APAR status
Closed as fixed if next.
Error description
Reflected Cross-Site Scripting (XSS) vulnerabilities stem from data in a request being echoed unsafely into an application's response. Attackers can construct requests that cause attacker-supplied JavaScript to execute in the user's browser, within the context of the user's current session. This might give the attacker access to the user's session tokens, allow keystroke logging, or allow a network scan to be launched from the user's browser. An attacker may exploit this vulnerability in conjunction with a Cross-Site Request Forgery attack, or by delivering a maliciously crafted link to a user in an email, chat, or web page.

The impact of this vulnerability is contingent upon the function of the application. In addition to session hijacking, if the application uses broadly scoped cookies the vulnerability may lead to widespread account compromise, data loss, and potential theft. A vulnerability of this type might be leveraged in a phishing campaign to exploit the trust and goodwill that users have in Apple in order to perform malicious attacks on the user.

Multiple parameters to 'WebProcess.srv' were found to be vulnerable to reflected XSS when the 'objectId' and 'actionId' parameters are set to '840000' and '750812', respectively.
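The root cause described above, shown as an added example that is not TRIRIGA code and not part of the APAR: a handler that echoes a request parameter into the page unencoded next to the same handler with HTML-entity encoding, plus a defender-side check that reports any parameter reflected verbatim. The query string, the 'view' parameter and the marker value are constructed for this example; only the 'objectId'/'actionId' names and values come from the APAR.

```python
import html
from urllib.parse import parse_qs

# Constructed sample request: objectId/actionId as in the APAR, plus a
# hypothetical "view" parameter carrying an HTML marker. This is NOT a
# real TRIRIGA request.
SAMPLE_QUERY = "objectId=840000&actionId=750812&view=<i>marker</i>"


def render_vulnerable(query: str) -> str:
    """Echoes the request parameter into the HTML body without encoding."""
    params = parse_qs(query, keep_blank_values=True)
    view = params.get("view", [""])[0]
    return f"<html><body><h1>View: {view}</h1></body></html>"


def render_hardened(query: str) -> str:
    """Same page, but every request-derived value is entity-encoded
    before it is placed in an HTML text context."""
    params = parse_qs(query, keep_blank_values=True)
    view = html.escape(params.get("view", [""])[0], quote=True)
    return f"<html><body><h1>View: {view}</h1></body></html>"


def unencoded_reflections(query: str, body: str) -> dict:
    """Defender-side check: return {param: value} for every request parameter
    whose raw value contains HTML metacharacters and appears verbatim in the
    response body, i.e. was reflected without output encoding."""
    findings = {}
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            if any(ch in value for ch in "<>\"'&") and value in body:
                findings[name] = value
    return findings


if __name__ == "__main__":
    for label, render in (("vulnerable", render_vulnerable),
                          ("hardened", render_hardened)):
        body = render(SAMPLE_QUERY)
        print(label, unencoded_reflections(SAMPLE_QUERY, body)
              or "no unencoded reflection")
```

The check only catches reflection into HTML text; values placed into attributes, URLs or script blocks need context-specific encoding and a matching check.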
Local fix
No.
Problem summary
Fixes for platform cross-site scripting vulnerabilities.
Problem conclusion
The fix is targeted to the 2h2015 mod installer, as well as the 3.5.1.2 and 3.4.2.4 fix packs.
Temporary fix
Comments
APAR Information
APAR number
IV88400
Reported component name
TRI APPLCATION
Reported component ID
5725F26AB
Reported release
351
Status
CLOSED FIN
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2016-08-19
Closed date
2016-08-25
Last modified date
2016-08-25
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Modules/Macros
999
Fix information
Applicable component levels
R351 PSY
UP
Document Information
Modified date:
30 March 2022