Potential Security issue for SmartCloud Cost Management (CVE-2013-0464 and CVE-2012-3325)

Security Bulletin


Summary

Vulnerability in Eclipse Help System (CVE-2013-0464) and potential security exposure with IBM WebSphere Application Server after installing PM44303 (CVE-2012-3325).

Vulnerability Details

CVE ID: CVE-2013-0464

Multiple cross-site scripting (XSS) vulnerabilities in IBM Eclipse Help System (IEHS) 3.4.3 and 3.6.2 allow remote attackers to inject arbitrary web script or HTML via a crafted URL.

Problem Description

IBM Eclipse Help System, as used in multiple IBM products, is vulnerable to cross-site scripting. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute a script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

**************************************************************************************************************************
Potential security exposure with IBM WebSphere Application Server after installing PM44303 (CVE-2012-3325)

Abstract

After installing an Interim Fix for PM44303 or a Fix Pack containing PM44303, there is a potential security exposure with IBM WebSphere Application Server.

Content

CVE ID: CVE-2012-3325 (PM71296)

Problem Description:
If you have installed an Interim Fix for PM44303 or a Fix Pack listed above, there is potential for an authenticated user to bypass security restrictions because of an error in validating user credentials. This could allow a user to gain unauthorized administrative access to an application and potentially gain access to confidential and critical customer data.

Remediation/Fixes

For CVE-2012-3325, review "Potential security exposure with IBM WebSphere Application Server after installing PM44303" for the solution.

References

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Internal Use Only

Security Bulletin: Vulnerability in IBM SPSS Data Collection due to issues in Eclipse Help System (CVE-2013-0464, CVE-2013-0467) - http://www.ibm.com/support/docview.wss?uid=swg21637954
IBM Divested moved to UNICOM company. The issue is due to Eclipse, hence updating.

Document Information

Modified date:
17 June 2018

UID

swg21646737