IBM Multiple Products Multiple Vulnerabilities
Release Date : 2013-02-18
Criticality level : Moderately critical
Impact : Security Bypass, Cross Site Scripting
Where : From remote
Solution Status : Partial Fix
IBM Maximo Asset Management 6.x
IBM Maximo Asset Management 7.x
IBM Maximo Asset Management Essentials 6.x
IBM Maximo Asset Management Essentials 7.x
IBM SmartCloud Control Desk 7.x
IBM Tivoli Asset Management for IT 6.x
IBM Tivoli Asset Management for IT 7.x
IBM Tivoli Change and Configuration Management Database 7.x
IBM Tivoli Service Request Manager 7.x
A weakness and multiple vulnerabilities have been reported in multiple IBM products. They can be exploited by malicious users to bypass certain security restrictions, and by malicious people to conduct cross-site scripting and spoofing attacks and to bypass certain security restrictions.
1) The application bundles a vulnerable version of the IBM Eclipse Help System (IEHS).
2) Certain unspecified input is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
3) Some unspecified errors can be exploited to bypass certain security restrictions.
The vulnerabilities are reported in the following products:
* IBM Maximo Asset Management versions 7.5, 7.1, and 6.2
* IBM Maximo Asset Management Essentials versions 7.5, 7.1, and 6.2
* IBM SmartCloud Control Desk version 7.5
* IBM Tivoli Asset Management for IT versions 7.2, 7.1, and 6.2
* IBM Tivoli Change and Configuration Management Database versions 7.2 and 7.1
* IBM Tivoli Service Request Manager versions 7.2, 7.1, and 6.2
Apply updates if available (please see the vendor's advisory for details).
Provided and/or discovered by:
2, 3) Reported by the vendor.
IBM (JR43170, JR43170, IV24609, IV25198, IV23838, IV22698, IV20823, IV30384, IV27329, IV23511, IV20590):