CVE-2011-1396
Description
Cross-site scripting (XSS) vulnerability in IBM Maximo Asset Management and Asset Management Essentials 6.2, 7.1, and 7.5 allows remote attackers to inject arbitrary web script or HTML via the reportType parameter to an unspecified component.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting vulnerability in IBM Maximo Asset Management allows remote attackers to inject arbitrary web script via the reportType parameter.
Vulnerability
A reflected cross-site scripting (XSS) vulnerability exists in IBM Maximo Asset Management and Asset Management Essentials versions 6.2, 7.1, and 7.5. The flaw resides in an unspecified component that processes the reportType parameter. An attacker can inject arbitrary web script or HTML into the parameter, which is then reflected back to the user without proper sanitization [1].
Exploitation
An attacker can exploit this vulnerability by crafting a malicious URL containing the reportType parameter with embedded script code. The victim must be tricked into clicking the crafted link, typically via phishing or social engineering. No authentication is required to trigger the reflection, but user interaction is necessary for the script to execute in the victim's browser [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, defacement of the application interface, or theft of sensitive information displayed on the page. The CVSS base score is 4.3 (Medium), indicating a moderate risk [1].
Mitigation
IBM has addressed this vulnerability in a security bulletin (APAR IV09190). Users should apply the recommended fixes by upgrading to the latest patched versions of Maximo Asset Management and Asset Management Essentials as specified in the bulletin. No workarounds are documented; upgrading is the only reliable mitigation [1].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
IBM Maximo Asset Management:
- cpe:2.3:a:ibm:maximo_asset_management:6.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:maximo_asset_management:7.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:maximo_asset_management:7.5:*:*:*:*:*:*:*
- (no CPE) version range: 6.2, 7.1, 7.5
IBM Maximo Asset Management Essentials:
- cpe:2.3:a:ibm:maximo_asset_management_essentials:6.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:maximo_asset_management_essentials:7.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:maximo_asset_management_essentials:7.5:*:*:*:*:*:*:*
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.