Vulnerability Name:

CVE-2015-0109 (CCN-99606)

Assigned:2014-11-18
Published:2015-01-21
Updated:2017-09-08
Summary:Cross-site scripting (XSS) vulnerability in IBM Maximo Asset Management 7.1 through 7.1.1.8, and Maximo Asset Management 7.1 through 7.1.1.8 and 7.2 for Tivoli IT Asset Management for IT and certain other products, allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-0104, CVE-2015-0107, and CVE-2015-0108.
CVSS v3 Severity:2.6 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): Low
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availibility (A): None
CVSS v2 Severity:3.5 Low (CVSS v2 Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N)
3.0 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
3.5 Low (CCN CVSS v2 Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N)
3.0 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
Vulnerability Type:CWE-79
Vulnerability Consequences:Cross-Site Scripting
References:Source: MITRE
Type: CNA
CVE-2015-0109

Source: CONFIRM
Type: Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21694974

Source: CCN
Type: IBM Security Bulletin 1694974
Security Bulletin: Cross-Site Scripting (XSS) and Remote Code Execution Vulnerabilities Affecting Asset and Service Management (CVE-2015-0104, CVE-2015-0107, CVE-2015-0108, CVE-2015-0109)

Source: CCN
Type: BID-72708
Multiple IBM Products CVE-2015-0109 Unspecified Cross Site Scripting Vulnerability

Source: XF
Type: UNKNOWN
ibm-tsam-cve20150109-xss(99606)

Source: XF
Type: UNKNOWN
ibm-tsam-cve20150109-xss(99606)

Vulnerable Configuration:Configuration 1:
  • cpe:/a:ibm:change_and_configuration_management_database:7.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:change_and_configuration_management_database:7.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:maximo_asset_management:7.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:maximo_asset_management:7.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:maximo_asset_management:7.1.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:maximo_asset_management:7.1.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:maximo_asset_management:7.1.1.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:maximo_asset_management:7.1.1.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:maximo_asset_management:7.1.1.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:maximo_asset_management:7.1.1.8:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:maximo_asset_management_essentials:7.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:maximo_for_government:7.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:maximo_for_life_sciences:7.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:maximo_for_nuclear_power:7.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:maximo_for_oil_and_gas:7.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:maximo_for_transportation:7.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:maximo_for_utilities:7.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_asset_management_for_it:7.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_asset_management_for_it:7.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_service_request_manager:7.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_service_request_manager:7.2:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:ibm:maximo_asset_management:7.1:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:maximo_asset_management:7.1.1:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    ibm change and configuration management database 7.1
    ibm change and configuration management database 7.2
    ibm maximo asset management 7.1
    ibm maximo asset management 7.1.1
    ibm maximo asset management 7.1.1.1
    ibm maximo asset management 7.1.1.2
    ibm maximo asset management 7.1.1.5
    ibm maximo asset management 7.1.1.6
    ibm maximo asset management 7.1.1.7
    ibm maximo asset management 7.1.1.8
    ibm maximo asset management essentials 7.1
    ibm maximo for government 7.1
    ibm maximo for life sciences 7.1
    ibm maximo for nuclear power 7.1
    ibm maximo for oil and gas 7.1
    ibm maximo for transportation 7.1
    ibm maximo for utilities 7.1
    ibm tivoli asset management for it 7.1
    ibm tivoli asset management for it 7.2
    ibm tivoli service request manager 7.1
    ibm tivoli service request manager 7.2
    ibm maximo asset management 7.1
    ibm maximo asset management 7.1.1