Vulnerability-Lookup

CNVD-2015-02500

Vulnerability from cnvd - Published: 2015-04-17

Title

IBM InfoSphere MDM Reference Data Management存在未明跨站脚本漏洞

Description

IBM InfoSphere MDM Reference Data Management提供跨不同业务领域在信息世界中无缝管理参考数据所必不可少的一系列功能，其中包括全面的程序编写和生命周期管理功能、版本控制模型、基于角色的安全性和访问控制。 IBM InfoSphere MDM Reference Data Management存在跨站脚本漏洞。远程攻击者利用漏洞构建恶意URI，诱使用户解析，可获得敏感Cookie，劫持会话或在客户端上进行恶意操作。

Severity

中

Patch Name

IBM InfoSphere MDM Reference Data Management存在未明跨站脚本漏洞的补丁

Patch Description

Formal description

目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载： http://www-01.ibm.com/support/docview.wss?uid=swg21698255

Reference

http://www-01.ibm.com/support/docview.wss?uid=swg21698255

Impacted products

Name
IBM InfoSphere MDM Reference Data Management Hub 11.4.0.0

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2015-1910"
    }
  },
  "description": "IBM InfoSphere MDM Reference Data Management\u63d0\u4f9b\u8de8\u4e0d\u540c\u4e1a\u52a1\u9886\u57df\u5728\u4fe1\u606f\u4e16\u754c\u4e2d\u65e0\u7f1d\u7ba1\u7406\u53c2\u8003\u6570\u636e\u6240\u5fc5\u4e0d\u53ef\u5c11\u7684\u4e00\u7cfb\u5217\u529f\u80fd\uff0c\u5176\u4e2d\u5305\u62ec\u5168\u9762\u7684\u7a0b\u5e8f \u7f16\u5199\u548c\u751f\u547d\u5468\u671f\u7ba1\u7406\u529f\u80fd\u3001\u7248\u672c\u63a7\u5236\u6a21\u578b\u3001\u57fa\u4e8e\u89d2\u8272\u7684\u5b89\u5168\u6027\u548c\u8bbf\u95ee\u63a7\u5236\u3002\r\n\r\nIBM InfoSphere MDM Reference Data Management\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u5229\u7528\u6f0f\u6d1e\u6784\u5efa\u6076\u610fURI\uff0c\u8bf1\u4f7f\u7528\u6237\u89e3\u6790\uff0c\u53ef\u83b7\u5f97\u654f\u611fCookie\uff0c\u52ab\u6301\u4f1a\u8bdd\u6216\u5728\u5ba2\u6237\u7aef\u4e0a\u8fdb\u884c\u6076\u610f\u64cd\u4f5c\u3002",
  "discovererName": "IBM",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u8fd9\u4e2a\u5b89\u5168\u95ee\u9898\uff0c\u8bf7\u5230\u5382\u5546\u7684\u4e3b\u9875\u4e0b\u8f7d\uff1a\r\nhttp://www-01.ibm.com/support/docview.wss?uid=swg21698255",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2015-02500",
  "openTime": "2015-04-17",
  "patchDescription": "IBM InfoSphere MDM Reference Data Management\u63d0\u4f9b\u8de8\u4e0d\u540c\u4e1a\u52a1\u9886\u57df\u5728\u4fe1\u606f\u4e16\u754c\u4e2d\u65e0\u7f1d\u7ba1\u7406\u53c2\u8003\u6570\u636e\u6240\u5fc5\u4e0d\u53ef\u5c11\u7684\u4e00\u7cfb\u5217\u529f\u80fd\uff0c\u5176\u4e2d\u5305\u62ec\u5168\u9762\u7684\u7a0b\u5e8f \u7f16\u5199\u548c\u751f\u547d\u5468\u671f\u7ba1\u7406\u529f\u80fd\u3001\u7248\u672c\u63a7\u5236\u6a21\u578b\u3001\u57fa\u4e8e\u89d2\u8272\u7684\u5b89\u5168\u6027\u548c\u8bbf\u95ee\u63a7\u5236\u3002\r\n\r\nIBM InfoSphere MDM Reference Data Management\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u5229\u7528\u6f0f\u6d1e\u6784\u5efa\u6076\u610fURI\uff0c\u8bf1\u4f7f\u7528\u6237\u89e3\u6790\uff0c\u53ef\u83b7\u5f97\u654f\u611fCookie\uff0c\u52ab\u6301\u4f1a\u8bdd\u6216\u5728\u5ba2\u6237\u7aef\u4e0a\u8fdb\u884c\u6076\u610f\u64cd\u4f5c\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "IBM InfoSphere MDM Reference Data Management\u5b58\u5728\u672a\u660e\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "IBM InfoSphere MDM Reference Data Management Hub 11.4.0.0"
  },
  "referenceLink": "http://www-01.ibm.com/support/docview.wss?uid=swg21698255",
  "serverity": "\u4e2d",
  "submitTime": "2015-04-16",
  "title": "IBM InfoSphere MDM Reference Data Management\u5b58\u5728\u672a\u660e\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e"
}

CVE-2015-1910 (GCVE-0-2015-1910)

Vulnerability from cvelistv5 – Published: 2015-05-25 00:00 – Updated: 2024-08-06 04:54

Summary

Cross-site scripting (XSS) vulnerability in the Reference Data Management component in the server in IBM InfoSphere Master Data Management (MDM) 10.1 before IF1, 11.0 before FP3, and 11.3 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.

Severity ?

No CVSS data available.

CWE

Assigner

ibm

References

URL

Tags

http://www-01.ibm.com/support/docview.wss?uid=swg…

x_refsource_CONFIRM

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T04:54:16.533Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21700741"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2015-04-09T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) vulnerability in the Reference Data Management component in the server in IBM InfoSphere Master Data Management (MDM) 10.1 before IF1, 11.0 before FP3, and 11.3 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2015-05-25T00:57:00",
        "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "shortName": "ibm"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21700741"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@us.ibm.com",
          "ID": "CVE-2015-1910",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site scripting (XSS) vulnerability in the Reference Data Management component in the server in IBM InfoSphere Master Data Management (MDM) 10.1 before IF1, 11.0 before FP3, and 11.3 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21700741",
              "refsource": "CONFIRM",
              "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21700741"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
    "assignerShortName": "ibm",
    "cveId": "CVE-2015-1910",
    "datePublished": "2015-05-25T00:00:00",
    "dateReserved": "2015-02-19T00:00:00",
    "dateUpdated": "2024-08-06T04:54:16.533Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2015-02500

CVE-2015-1910 (GCVE-0-2015-1910)

Tags

Sightings

Nomenclature