Vulnerability Name: CVE-2012-2159 (CCN-74832)
Assigned: 2012-06-08
Published: 2012-06-08
Updated: 2017-08-29
Summary: Open redirect vulnerability in IBM Eclipse Help System (IEHS), as used in IBM Security AppScan Source 7.x and 8.x before 8.6 and IBM SPSS Data Collection Developer Library 6.0 and 6.0.1, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
CVSS v3 Severity: 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
  Exploitability Metrics: Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): None
  Scope (S): Unchanged
  Impact Metrics: Confidentiality (C): None; Integrity (I): Low; Availability (A): None
  Note: the CCN v3.1 vector scores User Interaction as None even though the attack described in the summary (phishing through a crafted link) only succeeds once a victim follows that link.
CVSS v2 Severity: 5.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N); 4.3 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:U/RL:OF/RC:C)
  Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Medium; Authentication (Au): None
  Impact Metrics: Confidentiality (C): Partial; Integrity (I): Partial; Availability (A): None
CCN CVSS v2 Severity: 4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N); 3.2 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
  Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Medium; Authentication (Au): None
  Impact Metrics: Confidentiality (C): None; Integrity (I): Partial; Availability (A): None
  Note: the two v2 base vectors differ only in the confidentiality metric (Partial vs. None); the CCN scoring, like the v3.1 vector above, treats the open redirect as an integrity-only issue. The temporal components E:U/RL:OF/RC:C record that no public exploit was known, an official fix was available, and the report was confirmed.
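The summary gives the bug class (an open redirect, CWE-20 input validation on a redirect target) but not the vector, so the following is an added, generic illustration rather than code from IBM Eclipse Help System or any IBM product: a redirect handler that copies a request parameter into the Location header, beside a hardened validator that only lets the user land on an allow-listed host. The origin help.example.com, the allow-list and the probe strings are assumptions constructed for this example.

```python
"""Open-redirect check for the bug class of CVE-2012-2159 (CWE-20 input
validation on a redirect target).

Added example, not IEHS code: the CVE's vectors are unspecified, so this shows
the generic shape of the flaw (a request parameter copied into the Location
header) next to a hardened validator. help.example.com and ALLOWED_HOSTS are
assumptions constructed for the example.
"""
from urllib.parse import urlsplit

SITE_SCHEME = "https"
ALLOWED_HOSTS = {"help.example.com"}  # assumed: hosts this help system may send users to


def vulnerable_redirect(target):
    """'Before' pattern: whatever the client supplied becomes the Location header.
    ?target=//evil.example sends the user off-site with no check at all."""
    return 302, {"Location": target}


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """Return True only for targets that keep the user on an allowed host."""
    # Empty, whitespace and control characters: reject outright. CR/LF in a
    # Location value is also a header-injection vector.
    if not target or any(ord(c) < 0x21 for c in target):
        return False
    # Browsers normalise backslashes to slashes in URLs, so "/\evil.example"
    # behaves like "//evil.example". urlsplit does not, so check explicitly.
    if "\\" in target:
        return False
    if target.startswith("/"):
        # Site-relative path. Exactly one leading slash is required:
        # "//host" is protocol-relative, and browsers collapse "///host" to it.
        return not target.startswith("//")
    # Absolute URL: scheme must match the site and the host must be allow-listed.
    # Anything without a scheme ("topic.html", "help.example.com/x") is rejected
    # as ambiguous rather than guessed at.
    try:
        parts = urlsplit(target)
    except ValueError:  # e.g. malformed IPv6 literal such as "https://[evil/"
        return False
    if parts.scheme.lower() != SITE_SCHEME or parts.hostname is None:
        return False
    # .hostname drops userinfo and port and lower-cases the result, so
    # "https://help.example.com@evil.example/" yields "evil.example" and is refused.
    return parts.hostname in allowed_hosts


def safe_redirect(target, fallback="/"):
    """Hardened handler: redirect only to validated targets, else to fallback."""
    return 302, {"Location": target if is_safe_redirect(target) else fallback}


if __name__ == "__main__":
    # Constructed probe set of the kind a tester would send to a redirect parameter.
    probes = [
        "/topic/overview.html",
        "https://help.example.com/topic?x=1",
        "https://HELP.example.com:443/topic",
        "//evil.example/phish",
        "///evil.example",
        "/\\evil.example",
        "https://help.example.com@evil.example/",
        "https://help.example.com.evil.example/",
        "http://help.example.com/",
        "javascript:alert(1)",
        "https://evil.example/\r\nSet-Cookie: a=b",
    ]
    for p in probes:
        print(f"{'ALLOW' if is_safe_redirect(p) else 'DENY ':5} {p!r}")
```

The validator is deliberately conservative: it refuses scheme-less and scheme-downgrading targets rather than trying to repair them, and it checks the slash and backslash cases before parsing because Python's urlsplit and a browser disagree on how "///host" and "/\host" resolve.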
Vulnerability Type: CWE-20
Vulnerability Consequences: Other
References:
  MITRE (CNA): CVE-2012-2159
  CCN SA49438: IBM Eclipse Help System Redirection Weakness and Cross-Site Scripting Vulnerability
  CCN SA49455: IBM SPSS Data Collection Developer Library Eclipse Help System Vulnerabilities
  CCN SA49627: IBM Rational Directory Server Help System Redirection Weakness and Cross-Site Scripting Vulnerability
  CCN SA49668: IBM Integrated Information Core Multiple Vulnerabilities
  CCN SA49959: IBM WebSphere Products Eclipse Help System Vulnerabilities
  CCN SA50125: IBM Tivoli Directory Integrator IEHS Redirection Weakness and Cross-Site Scripting Vulnerability
  CCN SA50729: IBM Installation Manager IEHS Redirection Weakness and Cross-Site Scripting Vulnerability
  CCN SA50755: Rational Business Developer Multiple Vulnerabilities
  CCN SA50784: IBM Rational Change IEHS Redirection Weakness and Cross-Site Scripting Vulnerability
  CCN SA51053: IBM DataQuant / DB2 QMF IEHS Redirection Weakness and Cross-Site Scripting Vulnerability
  CCN SA51302: IBM InfoSphere Discovery IEHS Redirection Weakness and Cross-Site Scripting Vulnerability
  CCN SA52132: IBM Multiple Products Multiple Vulnerabilities
  CCN SA52175: IBM Data Studio Help System Multiple Vulnerabilities
  CCN SA52754: IBM Lotus Domino Designer Redirection Weakness and Cross-Site Scripting Vulnerability
  CCN SA52849: IBM Tivoli Netcool Performance Manager IEHS Two Vulnerabilities
  CCN IBM Security Bulletin 1605839: ClearQuest Help System Open Redirect (CVE-2012-2159)
  CCN IBM Security Bulletin 1612193: Open Redirect and Cross-Site Scripting Vulnerabilities in the locally installable IBM DB2 Information Center (CVE-2012-2159, CVE-2012-2161, CVE-2013-0467)
  CCN IBM Security Bulletin 1614265: Security Vulnerabilities fixed in IBM WebSphere Application Server 8.5.0.1
  CCN IBM Security Bulletin 1614444: Open redirect and cross-site scripting vulnerabilities in DB2 QMF for Workstation and DB2 QMF for WebSphere help systems (CVE-2012-2159, CVE-2012-2161)
  CCN IBM Security Bulletin 1614445: Open redirect and cross-site scripting vulnerabilities in IBM DataQuant for z/OS and IBM DataQuant for Multiplatforms help systems (CVE-2012-2159, CVE-2012-2161)
  CCN IBM Security Bulletin 1615067: Open redirect and cross-site scripting vulnerabilities in the InfoSphere Streams help system (CVE-2012-2159, CVE-2012-2161)
  CCN IBM Security Bulletin 1617872: Open Redirect and Cross-Site Scripting Vulnerabilities in the IBM InfoSphere Discovery Information Center (CVE-2012-2159, CVE-2012-2161)
  CCN IBM Security Bulletin 1619410: Open redirect and cross-site scripting vulnerabilities in RPE help system (CVE-2012-2159, CVE-2012-2161)
  CCN IBM Security Bulletin 1619693: Open Redirect and Cross-Site Scripting Vulnerabilities in help system for InfoSphere MDM Server, InfoSphere Master Information Hub and InfoSphere MDM Custom Domain Hub (CVE-2012-2159, CVE-2012-2161)
  CCN IBM Security Bulletin 1623501: Multiple security vulnerabilities in the IBM InfoSphere Information Server Suite
  CCN IBM Security Bulletin 1625573: Open redirect and cross-site scripting vulnerabilities in the IBM Data Studio help system (CVE-2012-2159, CVE-2012-2161, CVE-2013-0467)
  CCN IBM Security Bulletin 1625624: Security Vulnerabilities Addressed in Asset and Service Mgmt
  CCN IBM Security Bulletin 1627597: Security vulnerabilities addressed in IBM Domino & IBM Domino Designer 9.0 (CVE-2013-0487, CVE-2012-2161, CVE-2012-2159, CVE-2013-0486, CVE-2012-6277, CVE-2013-0488, CVE-2013-0489)
  CCN IBM Security Bulletin 1632748: Security Vulnerabilities addressed in IBM Tivoli Netcool Performance Manager (CVE-2012-2159, CVE-2012-2161)
  CCN IBM Security Bulletin 1635863: Multiple security vulnerabilities in IBM Sales Center for WebSphere Commerce (CVE-2008-7271, CVE-2010-4647, CVE-2012-0186, CVE-2012-0191, CVE-2012-2159, CVE-2012-2161)
  CCN IBM APAR JR43170: Integrated Information Core interim fix for APAR JR43170
  CCN IBM Security Bulletin 1596690: Open Redirect and Cross-Site Scripting Vulnerabilities in the SPSS Data Collection Developer Library Help System (CVE-2012-2159, CVE-2012-2161)
  CCN IBM Security Bulletin 1598423: Vulnerabilities in AppScan Source
  CONFIRM (Vendor Advisory): http://www.ibm.com/support/docview.wss?uid=swg21596690
  CONFIRM (Vendor Advisory): http://www.ibm.com/support/docview.wss?uid=swg21598423
  CCN IBM Security Bulletin 1670753: Fix available for security vulnerabilities related to IEHS in IBM WebSphere Portal (multiple CVEs)
  CCN IBM Security Bulletin 1681229: Fix available for security vulnerabilities related to IEHS in IBM Sametime Meetings and Proxy version 9 (multiple CVEs)
  CCN OSVDB ID 82754: IBM Eclipse Help System Unspecified Arbitrary Site Redirect
  CCN BID-53859: IBM WebSphere Sensor Events Multiple Input Validation Vulnerabilities
  CCN BID-53884: IBM Eclipse Help System Multiple Security Vulnerabilities
  CCN BID-54152: IBM Rational Directory Server URI Redirection and Cross Site Scripting Vulnerabilities
  XF: iehs-multiple-open-redirect(74832)
  CCN IBM Security Bulletin 1611767: Open Redirect and Cross-Site Scripting Vulnerabilities in Administration Client for ASF Help System
Vulnerable Configuration:
Configuration 1 (any of):
  cpe:/a:ibm:security_appscan_source:7.0:*:*:*:*:*:*:*
  cpe:/a:ibm:security_appscan_source:8.0:*:*:*:*:*:*:*
  cpe:/a:ibm:security_appscan_source:8.0.0.1:*:*:*:*:*:*:*
  cpe:/a:ibm:security_appscan_source:8.0.0.2:*:*:*:*:*:*:*
  cpe:/a:ibm:security_appscan_source:8.5:*:*:*:*:*:*:*
  cpe:/a:ibm:security_appscan_source:8.5.0.1:*:*:*:*:*:*:*
Configuration 2 (any of):
  cpe:/a:ibm:spss_data_collection:6.0:*:*:*:*:*:*:*
  cpe:/a:ibm:spss_data_collection:6.0.1:*:*:*:*:*:*:*
Configuration CCN 1: cpe:/a:ibm:eclipse_help_system:3.4.3:*:*:*:*:*:*:* AND any of:
  cpe:/a:ibm:lotus_domino:8.5.0:*:*:*:*:*:*:*
  cpe:/a:ibm:infosphere_information_server:8.1:*:*:*:*:*:*:*
  cpe:/a:ibm:rational_clearquest:7.1:*:*:*:*:*:*:*
  cpe:/a:ibm:websphere_portal:7.0:*:*:*:*:*:*:*
  cpe:/a:ibm:lotus_domino:8.5.1:*:*:*:*:*:*:*
  cpe:/a:ibm:infosphere_information_server:8.5:*:*:*:*:*:*:*
  cpe:/a:ibm:lotus_domino:8.5.2:*:*:*:*:*:*:*
  cpe:/a:ibm:lotus_domino:8.5.3:*:*:*:*:*:*:*
  cpe:/a:ibm:spss_data_collection:6.0:*:*:*:*:*:*:*
  cpe:/a:ibm:maximo_asset_management:6.2:*:*:*:*:*:*:*
  cpe:/a:ibm:maximo_asset_management:7.1:*:*:*:*:*:*:*
  cpe:/a:ibm:maximo_asset_management:7.5:*:*:*:*:*:*:*
  cpe:/a:ibm:rational_clearquest:8.0:*:*:*:*:*:*:*
  cpe:/a:ibm:websphere_portal:8.0:*:*:*:*:*:*:*
  cpe:/a:ibm:websphere_application_server:8.5:*:*:*:*:*:*:*
  cpe:/a:ibm:tivoli_asset_management_for_it:6.2:*:*:*:*:*:*:*
  cpe:/a:ibm:tivoli_asset_management_for_it:7.1:*:*:*:*:*:*:*
  cpe:/a:ibm:tivoli_asset_management_for_it:7.2:*:*:*:*:*:*:*
  cpe:/a:ibm:maximo_service_desk:6.2:*:*:*:*:*:*:*
  cpe:/a:ibm:infosphere_information_server:8.7:*:*:*:*:*:*:*
  cpe:/a:ibm:infosphere_master_data_management_server:8.5:*:*:*:*:*:*:*
  cpe:/a:ibm:infosphere_master_data_management_server:9.0.1:*:*:*:*:*:*:*
  cpe:/a:ibm:infosphere_master_data_management_server:9.0.2:*:*:*:*:*:*:*
  cpe:/a:ibm:infosphere_master_data_management_server:10.0:*:*:*:*:*:*:*
  cpe:/a:ibm:maximo_asset_management_essentials:7.5:*:*:*:*:*:*:*
  cpe:/a:ibm:maximo_asset_management_essentials:7.1:*:*:*:*:*:*:*
  cpe:/a:ibm:maximo_asset_management_essentials:6.2:*:*:*:*:*:*:*
  cpe:/a:ibm:smartcloud_control_desk:7.5:*:*:*:*:*:*:*
  cpe:/a:ibm:tivoli_service_request_manager:7.1:*:*:*:*:*:*:*
  cpe:/a:ibm:tivoli_service_request_manager:7.2:*:*:*:*:*:*:*
  cpe:/a:ibm:change_and_configuration_management_database:7.1:*:*:*:*:*:*:*
  cpe:/a:ibm:change_and_configuration_management_database:7.2:*:*:*:*:*:*:*
  cpe:/a:ibm:data_studio:3.1.0:*:*:*:*:*:*:*
  cpe:/a:ibm:data_studio:3.1.1:*:*:*:*:*:*:*
  cpe:/a:ibm:sametime:9.0.0.0:*:*:*:*:*:*:*
  cpe:/a:ibm:sametime:9.0.0.1:*:*:*:*:*:*:*
  cpe:/a:ibm:websphere_portal:6.1:*:*:*:*:*:*:*
Affected Products (one line per CPE entry above, in the same order):
ibm security appscan source 7.0
ibm security appscan source 8.0
ibm security appscan source 8.0.0.1
ibm security appscan source 8.0.0.2
ibm security appscan source 8.5
ibm security appscan source 8.5.0.1
ibm spss data collection 6.0
ibm spss data collection 6.0.1
ibm eclipse help system 3.4.3
ibm lotus domino 8.5.0
ibm infosphere information server 8.1
ibm rational clearquest 7.1
ibm websphere portal 7.0
ibm lotus domino 8.5.1
ibm infosphere information server 8.5
ibm lotus domino 8.5.2
ibm lotus domino 8.5.3
ibm spss data collection 6.0
ibm maximo asset management 6.2
ibm maximo asset management 7.1
ibm maximo asset management 7.5
ibm rational clearquest 8.0
ibm websphere portal 8.0
ibm websphere application server 8.5
ibm tivoli asset management for it 6.2
ibm tivoli asset management for it 7.1
ibm tivoli asset management for it 7.2
ibm maximo service desk 6.2
ibm infosphere information server 8.7
ibm infosphere master data management server 8.5
ibm infosphere master data management server 9.0.1
ibm infosphere master data management server 9.0.2
ibm infosphere master data management server 10.0
ibm maximo asset management essentials 7.5
ibm maximo asset management essentials 7.1
ibm maximo asset management essentials 6.2
ibm smartcloud control desk 7.5
ibm tivoli service request manager 7.1
ibm tivoli service request manager 7.2
ibm change and configuration management database 7.1
ibm change and configuration management database 7.2
ibm data studio 3.1.0
ibm data studio 3.1.1
ibm sametime 9.0.0.0
ibm sametime 9.0.0.1
ibm websphere portal 6.1