CVE-2011-0486
Description
Cross-site scripting (XSS) vulnerability in cognos.cgi in IBM Cognos 8 Business Intelligence (BI) 8.4.1 before FP1 allows remote attackers to inject arbitrary web script or HTML via the pathinfo parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
IBM Cognos 8 BI 8.4.1 before FP1 is vulnerable to reflected XSS in cognos.cgi via the pathinfo parameter, enabling arbitrary script injection.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in cognos.cgi, part of IBM Cognos 8 Business Intelligence (BI) version 8.4.1 prior to Fix Pack 1 (FP1). The flaw resides in the handling of the pathinfo parameter, which is echoed back without proper sanitization, allowing injection of arbitrary HTML and JavaScript. Affected versions are all releases of IBM Cognos 8 BI 8.4.1 before the application of FP1 [1].
Exploitation
Exploitation does not require authentication as cognos.cgi is publicly accessible. An attacker can craft a malicious URL containing the pathinfo parameter with embedded script code and trick a victim into clicking it (e.g., via email or a phishing link). No special network position or user interaction beyond clicking the link is needed. The reflected XSS executes in the context of the victim's session with the application.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser within the security context of the IBM Cognos 8 BI domain. This leads to potential session hijacking, defacement, or theft of sensitive data displayed by the application. The attacker gains the same access privileges as the targeted user.
Mitigation
IBM released Fix Pack 1 (FP1) for Cognos 8 BI 8.4.1, which addresses this vulnerability [1]. All users should upgrade to 8.4.1 FP1 or later. No workarounds are documented. This CVE is not listed on the Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
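The narrative above describes the general shape of a reflected XSS: a request parameter (here pathinfo) is echoed into the response without output encoding. The following added example, written for this page and not taken from IBM's cognos.cgi or from any Cognos fix, shows the vulnerable echo pattern beside its escaped counterpart, and a small log-review function that flags cognos.cgi requests whose pathinfo value carries HTML metacharacters. The CGI handler, the log format and the log lines are all constructed for illustration; the detection heuristic is a generic class-level check, not a description of the FP1 patch.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit


# Hypothetical stand-in for a CGI handler that reflects its ``pathinfo``
# parameter into the page. Added example code, not IBM's cognos.cgi.
def render_unsafe(pathinfo: str) -> str:
    """Vulnerable pattern: the parameter is echoed into HTML verbatim."""
    return f"<p>Requested path: {pathinfo}</p>"


def render_hardened(pathinfo: str) -> str:
    """Fixed pattern: HTML-escape the value for the element-text context it lands in."""
    return f"<p>Requested path: {html.escape(pathinfo, quote=True)}</p>"


_REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def suspicious_pathinfo(value: str) -> bool:
    """Detection heuristic: a path value should never contain HTML metacharacters.
    Decode twice so a double-encoded value is not missed."""
    decoded = unquote(unquote(value))
    return any(ch in decoded for ch in '<>"\'')


def flag_requests(log_lines):
    """Return the client IPs whose cognos.cgi request carried a suspicious pathinfo."""
    flagged = []
    for line in log_lines:
        m = _REQUEST_LINE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group(1))
        if not parts.path.endswith("/cognos.cgi"):
            continue  # only the endpoint named by the advisory is of interest
        params = parse_qs(parts.query, keep_blank_values=True)
        for value in params.get("pathinfo", []):
            if suspicious_pathinfo(value):
                flagged.append(line.split(" ", 1)[0])
                break
    return flagged


# Constructed access-log lines in common log format (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [23/May/2026:10:00:01 +0000] "GET /cgi-bin/cognos.cgi?pathinfo=/reports/q1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [23/May/2026:10:00:02 +0000] "GET /cgi-bin/cognos.cgi?pathinfo=%3Cb%3Ehi%3C%2Fb%3E HTTP/1.1" 200 530',
    '10.0.0.7 - - [23/May/2026:10:00:03 +0000] "GET /cgi-bin/other.cgi?pathinfo=%3Cb%3E HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    print(render_unsafe("<b>x</b>"))    # markup survives into the page
    print(render_hardened("<b>x</b>"))  # markup is rendered as text
    print(flag_requests(SAMPLE_LOG))    # ['10.0.0.9']
```

The escaping in render_hardened is correct only for the element-text context shown; a value reflected into an attribute, a URL or a script block needs the encoding for that context. The log check is a triage aid for spotting probing against an unpatched 8.4.1 install, not a substitute for applying FP1.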
Affected products
- cpe:2.3:a:ibm:cognos_8_business_intelligence:8.4.1:*:*:*:*:*:*:*
- (no CPE) range: < 8.4.1 FP1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.