
V-094: IBM Multiple Products Multiple Vulnerabilities

February 19, 2013 - 1:41am


PROBLEM:

IBM Multiple Products Multiple Vulnerabilities

PLATFORM:

IBM Maximo Asset Management versions 7.5, 7.1, and 6.2
IBM Maximo Asset Management Essentials versions 7.5, 7.1, and 6.2
IBM SmartCloud Control Desk version 7.5
IBM Tivoli Asset Management for IT versions 7.2, 7.1, and 6.2
IBM Tivoli Change and Configuration Management Database versions 7.2 and 7.1
IBM Tivoli Service Request Manager versions 7.2, 7.1, and 6.2

ABSTRACT:

A weakness and multiple vulnerabilities have been reported in multiple IBM products.

REFERENCE LINKS:

IBM Reference #: 1625624
IBM Product Security Incident Response Blog
Secunia Advisory SA52132
CVE-2012-2159
CVE-2012-2161
CVE-2012-3316
CVE-2012-3321
CVE-2012-3322
CVE-2012-3327
CVE-2012-3328
CVE-2012-6355
CVE-2012-6356
CVE-2012-6357
CVE-2013-0457

IMPACT ASSESSMENT:

Medium

DISCUSSION:

1) The application bundles a vulnerable version of the IBM Eclipse Help System (IEHS).

2) Certain unspecified input is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

3) Some unspecified errors can be exploited to bypass certain security restrictions.

IMPACT:

The vulnerabilities can be exploited by malicious users to bypass certain security restrictions, and by malicious people to conduct cross-site scripting and spoofing attacks and to bypass certain security restrictions.

SOLUTION:

The recommended solution is to download the appropriate Interim Fix or Fix Pack from Fix Central.
