Vulnerability Name: CVE-2012-2161 (CCN-74833)
Assigned: 2012-06-08
Published: 2012-06-08
Updated: 2017-08-29
Summary: Cross-site scripting (XSS) vulnerability in deferredView.jsp in IBM Eclipse Help System (IEHS), as used in IBM Security AppScan Source 7.x and 8.x before 8.6 and IBM SPSS Data Collection Developer Library 6.0 and 6.0.1, allows remote attackers to inject arbitrary web script or HTML via a crafted URL.

CVSS v3 Severity: 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
  Exploitability Metrics: Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): None
  Scope: Scope (S): Unchanged
  Impact Metrics: Confidentiality (C): None; Integrity (I): Low; Availability (A): None

CVSS v2 Severity: 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
  3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
  Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Medium; Authentication (Au): None
  Impact Metrics: Confidentiality (C): None; Integrity (I): Partial; Availability (A): None

CCN CVSS v2 Severity: 4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
  3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
  Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Medium; Authentication (Au): None
  Impact Metrics: Confidentiality (C): None; Integrity (I): Partial; Availability (A): None
Vulnerability Type: CWE-79
Vulnerability Consequences: Gain Access

References:
  Source: MITRE  Type: CNA  Title: CVE-2012-2161
  Source: CCN  Type: SA49438  Title: IBM Eclipse Help System Redirection Weakness and Cross-Site Scripting Vulnerability
  Source: CCN  Type: SA49552  Title: IBM Rational AppScan Multiple Vulnerabilities
  Source: CCN  Type: SA49554  Title: IBM Rational AppScan Multiple Vulnerabilities
  Source: CCN  Type: SA49627  Title: IBM Rational Directory Server Help System Redirection Weakness and Cross-Site Scripting Vulnerability
  Source: CCN  Type: SA49654  Title: IBM WebSphere Application Server iehs Cross-Site Scripting Vulnerability
  Source: CCN  Type: SA49668  Title: IBM Integrated Information Core Multiple Vulnerabilities
  Source: CCN  Type: SA50125  Title: IBM Tivoli Directory Integrator IEHS Redirection Weakness and Cross-Site Scripting Vulnerability
  Source: CCN  Type: SA50806  Title: IBM Rational Synergy Multiple Vulnerabilities
  Source: CCN  Type: SA51066  Title: IBM Proventia Management SiteProtector IEHS Cross-Site Scripting Vulnerabilities
  Source: CCN  Type: SA51073  Title: IBM InfoSphere Streams Eclipse Help System Vulnerabilities
  Source: CCN  Type: SA51302  Title: IBM InfoSphere Discovery IEHS Redirection Weakness and Cross-Site Scripting Vulnerability
  Source: CCN  Type: SA51590  Title: IBM Tivoli Storage Manager FastBack IEHS Cross-Site Scripting Vulnerability
  Source: CCN  Type: SA52132  Title: IBM Multiple Products Multiple Vulnerabilities
  Source: CCN  Type: SA52175  Title: IBM Data Studio Help System Multiple Vulnerabilities
  Source: CCN  Type: SA52754  Title: IBM Lotus Domino Designer Redirection Weakness and Cross-Site Scripting Vulnerability
  Source: CCN  Type: SA52849  Title: IBM Tivoli Netcool Performance Manager IEHS Two Vulnerabilities
  Source: CCN  Type: IBM Security Bulletin 1612193  Title: Open Redirect and Cross-Site Scripting Vulnerabilities in the locally installable IBM DB2 Information Center (CVE-2012-2159, CVE-2012-2161, CVE-2013-0467)
  Source: CCN  Type: IBM Security Bulletin 1614444  Title: Open redirect and cross-site scripting vulnerabilities in DB2 QMF for Workstation and DB2 QMF for WebSphere help systems (CVE-2012-2159, CVE-2012-2161)
  Source: CCN  Type: IBM Security Bulletin 1614445  Title: Open redirect and cross-site scripting vulnerabilities in IBM DataQuant for z/OS and IBM DataQuant for Multiplatforms help systems (CVE-2012-2159, CVE-2012-2161)
  Source: CCN  Type: IBM Fix readme  Title: SiteProtector 2.9.0.1 -- Core XPU Content
