IV72630: CROSS SITE SCRIPTING POST-AUTHENTICATION - ACROSS THE APPLICATION
Closed as fixed if next.
This specific scenario concerns the following: A Cross Site Scripting (XSS) attack occurs when an attacker uses the web application to inject malicious code, in the form of a client-side script (arbitrary JavaScript), to an end user. When the attack succeeds, this attacker-controlled content is executed in the context of the current user. Session theft may occur if the user is logged in. If the user is not logged in, the attacker can retain the session cookie until it can be reasonably assumed that the user has logged in. The attacker then gains full control over the victim's account. Because the application assumes the script originated from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the client and used with that site. Such scripts can even rewrite the content of the HTML page. This issue has been observed across the application.
The unescaped user-input values needed to be removed from the JSON array.
Cross-site scripting attacks in "My Reports" have been mitigated. Entering script code in a new report's Name, ID, Header, or Tag name will no longer cause the scripts to execute after accessing the report within the application. This is targeted for the 3.4.2 mod release, and 22.214.171.124 fix pack.
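The following is an added example, not TRIRIGA code and not taken from this APAR, illustrating the defensive pattern the fix describes: report fields supplied by a user (Name, ID, Header, Tag) are serialised into a JSON array inside a script block and later rendered into HTML, and at both points the values are escaped so they cannot close the script block or be interpreted as markup. The field names, the `myReports` variable, the helper functions and the sample report records are all assumptions constructed for the example.

```javascript
// Added example (not TRIRIGA code): escaping user-supplied report fields
// both when embedding them in a JSON array inside <script> and when
// rendering them as HTML. Field names are assumed, not taken from the APAR.
const reportFields = ['name', 'id', 'header', 'tag'];

// Serialise a value as JSON that is safe to place inside a <script> block.
// JSON.stringify alone leaves '<', '>', '&' and the U+2028/U+2029 line
// separators raw; a raw "</script>" inside a string would end the block,
// so those characters are emitted as JSON \uXXXX escapes, which JSON.parse
// still decodes to the original text.
function jsonForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Escape a value for insertion into HTML element text or a quoted attribute.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Reduce each report record to the known fields, coercing everything to a
// string so no attacker-controlled object shape reaches the serialiser.
function normaliseReports(reports) {
  return reports.map((r) => {
    const row = {};
    for (const f of reportFields) row[f] = r[f] == null ? '' : String(r[f]);
    return row;
  });
}

// Build the <script> block that hands the report list to the page's JS.
function reportListScript(reports) {
  return '<script>var myReports = ' + jsonForScript(normaliseReports(reports)) + ';</script>';
}

// Render one report as a table row with every field HTML-escaped.
function renderReportRow(report) {
  const cells = reportFields.map((f) => '<td>' + escapeHtml(report[f] == null ? '' : report[f]) + '</td>');
  return '<tr>' + cells.join('') + '</tr>';
}

// Assemble the script block and the rendered table for a report list.
function renderMyReports(reports) {
  const rows = normaliseReports(reports).map(renderReportRow).join('');
  return reportListScript(reports) + '<table>' + rows + '</table>';
}

// Constructed sample input: one ordinary report and one whose fields carry
// the kind of script and markup the APAR says used to execute.
const sampleReports = [
  { name: 'Quarterly Costs', id: 'RPT-1', header: 'Costs by site', tag: 'finance' },
  { name: '</script><script>alert(1)</script>', id: 'RPT-2', header: '<b>bold</b>', tag: 'a&b' },
];

// Recover the JSON array from a generated script block (used to show the
// escaped form round-trips to the original values).
function parseEmbeddedReports(scriptHtml) {
  const prefix = '<script>var myReports = ';
  const suffix = ';</script>';
  return JSON.parse(scriptHtml.slice(prefix.length, -suffix.length));
}

console.log(renderMyReports(sampleReports));
```

The two escaping steps are deliberately separate: `jsonForScript` protects the script context and `escapeHtml` protects the markup context, and applying only one of them leaves the other injection point open.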
Reported component name
TRI APP PLTFM R
Reported component ID
Last modified date
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Applicable component levels