Vulnerability Name:

CVE-2009-2316 (CCN-51530)

Assigned:2009-06-30
Published:2009-06-30
Updated:2009-08-05
Summary:Multiple cross-site scripting (XSS) vulnerabilities in IBM Tivoli Identity Manager (ITIM) 5.0 allow remote attackers to inject arbitrary web script or HTML by entering an unspecified URL in (1) the self-service UI interface or (2) the console interface.
Note: it was later reported that 4.6.0 is also affected by the first vector.
CVSS v3 Severity:5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availability (A): None
CVSS v2 Severity:4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): 
Access Complexity (AC): 
Authentication (Au): 
Impact Metrics:Confidentiality (C): 
Integrity (I): 
Availability (A): 
4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): 
Access Complexity (AC): 
Authentication (Au): 
Impact Metrics:Confidentiality (C): 
Integrity (I): 
Availability (A): 
Vulnerability Type:CWE-79
Vulnerability Consequences:Gain Access
References:Source: MITRE
Type: CNA
CVE-2009-2316

Source: OSVDB
Type: UNKNOWN
55550

Source: OSVDB
Type: UNKNOWN
55551

Source: CCN
Type: SA35696
IBM Tivoli Identity Manager Cross-Site Scripting Vulnerabilities

Source: SECUNIA
Type: Vendor Advisory
35696

Source: CCN
Type: SA36119
IBM Tivoli Manager Cross-Site Scripting Vulnerability

Source: SECUNIA
Type: UNKNOWN
36119

Source: CCN
Type: SECTRACK ID: 1022508
IBM Tivoli Identity Manager Input Validation Flaw Permits Cross-Site Scripting Attacks

Source: AIXAPAR
Type: Vendor Advisory
IZ54310

Source: CCN
Type: IBM APAR IZ54310
36107 - CORRECT XSS VULNERABILITES IN THE SELF-SERVICE UI INTERFACE

Source: AIXAPAR
Type: UNKNOWN
IZ54311

Source: AIXAPAR
Type: UNKNOWN
IZ55518

Source: CCN
Type: IBM Support & downloads
IBM Tivoli Identity Manager, ver 5.0, Interim Fix 5.0.0.6-TIV-TIM-IF0028

Source: CONFIRM
Type: Patch, Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg24023640

Source: CONFIRM
Type: UNKNOWN
http://www-01.ibm.com/support/docview.wss?uid=swg24023929

Source: CCN
Type: OSVDB ID: 55550
IBM Tivoli Identity Manager Self-Service UI Interface XSS

Source: CCN
Type: OSVDB ID: 55551
IBM Tivoli Identity Manager ITIM Console Interface XSS

Source: BID
Type: UNKNOWN
35566

Source: CCN
Type: BID-35566
IBM Tivoli Identity Manager Multiple Cross Site Scripting Vulnerabilities

Source: SECTRACK
Type: UNKNOWN
1022508

Source: VUPEN
Type: UNKNOWN
ADV-2009-1774

Source: VUPEN
Type: UNKNOWN
ADV-2009-2106

Source: XF
Type: UNKNOWN
tivoli-selfservice-xss(51530)

Vulnerable Configuration:Configuration 1:
  • cpe:/a:ibm:tivoli_identity_manager:5.0:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
Vulnerability Name:

CVE-2009-2316 (CCN-51531)

Assigned:2009-06-30
Published:2009-06-30
Updated:2009-06-30
Summary:IBM Tivoli Identity Manager is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the ITIM console. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in an administrator's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVSS v3 Severity:5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availability (A): None
CVSS v2 Severity:4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): 
Access Complexity (AC): 
Authentication (Au): 
Impact Metrics:Confidentiality (C): 
Integrity (I): 
Availability (A): 
4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): 
Access Complexity (AC): 
Authentication (Au): 
Impact Metrics:Confidentiality (C): 
Integrity (I): 
Availability (A): 
Vulnerability Consequences:Gain Access
References:Source: MITRE
Type: CNA
CVE-2009-2316

Source: CCN
Type: SA35696
IBM Tivoli Identity Manager Cross-Site Scripting Vulnerabilities

Source: CCN
Type: SA36119
IBM Tivoli Manager Cross-Site Scripting Vulnerability

Source: CCN
Type: SECTRACK ID: 1022508
IBM Tivoli Identity Manager Input Validation Flaw Permits Cross-Site Scripting Attacks

Source: CCN
Type: IBM APAR IZ54311
36115 - CORRECT XSS VULNERABILITES IN THE ITIM CONSOLE INTERFACE

Source: CCN
Type: IBM Support & downloads
IBM Tivoli Identity Manager, ver 5.0, Interim Fix 5.0.0.6-TIV-TIM-IF0028

Source: CCN
Type: OSVDB ID: 55550
IBM Tivoli Identity Manager Self-Service UI Interface XSS

Source: CCN
Type: OSVDB ID: 55551
IBM Tivoli Identity Manager ITIM Console Interface XSS

Source: CCN
Type: BID-35566
IBM Tivoli Identity Manager Multiple Cross Site Scripting Vulnerabilities

Source: XF
Type: UNKNOWN
tivoli-itim-console-xss(51531)

Vulnerable Configuration:Configuration CCN 1:
  • cpe:/a:ibm:tivoli_identity_manager:5.0:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable