Details of VAR-201801-1022

ID

VAR-201801-1022

CVE

CVE-2017-1533

TITLE

IBM Security Access Manager Appliance Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2018-001328

DESCRIPTION

IBM Security Access Manager Appliance 9.0.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 130675. Vendors have confirmed this vulnerability IBM X-Force ID: 130675 It is released as.Information may be obtained and information may be altered. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. The product enables access management control through integrated appliances for web, mobile and cloud computing

Trust: 1.98

sources: NVD: CVE-2017-1533 // JVNDB: JVNDB-2018-001328 // BID: 102496 // VULHUB: VHN-106141

AFFECTED PRODUCTS

vendor:	ibm	model:	security access manager 9.0	scope:	eq	version:	*	Trust: 1.0
vendor:	ibm	model:	security access manager	scope:	eq	version:	9.0.3	Trust: 0.8
vendor:	ibm	model:	security access manager 9.0	scope:	-	version:	-	Trust: 0.6
vendor:	ibm	model:	security access manager	scope:	eq	version:	9.0.3.1	Trust: 0.3
vendor:	ibm	model:	security access manager	scope:	eq	version:	9.0.3.0	Trust: 0.3

sources: BID: 102496 // JVNDB: JVNDB-2018-001328 // CNNVD: CNNVD-201801-379 // NVD: CVE-2017-1533

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-1533
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2017-1533
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201801-379
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-106141
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2017-1533
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-106141
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2017-1533
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	2.7
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-106141 // JVNDB: JVNDB-2018-001328 // CNNVD: CNNVD-201801-379 // NVD: CVE-2017-1533

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.9

sources: VULHUB: VHN-106141 // JVNDB: JVNDB-2018-001328 // NVD: CVE-2017-1533

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201801-379

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201801-379

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-001328

PATCH

title:	2012327	url:	http://www-01.ibm.com/support/docview.wss?uid=swg22012327	Trust: 0.8
title:	IBM Security Access Manager Fixes for cross-site scripting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=77635	Trust: 0.6

sources: JVNDB: JVNDB-2018-001328 // CNNVD: CNNVD-201801-379

EXTERNAL IDS

db:	NVD	id:	CVE-2017-1533	Trust: 2.8
db:	BID	id:	102496	Trust: 2.0
db:	SECTRACK	id:	1040168	Trust: 1.7
db:	JVNDB	id:	JVNDB-2018-001328	Trust: 0.8
db:	CNNVD	id:	CNNVD-201801-379	Trust: 0.7
db:	VULHUB	id:	VHN-106141	Trust: 0.1

sources: VULHUB: VHN-106141 // BID: 102496 // JVNDB: JVNDB-2018-001328 // CNNVD: CNNVD-201801-379 // NVD: CVE-2017-1533

REFERENCES

url:	http://www.securityfocus.com/bid/102496	Trust: 1.7
url:	http://www.ibm.com/support/docview.wss?uid=swg22012327	Trust: 1.7
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/130675	Trust: 1.7
url:	http://www.securitytracker.com/id/1040168	Trust: 1.7
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-1533	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-1533	Trust: 0.8
url:	http://www.ibm.com/	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg22012327	Trust: 0.3

sources: VULHUB: VHN-106141 // BID: 102496 // JVNDB: JVNDB-2018-001328 // CNNVD: CNNVD-201801-379 // NVD: CVE-2017-1533

CREDITS

IBM X-Force Ethical Hacking Team: Ron Craig, Warren Moynihan, Jonathan Fitz-Gerald, John Zuccato, Rodney Ryan, Chris Shepherd, Dmitriy Beryoza

Trust: 0.3

sources: BID: 102496

SOURCES

db:	VULHUB	id:	VHN-106141
db:	BID	id:	102496
db:	JVNDB	id:	JVNDB-2018-001328
db:	CNNVD	id:	CNNVD-201801-379
db:	NVD	id:	CVE-2017-1533

LAST UPDATE DATE

2024-11-23T22:12:41.885000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-106141	date:	2020-10-27T00:00:00
db:	BID	id:	102496	date:	2018-01-05T00:00:00
db:	JVNDB	id:	JVNDB-2018-001328	date:	2018-02-08T00:00:00
db:	CNNVD	id:	CNNVD-201801-379	date:	2020-10-28T00:00:00
db:	NVD	id:	CVE-2017-1533	date:	2024-11-21T03:22:01.890

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-106141	date:	2018-01-10T00:00:00
db:	BID	id:	102496	date:	2018-01-05T00:00:00
db:	JVNDB	id:	JVNDB-2018-001328	date:	2018-02-08T00:00:00
db:	CNNVD	id:	CNNVD-201801-379	date:	2018-01-11T00:00:00
db:	NVD	id:	CVE-2017-1533	date:	2018-01-10T17:29:00.873