Details of VAR-201602-0228

ID

VAR-201602-0228

CVE

CVE-2015-8531

TITLE

IBM Security Access Manager for Web and Security Access Manager Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2015-006888

DESCRIPTION

Cross-site scripting (XSS) vulnerability in IBM Security Access Manager for Web 8.0 before 8.0.1.3 IF4 and 9.0 before 9.0.0.1 IF1 allows remote attackers to inject arbitrary web script or HTML via a crafted URL. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. It provides user access management and Web application protection function. A cross-site scripting vulnerability exists in ISAM for Web versions 8.0 and 9.0

Trust: 1.98

sources: NVD: CVE-2015-8531 // JVNDB: JVNDB-2015-006888 // BID: 85202 // VULHUB: VHN-86492

AFFECTED PRODUCTS

vendor:	ibm	model:	security access manager for web 8.0	scope:	eq	version:	8.0.0.2	Trust: 1.6
vendor:	ibm	model:	security access manager for web 8.0	scope:	eq	version:	8.0.0.3	Trust: 1.6
vendor:	ibm	model:	security access manager for web 8.0	scope:	eq	version:	8.0.1.2	Trust: 1.6
vendor:	ibm	model:	security access manager for web 8.0	scope:	eq	version:	8.0.0.5	Trust: 1.6
vendor:	ibm	model:	security access manager 9.0	scope:	eq	version:	9.0.0	Trust: 1.6
vendor:	ibm	model:	security access manager for web 8.0	scope:	eq	version:	8.0.1.0	Trust: 1.6
vendor:	ibm	model:	security access manager for web 8.0	scope:	eq	version:	8.0.1	Trust: 1.6
vendor:	ibm	model:	security access manager for web 8.0	scope:	eq	version:	8.0.0.1	Trust: 1.6
vendor:	ibm	model:	security access manager for web software	scope:	lt	version:	8.0	Trust: 0.8
vendor:	ibm	model:	security access manager software	scope:	lt	version:	9.0	Trust: 0.8
vendor:	ibm	model:	security access manager software	scope:	eq	version:	9.0.0.1 if1	Trust: 0.8
vendor:	ibm	model:	security access manager for web software	scope:	eq	version:	8.0.1.3 if4	Trust: 0.8

sources: JVNDB: JVNDB-2015-006888 // CNNVD: CNNVD-201602-285 // NVD: CVE-2015-8531

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2015-8531
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2015-8531
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201602-285
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-86492
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2015-8531
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-86492
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2015-8531
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	2.7
version:	3.0
Trust: 1.0

sources: VULHUB: VHN-86492 // JVNDB: JVNDB-2015-006888 // CNNVD: CNNVD-201602-285 // NVD: CVE-2015-8531

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.9

sources: VULHUB: VHN-86492 // JVNDB: JVNDB-2015-006888 // NVD: CVE-2015-8531

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201602-285

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201602-285

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-006888

PATCH

title:	1974651	url:	http://www-01.ibm.com/support/docview.wss?uid=swg21974651	Trust: 0.8
title:	IBM Security Access Manager for Web Fixes for cross-site scripting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=60226	Trust: 0.6

sources: JVNDB: JVNDB-2015-006888 // CNNVD: CNNVD-201602-285

EXTERNAL IDS

db:	NVD	id:	CVE-2015-8531	Trust: 2.8
db:	JVNDB	id:	JVNDB-2015-006888	Trust: 0.8
db:	CNNVD	id:	CNNVD-201602-285	Trust: 0.7
db:	BID	id:	85202	Trust: 0.4
db:	VULHUB	id:	VHN-86492	Trust: 0.1

sources: VULHUB: VHN-86492 // BID: 85202 // JVNDB: JVNDB-2015-006888 // CNNVD: CNNVD-201602-285 // NVD: CVE-2015-8531

REFERENCES

url:	http://www-01.ibm.com/support/docview.wss?uid=swg1iv80692	Trust: 1.7
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21974651	Trust: 1.7
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-8531	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-8531	Trust: 0.8
url:	http://www.ibm.com/	Trust: 0.3

sources: VULHUB: VHN-86492 // BID: 85202 // JVNDB: JVNDB-2015-006888 // CNNVD: CNNVD-201602-285 // NVD: CVE-2015-8531

CREDITS

Paul Ionescu, Warren Moynihan, Jonathan Fitz-Gerald, John Zuccato, Chris Shepherd, Dmitriy Beryoza of IBM X-Force Ethical Hacking Team.

Trust: 0.3

sources: BID: 85202

SOURCES

db:	VULHUB	id:	VHN-86492
db:	BID	id:	85202
db:	JVNDB	id:	JVNDB-2015-006888
db:	CNNVD	id:	CNNVD-201602-285
db:	NVD	id:	CVE-2015-8531

LAST UPDATE DATE

2024-11-23T22:49:16.144000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-86492	date:	2016-02-24T00:00:00
db:	BID	id:	85202	date:	2016-02-24T00:00:00
db:	JVNDB	id:	JVNDB-2015-006888	date:	2016-02-25T00:00:00
db:	CNNVD	id:	CNNVD-201602-285	date:	2016-02-16T00:00:00
db:	NVD	id:	CVE-2015-8531	date:	2024-11-21T02:38:40.467

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-86492	date:	2016-02-15T00:00:00
db:	BID	id:	85202	date:	2016-02-24T00:00:00
db:	JVNDB	id:	JVNDB-2015-006888	date:	2016-02-25T00:00:00
db:	CNNVD	id:	CNNVD-201602-285	date:	2016-02-16T00:00:00
db:	NVD	id:	CVE-2015-8531	date:	2016-02-15T02:59:14.107