Vulnerability Name: CVE-2014-8917 (CCN-99303)
Assigned: 2014-11-14
Published: 2015-01-22
Updated: 2017-09-08
Summary: Multiple cross-site scripting (XSS) vulnerabilities in (1) dojox/form/resources/uploader.swf (aka upload.swf), (2) dojox/form/resources/fileuploader.swf (aka fileupload.swf), (3) dojox/av/resources/audio.swf, and (4) dojox/av/resources/video.swf in the IBM Dojo Toolkit, as used in IBM Social Media Analytics 1.3 before IF11 and other products, allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. The affected components are Flash (SWF) movies shipped with dojox; the injection vector is not disclosed in the advisory.
CVSS v3 Severity: 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
  Exploitability Metrics: Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): None
  Scope (S): Unchanged
  Impact Metrics: Confidentiality (C): None; Integrity (I): Low; Availability (A): None
CVSS v2 Severity: 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
  Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Medium; Authentication (Au): None
  Impact Metrics: Confidentiality (C): None; Integrity (I): Partial; Availability (A): None
CCN CVSS v2 Severity: 4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
  Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Medium; Authentication (Au): None
  Impact Metrics: Confidentiality (C): None; Integrity (I): Partial; Availability (A): None
Vulnerability Type: CWE-79
Vulnerability Consequences: Cross-Site Scripting
References:
  MITRE (CNA): CVE-2014-8917
  SECUNIA: 62590
  SECUNIA: 62837
  CONFIRM (Patch, Vendor Advisory): http://www-01.ibm.com/support/docview.wss?uid=swg21694693
  CONFIRM (Vendor Advisory): http://www-01.ibm.com/support/docview.wss?uid=swg21696013
  CCN, IBM Security Bulletin 1694652: Fixes are available for Security Vulnerabilities in Dojo that affect IBM WebSphere Portal (CVE-2014-8917)
  CCN, IBM Security Bulletin 1694693: A Security vulnerability in the IBM Dojo Toolkit affects IBM Social Media Analytics (CVE-2014-8917)
  CCN, IBM Security Bulletin 1694805: IBM Docs dojox/form/resources/*.swf and dojox/av/resources/*.swf XSS vulnerability (CVE-2014-8917)
  CCN, IBM Security Bulletin 1696523: IBM Security Network Protection is affected by Dojo Toolkit XSS vulnerabilities (CVE-2014-8917)
  CCN, IBM Security Bulletin 1697317: A vulnerability in the IBM Dojo Toolkit affects IBM Cognos Metrics Manager (CVE-2014-8917)
  CCN, IBM Security Bulletin 1697451: IBM Forms Server (Webform Server) is potentially affected by a cross-site scripting vulnerability (CVE-2014-8917)
  CCN, IBM Security Bulletin 1700299: Vulnerability in the Dojo Toolkit affects IBM Business Process Manager, which is shipped with IBM SmartCloud Orchestrator and IBM SmartCloud Orchestrator Enterprise (CVE-2014-8917)
  CCN, IBM Security Bulletin 1883245: Multiple Vulnerabilities in IBM Notes, iNotes and Domino (CVE-2014-8917, CVE-2015-1902, CVE-2015-1903)
  CCN, IBM Security Bulletin 1902376: A vulnerability in the IBM Dojo Toolkit affects IBM Cognos TM1 (CVE-2014-8917)
  CCN, IBM Security Bulletin 1902612: A Security vulnerability in the IBM Dojo Toolkit affects InfoSphere BigInsights (CVE-2014-8917)
  CCN, IBM Security Bulletin 1903088: Multiple Vulnerabilities in IBM Connections Mail plug-in (CVE-2014-5191, CVE-2014-8917)
  CCN, IBM Security Bulletin 1903299: Multiple vulnerabilities in IBM Tivoli Common Reporting (CVE-2015-0138, CVE-2014-9495, CVE-2014-8917, CVE-2015-0973, CVE-2014-3566, CVE-2014-6457, CVE-2014-6593, CVE-2015-0410, CVE-2014-3569, CVE-2015-0204, CVE-2014-3570)
  CCN, IBM Security Bulletin 1957732: XSS Vulnerabilities in IBM Dojo Toolkit affect WebSphere Service Registry and Repository
  CCN, IBM Security Bulletin 1957956: IBM API Management is vulnerable to CVE-2014-8917
  CCN, IBM Security Bulletin 1959709: Vulnerabilities in IBM Dojo Toolkit affect IBM Image Construction and Composition Tool (CVE-2014-8917)
  CCN, IBM Security Bulletin 1961009: Multiple vulnerabilities have been identified in IBM SmartCloud Provisioning and bundling products
  BID: 72903
  CCN, BID-72903: Dojo Toolkit CVE-2014-8917 Multiple Cross Site Scripting Vulnerabilities
  SECTRACK: 1032376
  XF: ibm-dojo-cve20148917-xss(99303)
Vulnerable Configuration:
  Configuration 1:
    cpe:/a:ibm:social_media_analytics:*:*:*:*:*:*:*:* (Version <= 1.3.0.0)
  Configuration 2 (any of):
    cpe:/a:ibm:financial_transaction_manager:2.0.0.0:*:*:*:*:*:*:*
    cpe:/a:ibm:financial_transaction_manager:2.0.0.1:*:*:*:*:*:*:*
    cpe:/a:ibm:financial_transaction_manager:2.0.0.2:*:*:*:*:*:*:*
    cpe:/a:ibm:financial_transaction_manager:2.0.0.3:*:*:*:*:*:*:*
    cpe:/a:ibm:financial_transaction_manager:2.1.0.0:*:*:*:*:*:*:*
    cpe:/a:ibm:financial_transaction_manager:2.1.0.1:*:*:*:*:*:*:*
    cpe:/a:ibm:financial_transaction_manager:2.1.0.2:*:*:*:*:*:*:*
    cpe:/a:ibm:financial_transaction_manager:2.1.1.0:*:*:*:*:*:*:*
    cpe:/a:ibm:financial_transaction_manager:2.1.1.1:*:*:*:*:*:*:*
    cpe:/a:ibm:financial_transaction_manager:3.0.0.0:*:*:*:*:*:*:*
    cpe:/a:ibm:financial_transaction_manager_for_check_services:2.1.1.8:*:*:*:*:*:*:*
    cpe:/a:ibm:financial_transaction_manager_for_corporate_payment_services:2.1.1.0:*:*:*:*:*:*:*
Affected products and versions (human-readable rendering of the CPE configurations above):
  IBM Social Media Analytics: all versions up to and including 1.3.0.0
  IBM Financial Transaction Manager: 2.0.0.0, 2.0.0.1, 2.0.0.2, 2.0.0.3, 2.1.0.0, 2.1.0.1, 2.1.0.2, 2.1.1.0, 2.1.1.1, 3.0.0.0
  IBM Financial Transaction Manager for Check Services: 2.1.1.8
  IBM Financial Transaction Manager for Corporate Payment Services: 2.1.1.0
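The CPE list only covers the products the record was assigned to; the Dojo Toolkit is bundled by many more IBM products (see the bulletin list above), so the practical check on a host is whether the four SWF files named in the summary are present under any deployed Dojo tree. The script below is an added example, not part of this record and not IBM or Dojo code: it walks a web root and reports any file whose path ends in one of the affected dojox/... paths. The file list is copied from the CVE summary; the alias names (upload.swf, fileupload.swf) are assumed to live in the same directory as the files they alias, and the sample directory tree is constructed in a temporary directory so the script runs offline. A hit means the vulnerable component is deployed; whether it is reachable over HTTP, and which product and fix level the host runs, still has to be checked against the relevant bulletin.

```python
"""Find the Dojo Toolkit SWF files named in CVE-2014-8917 under a deployed web root.

Added example: not part of the advisory and not IBM or Dojo code. The file list
is taken from the CVE summary (including the 'aka' names, assumed to sit in the
same directory); the sample tree is constructed in a temporary directory so the
script runs offline.
"""
import os
import tempfile
from pathlib import Path

# Paths relative to the Dojo root, as listed in the CVE summary.
AFFECTED_SWF = (
    "dojox/form/resources/uploader.swf",
    "dojox/form/resources/upload.swf",        # alias named in the summary (assumed location)
    "dojox/form/resources/fileuploader.swf",
    "dojox/form/resources/fileupload.swf",    # alias named in the summary (assumed location)
    "dojox/av/resources/audio.swf",
    "dojox/av/resources/video.swf",
)


def is_affected(rel_posix_path):
    """True if the path ends with one of the affected dojox/... paths.

    Matching on the suffix finds a Dojo tree nested anywhere under the root
    (e.g. static/js/dojo-1.9/dojox/form/resources/uploader.swf); the
    comparison is case-insensitive because the files may be served from a
    case-insensitive filesystem.
    """
    p = rel_posix_path.lower()
    return any(p == a or p.endswith("/" + a) for a in AFFECTED_SWF)


def find_affected_swf(root):
    """Walk root and return the sorted relative POSIX paths of affected SWF files."""
    root = Path(root)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".swf"):
                continue
            rel = Path(dirpath, name).relative_to(root).as_posix()
            if is_affected(rel):
                hits.append(rel)
    return sorted(hits)


def build_sample_tree(base):
    """Constructed sample tree: two affected SWFs, a .js file with an affected
    name (not a SWF, must not be reported) and an unrelated SWF."""
    for rel in (
        "static/dojo/dojox/form/resources/uploader.swf",
        "static/dojo/dojox/av/resources/video.swf",
        "static/dojo/dojox/form/resources/uploader.js",
        "static/other/player.swf",
    ):
        path = Path(base, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"FWS")  # placeholder bytes, not a real SWF


def demo():
    """Build the sample tree in a temp dir and return what the scan reports."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return find_affected_swf(tmp)


if __name__ == "__main__":
    for hit in demo():
        print("affected:", hit)
```

Run it against a real document root with `find_affected_swf("/var/www")` (or the product's installed web module directory) instead of `demo()`; because it matches on the path suffix it does not need to know where the product unpacked Dojo.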