  Source: CCN  Type: IBM Security Bulletin 1615067  Title: Open redirect and cross-site scripting vulnerabilities in the InfoSphere Streams help system (CVE-2012-2159, CVE-2012-2161)
  Source: CCN  Type: IBM Security Bulletin 1617872  Title: Open Redirect and Cross-Site Scripting Vulnerabilities in the IBM InfoSphere Discovery Information Center (CVE-2012-2159, CVE-2012-2161)
  Source: CCN  Type: IBM Security Bulletin 1619410  Title: Open redirect and cross-site scripting vulnerabilities in RPE help system (CVE-2012-2159, CVE-2012-2161)
  Source: CCN  Type: IBM Security Bulletin 1619693  Title: Open Redirect and Cross-Site Scripting Vulnerabilities in the locally installable IBM DB2 Information Center (CVE-2012-2159, CVE-2012-2161, CVE-2013-0467)
  Source: CCN  Type: IBM Security Bulletin 1620352  Title: FB4WKSTNS CAC is affected by multiple vulnerabilities in the underlying IBM Eclipse Help System (CVE-2012-2161)
  Source: CCN  Type: IBM Security Bulletin 1623501  Title: Multiple security vulnerabilities in the IBM InfoSphere Information Server Suite
  Source: CCN  Type: IBM Security Bulletin 1625573  Title: Open redirect and cross-site scripting vulnerabilities in the IBM Data Studio help system (CVE-2012-2159, CVE-2012-2161, CVE-2013-0467)
  Source: CCN  Type: IBM Security Bulletin 1625624  Title: Security Vulnerabilities Addressed in Asset and Service Mgmt
  Source: CCN  Type: IBM Security Bulletin 1627597  Title: Security vulnerabilities addressed in IBM Domino & IBM Domino Designer 9.0 (CVE-2013-0487, CVE-2012-2161, CVE-2012-2159, CVE-2013-0486, CVE-2012-6277, CVE-2013-0488, CVE-2013-0489)
  Source: CCN  Type: IBM Security Bulletin 1632748  Title: Security Vulnerabilities addressed in IBM Tivoli Netcool Performance Manager (CVE-2012-2159, CVE-2012-2161)
  Source: CCN  Type: IBM Security Bulletin 1635863  Title: Multiple security vulnerabilities in IBM Sales Center for WebSphere Commerce (CVE-2008-7271, CVE-2010-4647, CVE-2012-0186, CVE-2012-0191, CVE-2012-2159, CVE-2012-2161)
  Source: CCN  Type: IBM APAR PM62795  Title: 8.5: Code injection security problem in iehs.war
  Source: CCN  Type: IBM APAR JR43170  Title: Integrated Information Core interim fix for APAR JR43170
  Source: CCN  Type: IBM Security Bulletin 1596690  Title: Open Redirect and Cross-Site Scripting Vulnerabilities in the SPSS Data Collection Developer Library Help System (CVE-2012-2159, CVE-2012-2161)
  Source: CCN  Type: IBM Security Bulletin 1598423  Title: Vulnerabilities in AppScan Source
  Source: CONFIRM  Type: Vendor Advisory  URL: http://www.ibm.com/support/docview.wss?uid=swg21596690
  Source: CONFIRM  Type: Vendor Advisory  URL: http://www.ibm.com/support/docview.wss?uid=swg21598423
  Source: CCN  Type: IBM Security Bulletin 1670753  Title: Fix available for security vulnerabilities related to IEHS in IBM WebSphere Portal (multiple CVEs)
  Source: CCN  Type: IBM Security Bulletin 1681229  Title: Fix available for security vulnerabilities related to IEHS in IBM Sametime Meetings and Proxy version 9 (multiple CVEs)
  Source: CCN  Type: OSVDB ID: 82711  Title: IBM Eclipse Help System Unspecified XSS
  Source: CCN  Type: BID-53859  Title: IBM WebSphere Sensor Events Multiple Input Validation Vulnerabilities
  Source: CCN  Type: BID-53884  Title: IBM Eclipse Help System Multiple Security Vulnerabilities
  Source: CCN  Type: BID-54051  Title: IBM WebSphere Application Server 'iehs.war' Cross Site Scripting Vulnerability
  Source: CCN  Type: BID-54152  Title: IBM Rational Directory Server URI Redirection and Cross Site Scripting Vulnerabilities
  Source: XF  Type: UNKNOWN  Title: iehs-multiple-xss(74833)
  Source: CCN  Type: IBM Security Bulletin 1611767  Title: Open Redirect and Cross-Site Scripting Vulnerabilities in Administration Client for ASF Help System

