ID

VAR-201410-1114


CVE

CVE-2014-6079


TITLE

IBM Security Access Manager for Web and Security Access Manager for Mobile Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2014-004512

DESCRIPTION

Cross-site scripting (XSS) vulnerability in the Local Management Interface in IBM Security Access Manager for Web 7.x before 7.0.0-ISS-WGA-IF0009 and 8.x before 8.0.0-ISS-WGA-FP0005, and Security Access Manager for Mobile 8.x before 8.0.0-ISS-ISAM-FP0005, allows remote attackers to inject arbitrary web script or HTML via a crafted URL. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. ISAM for Mobile is a product that provides mobile access security in one modular package. ISAM for Web is a set of products used in user authentication, authorization, and Web single sign-on solutions. It provides user access management and Web application protection functions. The Local Management Interface in ISAM has a cross-site scripting vulnerability.

Trust: 1.98

sources: NVD: CVE-2014-6079 // JVNDB: JVNDB-2014-004512 // BID: 70197 // VULHUB: VHN-74022

AFFECTED PRODUCTS

vendor | model                                        | scope | version                  | Trust
ibm    | security access manager for web 8.0          | eq    | 8.0.0.3                  | 1.6
ibm    | security access manager for web 8.0          | eq    | 8.0.0.2                  | 1.6
ibm    | security access manager for web 7.0          | eq    | 7.0.0.6                  | 1.6
ibm    | security access manager for mobile 8.0       | eq    | 8.0.0.4                  | 1.6
ibm    | security access manager for mobile 8.0       | eq    | 8.0.0.3                  | 1.6
ibm    | security access manager for mobile 8.0       | eq    | 8.0.0.1                  | 1.6
ibm    | security access manager for web 7.0          | eq    | 7.0.0.7                  | 1.6
ibm    | security access manager for mobile 8.0       | eq    | 8.0.0.0                  | 1.6
ibm    | security access manager for web 7.0          | eq    | 7.0.0.8                  | 1.6
ibm    | security access manager for web 8.0          | eq    | 8.0.0.4                  | 1.6
ibm    | tivoli access manager for e-business         | eq    | 6.1.1                    | 1.1
ibm    | security access manager for web appliance    | eq    | 7.0                      | 1.0
ibm    | security access manager for web 7.0          | eq    | 7.0.0.3                  | 1.0
ibm    | security access manager for web appliance    | eq    | 8.0                      | 1.0
ibm    | security access manager for web 7.0          | eq    | 7.0.0.1                  | 1.0
ibm    | security access manager for web 7.0          | eq    | 7.0.0.4                  | 1.0
ibm    | security access manager for web 7.0          | eq    | 7.0.0.2                  | 1.0
ibm    | security access manager for web 7.0          | eq    | 7.0.0.5                  | 1.0
ibm    | security access manager for web 7.0          | eq    | 7.0.0.0                  | 1.0
ibm    | security access manager for mobile appliance | eq    | 8.0                      | 1.0
ibm    | tivoli access manager for e-business         | eq    | 6.0                      | 0.8
ibm    | security access manager for mobile the appliance | - | -                      | 0.8
ibm    | tivoli access manager for e-business         | eq    | 6.1                      | 0.8
ibm    | security access manager for web software     | eq    | 8.0.0-iss-wga-fp0005     | 0.8
ibm    | security access manager for web software     | lt    | 7.x                      | 0.8
ibm    | security access manager for web software     | eq    | 7.0.0-iss-wga-if0009     | 0.8
ibm    | security access manager for web software     | lt    | 8.x                      | 0.8
ibm    | security access manager for web the appliance | -    | -                        | 0.8
ibm    | security access manager for mobile software  | lt    | 8.x                      | 0.8
ibm    | security access manager for mobile software  | eq    | 8.0.0-iss-isam-fp0005    | 0.8

sources: BID: 70197 // JVNDB: JVNDB-2014-004512 // CNNVD: CNNVD-201410-057 // NVD: CVE-2014-6079

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-6079
value: MEDIUM

Trust: 1.0

NVD: CVE-2014-6079
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201410-057
value: MEDIUM

