VYPR
Unrated severity · NVD Advisory · Published Mar 13, 2012 · Updated Apr 29, 2026

CVE-2011-1395

Description

Cross-site scripting (XSS) vulnerability in imicon.jsp in IBM Maximo Asset Management and Asset Management Essentials 6.2, 7.1, and 7.5 allows remote attackers to inject arbitrary web script or HTML via the controlid parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A reflected XSS vulnerability in IBM Maximo Asset Management imicon.jsp allows remote attackers to inject arbitrary web script or HTML via the controlid parameter.

Vulnerability

A cross-site scripting (XSS) vulnerability exists in the imicon.jsp page of IBM Maximo Asset Management and Asset Management Essentials. The controlid parameter is not properly sanitized before being reflected in the server response, allowing injection of arbitrary web script or HTML. Affected versions include Maximo Asset Management and Asset Management Essentials V6.2, V7.1, and V7.5 [1].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious URL containing a controlid parameter with embedded script code. The victim must be tricked into clicking the link (e.g., via email or another web page). No authentication is required, and the attacker does not need any special network position beyond the ability to deliver the link to the victim [1].

Impact

Successful exploitation leads to arbitrary JavaScript execution in the victim's browser within the security context of the affected Maximo application. This can result in session theft, application defacement, or redirection to malicious sites. The CVSS base score for CVE-2011-1395 is 4.3 (Medium) [1].

Mitigation

IBM addressed this vulnerability in a security bulletin released in 2012. Administrators should upgrade to the appropriate fix levels as specified in the IBM advisory for Maximo Asset Management V6.2, V7.1, and V7.5 [1]. No workarounds are documented in the available references.
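
As an added example (not from IBM's bulletin or this advisory's sources), the Python sketch below reviews web access logs for requests to imicon.jsp whose controlid value is not a plain identifier. It assumes combined-format logs and that legitimate control IDs contain only letters, digits, underscore and hyphen; the sample log lines and the /example/ path are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: legitimate controlid values are short plain identifiers.
SAFE_CONTROLID = re.compile(r"[A-Za-z0-9_-]{1,64}")
# Request line inside a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def suspicious_controlid(log_line):
    """Return decoded controlid values in log_line that are not plain identifiers."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    # Drop path parameters such as ";jsessionid=..." before matching the page name.
    path = url.path.split(";", 1)[0].lower()
    if not path.endswith("/imicon.jsp"):
        return []
    # parse_qs percent-decodes once, so a double-encoded value still contains "%"
    # and fails the allow-list instead of slipping through.
    values = parse_qs(url.query, keep_blank_values=True).get("controlid", [])
    return [v for v in values if not SAFE_CONTROLID.fullmatch(v)]

def scan(lines):
    """Return (client_ip, decoded_value) for every flagged controlid."""
    hits = []
    for line in lines:
        client = line.split(" ", 1)[0]
        hits.extend((client, value) for value in suspicious_controlid(line))
    return hits

# Constructed sample entries: addresses, paths and values are invented.
SAMPLE_LOG = [
    '192.0.2.10 - - [13/Mar/2012:10:00:01 +0000] '
    '"GET /example/imicon.jsp?controlid=mx123 HTTP/1.1" 200 512',
    '198.51.100.7 - - [13/Mar/2012:10:00:05 +0000] '
    '"GET /example/imicon.jsp?controlid=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 540',
    '203.0.113.5 - - [13/Mar/2012:10:00:09 +0000] '
    '"GET /example/imicon.jsp;jsessionid=abc?controlid=%2522%253E HTTP/1.1" 200 530',
    '192.0.2.10 - - [13/Mar/2012:10:00:12 +0000] '
    '"GET /example/other.jsp?controlid=%3Cb%3E HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for client, value in scan(SAMPLE_LOG):
        print(f"{client}\tcontrolid={value!r}")
```

The allow-list is the part to tune: compare it against the controlid values seen in normal traffic before alerting on it.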

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

8
  • IBM Maximo Asset Management (4 entries)
    • cpe:2.3:a:ibm:maximo_asset_management:6.2:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:maximo_asset_management:7.1:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:maximo_asset_management:7.5:*:*:*:*:*:*:*
    • (no CPE) range: 6.2, 7.1, 7.5
  • IBM Maximo Asset Management Essentials (4 entries)
    • cpe:2.3:a:ibm:maximo_asset_management_essentials:6.2:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:maximo_asset_management_essentials:7.1:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:maximo_asset_management_essentials:7.5:*:*:*:*:*:*:*
    • (no CPE) range: 6.2, 7.1, 7.5

Patches

0

No patches discovered yet.

References

5
