ID

VAR-202201-0543


CVE

CVE-2021-38895


TITLE

Cross-site scripting vulnerability in IBM Security Verify

Trust: 0.8

sources: JVNDB: JVNDB-2021-017526

DESCRIPTION

IBM Security Verify 10.0.0, 10.0.1.0, and 10.0.2.0 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 209563. The vendor has published this vulnerability as IBM X-Force ID: 209563. Information may be obtained and information may be tampered with. The service enables secure and simple access to platforms such as web, mobile, IoT and cloud technologies by using risk-based access, single sign-on, integrated access management controls, identity federation, and mobile multi-factor authentication. IBM Security Verify Access has a cross-site scripting vulnerability.

Trust: 2.16

sources: NVD: CVE-2021-38895 // JVNDB: JVNDB-2021-017526 // CNNVD: CNNVD-202201-564

AFFECTED PRODUCTS

vendor: ibm, model: security verify access, scope: eq, version: 10.0.2.0

Trust: 1.8

vendor: ibm, model: security verify access, scope: eq, version: 10.0.1.0

Trust: 1.8

vendor: ibm, model: security verify access, scope: eq, version: 10.0.0

Trust: 1.8

vendor: ibm, model: security verify access, scope: eq, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2021-017526 // NVD: CVE-2021-38895

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2021-38895
value: MEDIUM

Trust: 1.8

psirt@us.ibm.com: CVE-2021-38895
value: LOW

Trust: 1.0

CNNVD: CNNVD-202201-564
value: LOW

Trust: 0.6

NVD:
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: FALSE
obtainAllPrivilege: FALSE
obtainUserPrivilege: FALSE
obtainOtherPrivilege: FALSE
userInteractionRequired: TRUE
version: 2.0

Trust: 1.0

NVD: CVE-2021-38895
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

NVD:
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.3
impactScore: 2.7
version: 3.1

Trust: 1.0

psirt@us.ibm.com:
baseSeverity: LOW
baseScore: 3.0
vectorString: CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 1.3
impactScore: 1.4
version: 3.0

Trust: 1.0

NVD: CVE-2021-38895
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2021-017526 // NVD: CVE-2021-38895 // NVD: CVE-2021-38895 // CNNVD: CNNVD-202201-564

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.0

problemtype: Cross-site scripting (CWE-79) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2021-017526 // NVD: CVE-2021-38895

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202201-564

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202201-564

CONFIGURATIONS

sources: NVD: CVE-2021-38895

PATCH

title: 6538418 IBM X-Force Exchange, url: https://www.ibm.com/support/pages/node/6538418

Trust: 0.8

title: IBM Security Verify Access Fixes for cross-site scripting vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=177316

Trust: 0.6

sources: JVNDB: JVNDB-2021-017526 // CNNVD: CNNVD-202201-564

EXTERNAL IDS

db: NVD, id: CVE-2021-38895

Trust: 3.2

db: JVNDB, id: JVNDB-2021-017526

Trust: 0.8

db: CS-HELP, id: SB2022011038

Trust: 0.6

db: CNNVD, id: CNNVD-202201-564

Trust: 0.6

sources: JVNDB: JVNDB-2021-017526 // NVD: CVE-2021-38895 // CNNVD: CNNVD-202201-564

REFERENCES

url: https://exchange.xforce.ibmcloud.com/vulnerabilities/209563

Trust: 1.6

url: https://www.ibm.com/support/pages/node/6538418

Trust: 1.6

url: https://nvd.nist.gov/vuln/detail/cve-2021-38895

Trust: 1.4

url: https://www.cybersecurity-help.cz/vdb/sb2022011038

Trust: 0.6

sources: JVNDB: JVNDB-2021-017526 // NVD: CVE-2021-38895 // CNNVD: CNNVD-202201-564

SOURCES

db: JVNDB, id: JVNDB-2021-017526
db: NVD, id: CVE-2021-38895
db: CNNVD, id: CNNVD-202201-564

LAST UPDATE DATE

2023-12-18T11:10:40.753000+00:00


SOURCES UPDATE DATE

db: JVNDB, id: JVNDB-2021-017526, date: 2023-01-24T06:26:00
db: NVD, id: CVE-2021-38895, date: 2022-01-13T20:19:46.163
db: CNNVD, id: CNNVD-202201-564, date: 2022-02-09T00:00:00

SOURCES RELEASE DATE

db: JVNDB, id: JVNDB-2021-017526, date: 2023-01-24T00:00:00
db: NVD, id: CVE-2021-38895, date: 2022-01-10T14:10:20.470
db: CNNVD, id: CNNVD-202201-564, date: 2022-01-10T00:00:00