CVE-2009-1334
Description
Cross-site scripting (XSS) vulnerability in login/FilepathLogin.html in IBM Tivoli Continuous Data Protection (CDP) for Files 3.1.4.0 allows remote attackers to inject arbitrary web script or HTML via the reason parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A reflected XSS vulnerability in IBM Tivoli CDP for Files 3.1.4.0 allows remote attackers to inject arbitrary web script via the 'reason' parameter in login/FilepathLogin.html.
Vulnerability
A reflected cross-site scripting (XSS) vulnerability exists in the login/FilepathLogin.html component of IBM Tivoli Continuous Data Protection (CDP) for Files version 3.1.4.0. The reason parameter is not properly sanitized before being reflected back to the user, allowing injection of arbitrary HTML or JavaScript [1].
Exploitation
An attacker can exploit this vulnerability by crafting a malicious URL containing the XSS payload in the reason parameter. The target must be tricked into clicking the crafted link. No authentication or special network position is required; the attack is performed over HTTP against the vulnerable application [1].
Impact
Successful exploitation allows the attacker to execute arbitrary web script or HTML in the context of the victim's browser session. This can lead to session hijacking, defacement, or theft of sensitive information displayed on the page [1].
Mitigation
The available references do not specify a fixed version or official patch. The vendor may have provided a fix in a later release; users should consult IBM Tivoli CDP for Files update history. Until a patched version is applied, administrators should restrict access to the login interface or implement a web application firewall rule to filter the reason parameter [1].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:ibm:tivoli_continuous_data_protection_for_files:3.1.4.0:*:*:*:*:*:*:*
Patches
No patches discovered yet.
References
- securitytracker.com/id (nvd, Exploit)
- www.insight-tech.org/index.php (nvd, Exploit, URL Repurposed)
- www.osvdb.org/53651 (nvd, Exploit)
- www.securityfocus.com/bid/34513 (nvd, Exploit)
- secunia.com/advisories/34646 (nvd, Vendor Advisory)
- www.vupen.com/english/advisories/2009/1021 (nvd, Vendor Advisory)
- exchange.xforce.ibmcloud.com/vulnerabilities/49872 (nvd)