Trust: 0.6

VULHUB: VHN-74022
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2014-6079
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-74022
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-74022 // JVNDB: JVNDB-2014-004512 // CNNVD: CNNVD-201410-057 // NVD: CVE-2014-6079

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.9

sources: VULHUB: VHN-74022 // JVNDB: JVNDB-2014-004512 // NVD: CVE-2014-6079

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201410-057

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201410-057

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-004512

PATCH

title   | url                                                        | Trust
1685244 | http://www-01.ibm.com/support/docview.wss?uid=swg21685244 | 0.8
1684466 | http://www-01.ibm.com/support/docview.wss?uid=swg21684466 | 0.8

sources: JVNDB: JVNDB-2014-004512

EXTERNAL IDS

db      | id                 | Trust
NVD     | CVE-2014-6079      | 2.8
BID     | 70197              | 1.4
SECUNIA | 61278              | 1.1
SECUNIA | 61294              | 1.1
JVNDB   | JVNDB-2014-004512  | 0.8
CNNVD   | CNNVD-201410-057   | 0.7
XF      | 95763              | 0.6
VULHUB  | VHN-74022          | 0.1

sources: VULHUB: VHN-74022 // BID: 70197 // JVNDB: JVNDB-2014-004512 // CNNVD: CNNVD-201410-057 // NVD: CVE-2014-6079

REFERENCES

url                                                             | Trust
http://www-01.ibm.com/support/docview.wss?uid=swg21684466      | 1.7
http://www-01.ibm.com/support/docview.wss?uid=swg1iv64910      | 1.1
http://www-01.ibm.com/support/docview.wss?uid=swg1iv64919      | 1.1
http://www.securityfocus.com/bid/70197                         | 1.1
http://www-01.ibm.com/support/docview.wss?uid=swg21685244      | 1.1
http://secunia.com/advisories/61278                            | 1.1
http://secunia.com/advisories/61294                            | 1.1
https://exchange.xforce.ibmcloud.com/vulnerabilities/95763     | 1.1
http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-6079    | 0.8
http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-6079  | 0.8
http://xforce.iss.net/xforce/xfdb/95763                        | 0.6
http://www.ibm.com/                                            | 0.3

sources: VULHUB: VHN-74022 // BID: 70197 // JVNDB: JVNDB-2014-004512 // CNNVD: CNNVD-201410-057 // NVD: CVE-2014-6079

CREDITS

Paul Ionescu, Brennan Brazeau, John Zuccato, Jonathan Fitz-Gerald, and Warren Moynihan of IBM Security Systems Ethical Hacking Team.

Trust: 0.3

sources: BID: 70197

SOURCES

db     | id
VULHUB | VHN-74022
BID    | 70197
JVNDB  | JVNDB-2014-004512
CNNVD  | CNNVD-201410-057
NVD    | CVE-2014-6079

LAST UPDATE DATE

2024-11-23T20:38:38.623000+00:00


SOURCES UPDATE DATE

db     | id                 | date
VULHUB | VHN-74022          | 2017-09-08T00:00:00
BID    | 70197              | 2014-10-08T00:04:00
JVNDB  | JVNDB-2014-004512  | 2014-11-17T00:00:00
CNNVD  | CNNVD-201410-057   | 2014-10-10T00:00:00
NVD    | CVE-2014-6079      | 2024-11-21T02:13:44.517

SOURCES RELEASE DATE

db     | id                 | date
VULHUB | VHN-74022          | 2014-10-03T00:00:00
BID    | 70197              | 2014-09-29T00:00:00
JVNDB  | JVNDB-2014-004512  | 2014-10-06T00:00:00
CNNVD  | CNNVD-201410-057   | 2014-10-10T00:00:00
NVD    | CVE-2014-6079      | 2014-10-03T01:55:07.407