IBM Support

IV88400: REFLECTED CROSS-SITE SCRIPTING (XSS)


APAR status

  • Closed as fixed if next.

Error description

  • Reflected Cross-Site Scripting (XSS) vulnerabilities stem from the
    data in a request being echoed unsafely into an application's
    response. Attackers can construct requests which will cause
    JavaScript code supplied by the attacker to be executed in the
    user's browser and within the context of their current session.
    This might mean that the attacker would have access to their
    session tokens, could log their keystrokes, or launch a network
    scan from the user's browser. An attacker may exploit this
    vulnerability in conjunction with a Cross-Site Request Forgery
    attack, or by providing a maliciously crafted link to a user in an
    email, chat, or web page.

    The impact of this vulnerability is contingent upon the function of
    the application. In addition to session hijacking, if the
    application uses broadly scoped cookies the vulnerability may lead
    to widespread account compromise, data loss, and potential theft.
    A vulnerability of this type might be leveraged in a phishing
    campaign to exploit the trust and goodwill that users have in Apple
    in order to perform malicious attacks on the user.

    Multiple parameters to 'WebProcess.srv' were found to be vulnerable
    to reflected XSS when the 'objectId' and 'actionId' parameters are
    set to '840000' and '750812', respectively.
    
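The echo-then-encode distinction described above, as an added illustration that is not part of the APAR or of the TRIRIGA code base: a constructed handler that reflects objectId and actionId into a form (the pattern the APAR reports), the same handler with HTML attribute encoding applied, and a regression check that flags verbatim reflection. The handler, the form markup and the probe value are assumptions; only the servlet and parameter names come from the APAR.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# Constructed probe: characters that must be encoded inside an HTML attribute.
PROBE = '"><i>x</i>'
PROBE_URL = f"/WebProcess.srv?objectId={quote(PROBE)}&actionId=750812"


def _params(url: str) -> tuple[str, str]:
    """Extract the two reflected parameters (percent-decoded by parse_qs)."""
    qs = parse_qs(urlsplit(url).query)
    return qs.get("objectId", [""])[0], qs.get("actionId", [""])[0]


def render_unsafe(url: str) -> str:
    """'Before' pattern (constructed): request values concatenated into HTML.

    A value containing '"' closes the attribute and '<' then starts markup
    chosen by the requester, which is the reflected XSS the APAR describes.
    """
    object_id, action_id = _params(url)
    return (
        '<form action="WebProcess.srv">'
        f'<input name="objectId" value="{object_id}">'
        f'<input name="actionId" value="{action_id}">'
        "</form>"
    )


def render_safe(url: str) -> str:
    """Hardened form: encode each reflected value for the HTML attribute
    context before it reaches the response (quote=True also encodes both
    quote characters, not just <, > and &)."""
    object_id, action_id = (html.escape(v, quote=True) for v in _params(url))
    return (
        '<form action="WebProcess.srv">'
        f'<input name="objectId" value="{object_id}">'
        f'<input name="actionId" value="{action_id}">'
        "</form>"
    )


def reflects_unescaped(value: str, body: str) -> bool:
    """Regression check for a test suite: True when a request value that
    carries HTML-significant characters appears verbatim in the response."""
    return any(c in value for c in '<>"\'&') and value in body


if __name__ == "__main__":
    print("unsafe reflects probe:", reflects_unescaped(PROBE, render_unsafe(PROBE_URL)))
    print("safe reflects probe:", reflects_unescaped(PROBE, render_safe(PROBE_URL)))
```

Encoding is context-specific: html.escape is correct for element content and quoted attributes, but a value placed inside a script block or a URL needs the encoder for that context instead.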

Local fix

  • No.
    

Problem summary

  • Fixes for platform cross-site scripting vulnerabilities.
    

Problem conclusion

  • The fix is targeted to the 2h2015 mod installer, as well as the
    3.5.1.2 and 3.4.2.4 fix packs.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IV88400

  • Reported component name

    TRI APPLCATION

  • Reported component ID

    5725F26AB

  • Reported release

    351

  • Status

    CLOSED FIN

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-08-19

  • Closed date

    2016-08-25

  • Last modified date

    2016-08-25

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Modules/Macros

  • 999
    

Fix information

Applicable component levels

  • R351 PSY

    UP


Document Information

Modified date:
30 March 2022