Vulnerability CVE-2015-7451

Vulnerability Name:

CVE-2015-7451 (CCN-108219)

Assigned:

2015-12-11

Published:

2015-12-11

Updated:

2016-01-06

Summary:

Cross-site scripting (XSS) vulnerability in IBM Maximo Asset Management 7.5 before 7.5.0.9 IF2 and 7.6 before 7.6.0.3 FP3 and Maximo Asset Management 7.5 before 7.5.0.9 IF2, 7.5.1, and 7.6 before 7.6.0.3 FP3 for SmartCloud Control Desk allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.

CVSS v3 Severity:

5.4 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
5.2 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Attack Complexity (AC): Privileges Required (PR): User Interaction (UI):
Scope:	Scope (S):
Impact Metrics:	Confidentiality (C): Integrity (I): Availibility (A):

5.4 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
5.2 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Attack Complexity (AC): Privileges Required (PR): User Interaction (UI):
Scope:	Scope (S):
Impact Metrics:	Confidentiality (C): Integrity (I): Availibility (A):

CVSS v2 Severity:

3.5 Low (CVSS v2 Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

5.5 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): None

Vulnerability Type:

CWE-79

Vulnerability Consequences:

Cross-Site Scripting

References:

Source: MITRE
Type: CNA
CVE-2015-7451

Source: CONFIRM
Type: Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21972423

Source: CCN
Type: IBM Security Bulletin 1972423 (Maximo Asset Management )
IBM Maximo Asset Management is vulnerable to cross-site scripting, caused by improper validation of user-supplied input (CVE-2015-7451)

Source: XF
Type: UNKNOWN
ibm-maximo-cve20157451-xss(108219)

Vulnerable Configuration:

Configuration 1:

cpe:/a:ibm:maximo_asset_management:7.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:maximo_asset_management:7.6:*:*:*:*:*:*:*

OR cpe:/a:ibm:maximo_asset_management_essentials:7.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:maximo_for_government:7.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:maximo_for_life_sciences:7.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:maximo_for_life_sciences:7.6:*:*:*:*:*:*:*

OR cpe:/a:ibm:maximo_for_nuclear_power:7.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:maximo_for_oil_and_gas:7.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:maximo_for_transportation:7.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:maximo_for_utilities:7.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:smartcloud_control_desk:7.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:smartcloud_control_desk:7.6:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:ibm:maximo_asset_management:7.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:maximo_asset_management:7.6:*:*:*:*:*:*:*

Denotes that component is vulnerable

Vulnerability Name:

CVE-2015-7451 (CCN-112569)

Assigned:

2013-07-05

Published:

2013-07-05

Updated:

2016-01-06

Summary:

CVSS v3 Severity:

5.4 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
5.2 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Attack Complexity (AC): Privileges Required (PR): User Interaction (UI):
Scope:	Scope (S):
Impact Metrics:	Confidentiality (C): Integrity (I): Availibility (A):

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
5.1 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Attack Complexity (AC): Privileges Required (PR): User Interaction (UI):
Scope:	Scope (S):
Impact Metrics:	Confidentiality (C): Integrity (I): Availibility (A):

CVSS v2 Severity:

3.5 Low (CVSS v2 Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N)
3.0 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Type:

CWE-79

Vulnerability Consequences:

Cross-Site Scripting

References:

Source: MITRE
Type: CNA
CVE-2015-7451

Source: CCN
Type: Node.js Web site
Node.js

Source: CCN
Type: oss-sec Mailing List, Wed, 20 Apr 2016 17:16:24 -0400 (EDT)
various vulnerabilities in Node.js packages

Source: XF
Type: UNKNOWN
nodejs-cve20157451-filter-bypass(112569)

Source: CCN
Type: Node Security Web site
Multiple XSS Filter Bypasses

BACK