The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Vulnerability of IBM Eclipse Help System: Cross Site Scripting via iehs.war

Synthesis of the vulnerability

An attacker can use iehs.war to trigger a Cross Site Scripting in several IBM products, in order to execute JavaScript code in the context of the victim's web browser.
Severity of this alert: 2/4.
Number of vulnerabilities in this bulletin: 2.
Creation date: 11/06/2012.
Revisions dates: 17/12/2012, 20/12/2012, 06/05/2013.
References of this alert: BID-54051, CERTA-2012-AVI-391, CERTA-2012-AVI-521, CERTA-2012-AVI-742, CVE-2012-2159-ERROR, CVE-2012-2161, PM62795, swg21596690, swg21612193, swg21620352, swg27022958, swg27036319, VIGILANCE-VUL-11687.

Description of the vulnerability

Several IBM products use help files, which are displayed through the IBM Eclipse Help System viewer, provided by iehs.war.

However, an attacker can use iehs.war to trigger a Cross Site Scripting, in order to execute JavaScript code in the context of the victim's web browser.

This computer threat bulletin impacts software or systems such as DB2 UDB, SPSS Data Collection, Tivoli Storage Manager, WebSphere AS Traditional.

Our Vigil@nce team determined that the severity of this security threat is medium.

The trust level is "confirmed by the editor" (the vendor), with a document as origin.

This bulletin is about 2 vulnerabilities.

An attacker with an expert ability can exploit this computer vulnerability alert.

Solutions for this threat

IBM DB2 Information Center: patch for iehs.war.
A patch is available:
  http://www.ibm.com/support/docview.wss?uid=swg21624607

IBM SPSS Data Collection Developer Library Help System: IEHS version 3.4.3.
IBM Eclipse Help System version 3.4.3 is corrected:
  http://submit.boulder.ibm.com/infocenter/idwb/v3r8m4/index.jsp?topic=/com.ibm.iehs.home/doc/fixes.html

IBM Tivoli Storage Manager FastBack for Workstations Central Administration Console: version 6.3.1.0.
The version 6.3.1.0 is fixed.

WebSphere AS: APAR PM62795.
APAR PM62795 corrects this vulnerability.

WebSphere AS: version 8.0.0.4.
The version 8.0.0.4 is corrected:
  http://www.ibm.com/support/docview.wss?uid=swg24033190

WebSphere AS: version 8.5.0.1.
The version 8.5.0.1 is corrected:
  http://www.ibm.com/support/docview.wss?uid=swg24033606

Computer vulnerabilities tracking service

Vigil@nce provides computer vulnerability alerts. Each administrator can customize the list of products for which he wants to receive vulnerability alerts.