IBM Maximo Asset Management CVE-2018-1872 Cross Site Scripting Vulnerability

IBM Maximo Asset Management is prone to cross-site scripting vulnerability because it fails to sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Information

Bugtraq ID: 106140
Class: Input Validation Error
CVE: CVE-2018-1872

Remote: Yes
Local: No
Published: Dec 10 2018 12:00AM
Updated: Dec 10 2018 12:00AM
Credit: IBM
Vulnerable: IBM Tivoli Integration Composer 0
IBM SmartCloud Control Desk 0
IBM Maximo for Utilities 0
IBM Maximo for Transportation 0
IBM Maximo for Oil and Gas 0
IBM Maximo for Nuclear Power 0
IBM Maximo for Life Sciences 0
IBM Maximo for Aviation 0
IBM Maximo Asset Management 7.6
IBM Control Desk 0

Not Vulnerable: IBM Maximo Asset Management 7.6.1.0
IBM Maximo Asset Management 7.6.0.9

Exploit

An attacker can exploit the issue by enticing an unsuspecting user to visit a specially crafted URL.

References:

• IBM Homepage (IBM)
  
• ibm10737461: Security Bulletin: IBM Maximo Asset Management is vulnerable to cro (ibm10737461)
  

Source: www.securityfocus.com