Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities

Vulnerability Details

CVEID:   CVE-2010-5312
DESCRIPTION:   jQuery UI is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using the title parameter in a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/98696 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID:   CVE-2019-0205
DESCRIPTION:   Apache Thrift is vulnerable to a denial of service, caused by an error when processing untrusted Thrift payload. A remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/169460 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2019-0210
DESCRIPTION:   Apache Thrift is vulnerable to a denial of service, caused by an out-of-bounds read in a server implemented in Go using TJSONProtocol or TSimpleJSONProtocol. A remote attacker could exploit this vulnerability to cause the application to panic.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/169459 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2020-4377
DESCRIPTION:   IBM Cognos Anaytics is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
CVSS Base score: 8.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/179156 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L)

CVEID:   CVE-2016-7103
DESCRIPTION:   jQuery UI is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the dialog function. A remote attacker could exploit this vulnerability using the 'closeText' parameter in a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/119601 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID:   CVE-2019-4589
DESCRIPTION:   IBM Cognos Analytics is vulnerable to privlege escalation where the "My schedules and subscriptions" page is visible and accessible to a less privileged user.
CVSS Base score: 4.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/167449 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)

CVEID:   CVE-2019-4366
DESCRIPTION:   IBM Cognos Analytics is susceptible to an information disclosure vulnerability where an attacker could gain access to cached browser data.
CVSS Base score: 2.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/161748 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)