The IBM Cognos TM1 Web component contains a cross-site scripting vulnerability. IBM Cognos TM1 versions 9.4, 9.5 and 10.1 are impacted.
CVE ID: CVE-2012-6350
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/80670 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
The following versions of IBM Cognos TM1 are impacted:
- IBM Cognos TM1 10.1.0
- IBM Cognos TM1 9.5.0, 9.5.1 and 9.5.2
- IBM Cognos TM1 9.4.1 and earlier releases
REMEDIATION: Apply the appropriate fix pack or refresh pack to remediate these issues as per this table.
| Affected version | Remediation |
|---|---|
| IBM Cognos TM1 10.1 | Either install the following fix pack: Download Cognos TM1 10.1 FP1, or upgrade to IBM Cognos TM1 10.1 RP1 |
| IBM Cognos TM1 9.5 | Download Cognos TM1 9.5.2 FP3 |
| IBM Cognos TM1 9.5.0, 9.5.1 | Download IBM Cognos TM1 9.5.2; Download Cognos TM1 9.5.2 FP3 |
| IBM Cognos TM1 9.4.1 and earlier versions | No fix is available, we recommend you upgrade to one of the above supported releases. |
WORKAROUND(S): None known; apply fixes.
- If TM1 Web is not used as a client for TM1, ensure that it is either not installed or not configured, and/or not available as a web application.
- If TM1 Web is used as a client: none known; please apply the higher versions as described above.