Vulnerable Configuration:
Configuration 1:
  cpe:/a:ibm:security_appscan_source:7.0:*:*:*:*:*:*:* OR
  cpe:/a:ibm:security_appscan_source:8.0:*:*:*:*:*:*:* OR
  cpe:/a:ibm:security_appscan_source:8.0.0.1:*:*:*:*:*:*:* OR
  cpe:/a:ibm:security_appscan_source:8.0.0.2:*:*:*:*:*:*:* OR
  cpe:/a:ibm:security_appscan_source:8.5:*:*:*:*:*:*:* OR
  cpe:/a:ibm:security_appscan_source:8.5.0.1:*:*:*:*:*:*:*
Configuration 2:
  cpe:/a:ibm:spss_data_collection:6.0:*:*:*:*:*:*:* OR
  cpe:/a:ibm:spss_data_collection:6.0.1:*:*:*:*:*:*:*
Configuration CCN 1:
  cpe:/a:ibm:eclipse_help_system:3.4.3:*:*:*:*:*:*:* AND
  cpe:/a:ibm:lotus_domino:8.5.0:*:*:*:*:*:*:* OR
  cpe:/a:ibm:infosphere_information_server:8.1:*:*:*:*:*:*:* OR
  cpe:/a:ibm:websphere_portal:7.0:*:*:*:*:*:*:* OR
  cpe:/a:ibm:lotus_domino:8.5.1:*:*:*:*:*:*:* OR
  cpe:/a:ibm:infosphere_information_server:8.5:*:*:*:*:*:*:* OR
  cpe:/a:ibm:lotus_domino:8.5.2:*:*:*:*:*:*:* OR
  cpe:/a:ibm:lotus_domino:8.5.3:*:*:*:*:*:*:* OR
  cpe:/a:ibm:spss_data_collection:6.0:*:*:*:*:*:*:* OR
  cpe:/a:ibm:maximo_asset_management:6.2:*:*:*:*:*:*:* OR
  cpe:/a:ibm:maximo_asset_management:7.1:*:*:*:*:*:*:* OR
  cpe:/a:ibm:maximo_asset_management:7.5:*:*:*:*:*:*:* OR
  cpe:/a:ibm:websphere_portal:8.0:*:*:*:*:*:*:* OR
  cpe:/a:ibm:websphere_application_server:8.5:*:*:*:*:*:*:* OR
  cpe:/a:ibm:tivoli_asset_management_for_it:6.2:*:*:*:*:*:*:* OR
  cpe:/a:ibm:tivoli_asset_management_for_it:7.1:*:*:*:*:*:*:* OR
  cpe:/a:ibm:tivoli_asset_management_for_it:7.2:*:*:*:*:*:*:* OR
  cpe:/a:ibm:maximo_service_desk:6.2:*:*:*:*:*:*:* OR
  cpe:/a:ibm:infosphere_information_server:8.7:*:*:*:*:*:*:* OR
  cpe:/a:ibm:infosphere_master_data_management_server:8.5:*:*:*:*:*:*:* OR
  cpe:/a:ibm:infosphere_master_data_management_server:9.0.1:*:*:*:*:*:*:* OR
  cpe:/a:ibm:infosphere_master_data_management_server:9.0.2:*:*:*:*:*:*:* OR
  cpe:/a:ibm:infosphere_master_data_management_server:10.0:*:*:*:*:*:*:* OR
  cpe:/a:ibm:maximo_asset_management_essentials:7.5:*:*:*:*:*:*:* OR
  cpe:/a:ibm:maximo_asset_management_essentials:7.1:*:*:*:*:*:*:* OR
  cpe:/a:ibm:maximo_asset_management_essentials:6.2:*:*:*:*:*:*:* OR
  cpe:/a:ibm:smartcloud_control_desk:7.5:*:*:*:*:*:*:* OR
  cpe:/a:ibm:tivoli_service_request_manager:7.1:*:*:*:*:*:*:* OR
  cpe:/a:ibm:tivoli_service_request_manager:7.2:*:*:*:*:*:*:* OR
  cpe:/a:ibm:change_and_configuration_management_database:7.1:*:*:*:*:*:*:* OR
  cpe:/a:ibm:change_and_configuration_management_database:7.2:*:*:*:*:*:*:* OR
  cpe:/a:ibm:data_studio:3.1.0:*:*:*:*:*:*:* OR
  cpe:/a:ibm:data_studio:3.1.1:*:*:*:*:*:*:* OR
  cpe:/a:ibm:sametime:9.0.0.0:*:*:*:*:*:*:* OR
  cpe:/a:ibm:sametime:9.0.0.1:*:*:*:*:*:*:* OR
  cpe:/a:ibm:websphere_portal:6.1:*:*:*:*:*:*:*
Affected Products:
ibm security appscan source 7.0
ibm security appscan source 8.0
ibm security appscan source 8.0.0.1
ibm security appscan source 8.0.0.2
ibm security appscan source 8.5
ibm security appscan source 8.5.0.1
ibm spss data collection 6.0
ibm spss data collection 6.0.1
ibm eclipse help system 3.4.3
ibm lotus domino 8.5.0
ibm infosphere information server 8.1
ibm websphere portal 7.0
ibm lotus domino 8.5.1
ibm infosphere information server 8.5
ibm lotus domino 8.5.2
ibm lotus domino 8.5.3
ibm spss data collection 6.0
ibm maximo asset management 6.2
ibm maximo asset management 7.1
ibm maximo asset management 7.5
ibm websphere portal 8.0
ibm websphere application server 8.5
ibm tivoli asset management for it 6.2
ibm tivoli asset management for it 7.1
ibm tivoli asset management for it 7.2
ibm maximo service desk 6.2
ibm infosphere information server 8.7
ibm infosphere master data management server 8.5
ibm infosphere master data management server 9.0.1
ibm infosphere master data management server 9.0.2
ibm infosphere master data management server 10.0
ibm maximo asset management essentials 7.5
ibm maximo asset management essentials 7.1
ibm maximo asset management essentials 6.2
ibm smartcloud control desk 7.5
ibm tivoli service request manager 7.1
ibm tivoli service request manager 7.2
ibm change and configuration management database 7.1
ibm change and configuration management database 7.2
ibm data studio 3.1.0
ibm data studio 3.1.1
ibm sametime 9.0.0.0
ibm sametime 9.0.0.1
ibm websphere portal 6.1