBM Dojo Toolkit is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/99303for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Affected Products and Versions
IBM InfoSphere MDM Reference Data Management Versions 11.4, 11.3, 11.0, 10.1.
InfoSphere MDM Probabilistic Matching Engine for InfoSphere BigInsights Versions 11.0 and 11.3.
InfoSphere Big Match for Hadoop version 11.4
InfoSphere Initiate Master Data Service ( Inspector component and Web Reports component) versions 10.1,10.0, 9.7 and 9.5.
InfoSphere Master Data Management ( Inspector component and Web Reports component) versions 11.4, 11.3 and 11.0.
Remediation/Fixes
The recommended solution is to apply the fix as soon as practical. Please see below for information on the fixes available.
| Product | VRMF | APAR | Remediation/First Fix |
| IBM InfoSphere Reference Data Management | 11.4 | None | 11.4-FP2 |
| IBM InfoSphere Reference Data Management | 11.3 | None | 11.3-FP2 |
| IBM InfoSphere Reference Data Management | 11.0 | None | 11.0-FP3 |
| IBM InfoSphere Reference Data Management | 10.1 | None | 10.1-IF1 |
| InfoSphere MDM Probabilistic Matching Engine for InfoSphere BigInsights | 11.0 | None | 11.0-FP1 |
| InfoSphere MDM Probabilistic Matching Engine for InfoSphere BigInsights | 11.3 | None | 11.3-FP2 |
| InfoSphere Big Match for Hadoop | 11.4 | None | 11.4-FP2 |
| InfoSphere Initiate Master Data Service | 9.5 | None | 9.5.032215 |
| InfoSphere Initiate Master Data Service | 9.7 | None | 9.7.032215 |
| InfoSphere Initiate Master Data Service | 10.0 | None | 10.0.032215 |
| InfoSphere Initiate Master Data Service | 10.1 | None | 10.1.032215 |
| InfoSphere Master Data Management | 11.0 | None | 11.0-FP3 |
| InfoSphere Master Data Management | 11.3 | None | 11.3-FP2 IWM Samples |
| InfoSphere Master Data Management | 11.4 | None | 11.4-FP2 IWM Samples |
Get Notified about Future Security Bulletins
References
Change History
06-February-2015: Original version published.
26-February-2015: Remediations/Fixes updated with RDM 11.3 FP2 link
10-March-2015: Remediations/Fixes updated with MDM 11.3 FP2 link(s)
12-March-2015: Affected Products and Versions updated.
23-March-2015: Remediations/Fixes updated.
08-April-2015: Remediations/Fixes updated with RDM 11.4 11.0 10.1 links.
09-April-2015: Remediations/Fixes updated with PME 11.0 11.3 and BigM 11.4 links
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Was this topic helpful?
Document Information
Modified date:
27 April 2022
UID
swg21695767