IBM WebSphere Message Broker Information Center Vulnerabilities: Notification 2 (CVE-2013-0464, CVE-2013-0599)

Flash (Alert)


Abstract

CVE-2013-0464 - IEHS - Cross-Site Scripting vulnerabilities may enable malicious scripts to be injected into a victim's context.
CVE-2013-0599 - Request parameter is out of range and debug information is displayed in browser.

Content

VULNERABILITY DETAILS:

CVE ID: CVE-2013-0464

DESCRIPTION:
CVE-2013-0464 - IEHS - Cross-Site Scripting vulnerabilities may enable malicious scripts to be injected into a victim's context.

For IEHSc3.4.2, IEHSc3.4.3, IEHSc3.6.1 and IEHSc3.6.2, if a user types "<img src=1 onerror=alert("XSS_vulnerable")>" in the "Search" control box, the application would alert "XSS_vulnerable".
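The behaviour described above is a search term reflected into the results page without HTML encoding. The following is an added example, not IBM's or IEHS code: a hypothetical help-search handler that shows the flawed echo beside the encoded form, using the exact string quoted in this Flash as the constructed input. The parameter name "searchWord" and the results heading are assumptions.

```python
# Added example (not IBM/IEHS code): reflecting a search term into HTML safely.
# Assumption: the search box submits its text as the "searchWord" query parameter.
import html
from urllib.parse import parse_qs

# Constructed sample input: the string this Flash says triggers the alert.
ADVISORY_PAYLOAD = '<img src=1 onerror=alert("XSS_vulnerable")>'


def search_term_from_query(query_string: str) -> str:
    """Pull the (already URL-decoded) search term out of a raw query string."""
    params = parse_qs(query_string, keep_blank_values=True)
    return params.get("searchWord", [""])[0]


def render_results_vulnerable(term: str) -> str:
    """The flawed pattern: the term is concatenated into the page verbatim,
    so any markup the user typed becomes part of the DOM."""
    return f"<h2>Results for: {term}</h2>"


def render_results_hardened(term: str) -> str:
    """The corrected pattern: encode &, <, >, " and ' for the HTML text context
    before the term reaches the page. The browser then shows the literal text."""
    return f"<h2>Results for: {html.escape(term, quote=True)}</h2>"


def reflects_unencoded(term: str, rendered: str) -> bool:
    """Check a reviewer or scanner can apply to a response body: does the
    submitted term appear byte-for-byte in the output? For a term containing
    '<', a True result means markup was reflected unencoded."""
    return "<" in term and term in rendered


if __name__ == "__main__":
    term = search_term_from_query("searchWord=" + ADVISORY_PAYLOAD)
    print("vulnerable:", render_results_vulnerable(term))
    print("hardened:  ", render_results_hardened(term))
```

With the hardened renderer the advisory string comes back as `&lt;img src=1 onerror=alert(&quot;XSS_vulnerable&quot;)&gt;`, which the browser displays as text and never parses as an element. Encoding must be chosen per output context; `html.escape` covers HTML text and attribute values, not JavaScript or URL contexts.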


CVSS:
CVE-2013-0464
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81060 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVE ID: CVE-2013-0599

DESCRIPTION:
CVE-2013-0599 - IEHS - Request parameter is out of range and debug information is displayed in browser.
The application has responded with an error message and debug information is displayed in browser with HTTP ERROR 500.
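The second issue is an unvalidated request parameter whose failure surfaces a stack trace to the client. The following is an added example, not IBM's or IEHS code: a hypothetical page-lookup handler shown in its flawed form, which returns `HTTP ERROR 500` with the trace in the body, beside a hardened form that validates the parameter range, keeps the trace in the server log under a correlation id, and returns only a generic message. The parameter name "page", its limits and the sample data are assumptions.

```python
# Added example (not IBM/IEHS code): out-of-range parameter handling without
# debug disclosure. Assumptions: an integer "page" parameter, 1..MAX_PAGE.
import logging
import traceback
import uuid
from typing import Tuple

log = logging.getLogger("help_server")

MAX_PAGE = 1000

# Constructed sample backing data: only pages 1-5 exist.
_PAGES = {i: f"page {i}" for i in range(1, 6)}


def lookup_page(page: int) -> str:
    """Backend access that raises on an index it does not hold, as a real one might."""
    return _PAGES[page]  # KeyError for a missing page


def handle_vulnerable(raw_page: str) -> Tuple[int, str]:
    """The flawed pattern: no validation, and the exception text is sent to the browser."""
    try:
        return 200, lookup_page(int(raw_page))
    except Exception:
        return 500, "HTTP ERROR 500\n" + traceback.format_exc()


def handle_hardened(raw_page: str) -> Tuple[int, str]:
    """The corrected pattern: reject bad input up front with a 400, and on an
    unexpected failure log the trace server-side and return an opaque id only."""
    try:
        page = int(raw_page)
    except ValueError:
        return 400, "Bad request: page must be an integer"
    if not 1 <= page <= MAX_PAGE:
        return 400, "Bad request: page out of range"
    try:
        return 200, lookup_page(page)
    except Exception:
        incident = uuid.uuid4().hex
        log.error("request failed, incident %s\n%s", incident, traceback.format_exc())
        return 500, f"Internal error (incident {incident})"


def leaks_debug_info(body: str) -> bool:
    """Crude response-body check for stack-trace markers (Python and Java styles)."""
    markers = ("Traceback (most recent call last)", 'File "', "Exception:", "\tat ")
    return any(m in body for m in markers)


if __name__ == "__main__":
    for raw in ("3", "abc", "99999", "7"):
        print(raw, "->", handle_hardened(raw))
```

The `leaks_debug_info` check is the kind of assertion to keep in a regression test for every error path: a 500 is acceptable, a 500 whose body names source files and line numbers is not.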

CVSS:
CVE-2013-0599
CVSS Base Score: 5.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83613 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

AFFECTED PRODUCTS AND VERSIONS:
Information Center for IBM WebSphere Message Broker V6.1.0.11
Information Center for IBM WebSphere Message Broker V7.0.0.6
Information Center for IBM WebSphere Message Broker V8.0.0.2
IBM Integration Bus V9.0.0.0

REMEDIATION:

For the IBM WebSphere Message Broker V6.1 Information Center please download from:

ftp://public.dhe.ibm.com/software/integration/wbibrokers/docs/V6.1/wmb_help_linux.tgz
ftp://public.dhe.ibm.com/software/integration/wbibrokers/docs/V6.1/wmb_help_win.zip

For the IBM WebSphere Message Broker V7.0 Information Center please download from:

ftp://public.dhe.ibm.com/software/integration/wbibrokers/docs/V7.0/wmb_help_linux.tgz
ftp://public.dhe.ibm.com/software/integration/wbibrokers/docs/V7.0/wmb_help_win.zip

For the IBM WebSphere Message Broker V8.0 Information Center please download from:

ftp://public.dhe.ibm.com/software/integration/wbibrokers/docs/V8.0/wmb_help_linux.tgz
ftp://public.dhe.ibm.com/software/integration/wbibrokers/docs/V8.0/wmb_help_win.zip

For the IBM Integration Bus V9.0 Information Center please download from:

ftp://public.dhe.ibm.com/software/integration/integrationbus/docs/V9.0/ib_help_linux.tgz
ftp://public.dhe.ibm.com/software/integration/integrationbus/docs/V9.0/ib_help_win.zip


Workaround(s):
None known, apply fixes

Mitigation(s):
None known

REFERENCES:

RELATED INFORMATION:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog


CHANGE HISTORY
12 September 2013: Original Copy Published
16 September 2013: CVE corrected in references
13 January 2014: Updated abstract following feedback

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.


Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


Document information

More support for: WebSphere Message Broker
Software version: 6.1, 7.0.0.5, 8.0.0.2
Operating system(s): AIX, HP-UX on Itanium, Linux, Linux SUSE - pSeries, Linux SUSE - xSeries, Linux SUSE - zSeries, Linux pSeries, Solaris, Windows, z/OS
Reference #: 1648445
Modified date: 2014-07-30
