Cognos Analytics is vulnerable to an XSS attack when executing a report.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114516 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
Affected Products and Versions
IBM Cognos Analytics 18.104.22.168 and later.
Workarounds and Mitigations
Reports containing Hyperlinks or Hyperlink Buttons (HTML Items) can be created by report authors and executed by users. Malicious scripts can be inserted into these items, creating an XSS vulnerability when the report is executed. The ability to add HTML Items is enabled by default but can be disabled using the steps below.
In the Authoring perspective, the Hyperlink object can be found in the Tools tab under the Textual items. This is also relevant to the HTML item in the Tools -> Advanced section.
The report runs under any account that executes it, and the user can then select the Hyperlink. Users could also see the links when opening a saved report that was executed by a different user.
Resolving the issue:
The Capability to execute reports with embedded HTML can be disabled in Cognos Analytics in two ways: globally, or at an object (folder or package) level.
Note: You cannot deny Capabilities or other permissions to System Administrators.
1 - Globally:
As a System Administrator user, enter the Administration console.
Go to the Security tab and select Capabilities -> Report Studio to expand the selections.
Click the arrow for ‘HTML Items in Report’ and select ‘Set properties’.
Disable access to this capability by selecting the checkbox for ‘Override the access permissions acquired from the parent entry’, then select the User/Group/Roles and remove the Grant. You can also select the Deny checkbox.
2 - Remove at a folder or package level via the following method. Requires Write access.
Go to the properties of the containing Package or Report and select the Capabilities tab. Then click Set…
Select the User/Groups or Roles you want to deny access to the HTML Item in Report. Select Deny in the Capabilities list for the HTML Item in Report Capability.
Restricted users will receive an error when executing a report with an HTML/Hyperlink item:
“RSV-SVR-0031 The user does not have the assigned capability to use the ‘hyperlink’ layout element.”
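Before denying the capability, it helps to know which reports contain these items, since those are the reports that will fail with RSV-SVR-0031 for restricted users. The following is an added example, not IBM code: it assumes report specifications are available as XML text and that the items appear as elements named `HTMLItem`, `hyperlink` and `hyperlinkButton`. Both are assumptions to check against your own specifications, and the sample specifications are constructed and simplified.

```python
import re
import xml.etree.ElementTree as ET

# Assumed element names for the items the bulletin names; adjust to your specs.
HTML_CAPABLE = {"HTMLItem", "hyperlink", "hyperlinkButton"}
# Heuristic markers of active content; not a complete XSS filter.
ACTIVE = re.compile(r"<\s*script|javascript\s*:|\bon\w+\s*=", re.IGNORECASE)

# Constructed, simplified sample specifications (not real Cognos exports).
SAMPLE_SPECS = {
    "Sales by region": """<report xmlns="urn:example:report-spec"><layout>
  <textItem><staticValue>Q1 totals</staticValue></textItem>
  <hyperlink url="https://intranet.example/help"><staticValue>Help</staticValue></hyperlink>
  <HTMLItem><staticValue>&lt;script&gt;/* placeholder */&lt;/script&gt;</staticValue></HTMLItem>
</layout></report>""",
    "Headcount": """<report xmlns="urn:example:report-spec"><layout>
  <textItem><staticValue>No HTML here</staticValue></textItem>
</layout></report>""",
}

def local(tag):
    """Strip an XML namespace such as '{uri}name' down to 'name'."""
    return tag.rsplit("}", 1)[-1]

def audit_report(name, spec_xml):
    """Return one finding per HTML-capable item in a report specification."""
    findings = []
    for elem in ET.fromstring(spec_xml).iter():
        if local(elem.tag) not in HTML_CAPABLE:
            continue
        # Static values may sit in descendant text or in attributes.
        values = list(elem.itertext()) + list(elem.attrib.values())
        text = " ".join(v.strip() for v in values if v and v.strip())
        findings.append({"report": name, "item": local(elem.tag),
                         "active_content": bool(ACTIVE.search(text))})
    return findings

def audit_all(specs):
    """Audit a mapping of report name to specification XML."""
    return [f for name, spec in specs.items() for f in audit_report(name, spec)]

if __name__ == "__main__":
    for finding in audit_all(SAMPLE_SPECS):
        print(finding)
```

Reports listed with `active_content` set to true deserve manual review first; every listed report will stop running for users who are denied the capability.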
This vulnerability was reported to IBM by Mohit Rawat and Sagar Pasrija.
25 April 2017: Original Version Published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
15 June 2018