Security Bulletin: Vulnerability in Classic Sametime Meetings Server (CVE-2013-0535)
The Web Application of the Classic Sametime Meetings server can be exploited via potential cross-site scripting (XSS) vulnerabilities. A fix is provided.
A fix is available for a potential cross-site scripting (XSS) security vulnerability that has been identified in connection with the IBM Classic Sametime Meetings Server.
The issue can be fixed by installing the provided fix (see below under REMEDIATION heading)
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/82657 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)
AFFECTED PRODUCTS AND VERSIONS:
IBM Classic Sametime Meetings server 220.127.116.11 and prior releases
The recommended solution is to apply the fixes that are provided by IBM for the affected IBM Classic Sametime Meetings server. The needed fix is for the Web Application part of the server.
Refer to the following technote for instructions on how to download the relevant fixes:
"Fix available for potential cross-site scripting (XSS) security vulnerabilities in Classic Sametime Meetings Server Web Application."
None known; apply fixes.
None known; apply fixes.
Complete CVSS Guide: http://www.first.org/cvss/v2/guide
On-line Calculator V2: http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2
X-Force Vulnerability Database: http://xforce.iss.net/xforce/xfdb/82657
The vulnerability was reported to IBM by Christian Frei from usd GA.
<April 30 2013>: Original Copy Published.
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.
Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
More support for:
Classic Meeting Server
Software version: 18.104.22.168, 8.0.1, 8.0.2, 8.5, 22.214.171.124, 126.96.36.199
Operating system(s): AIX, IBM i, Linux, Solaris, Windows
Reference #: 1635185
Modified date: 29 April 2013