CVE-2014-0870
Description
Multiple cross-site scripting (XSS) vulnerabilities in RICOS in IBM Algo Credit Limits (aka ACLM) 4.5.0 through 4.7.0 before 4.7.0.03 FP5 in IBM Algorithmics allow remote attackers to inject arbitrary web script or HTML via (1) the Message parameter to rcore6/main/showerror.jsp, (2) the ButtonsetClass parameter to rcore6/main/buttonset.jsp, (3) the MBName parameter to rcore6/frameset.jsp, (4) the Init parameter to algopds/rcore6/main/browse.jsp, or the (5) Name, (6) StoreName, or (7) STYLESHEET parameter to algopds/rcore6/main/ibrowseheader.jsp.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Multiple XSS vulnerabilities in IBM Algo Credit Limits RICOS 4.5.0–4.7.0 allow remote attackers to inject arbitrary web script or HTML via several parameters.
Vulnerability
Multiple cross-site scripting (XSS) vulnerabilities exist in the RICOS component of IBM Algo Credit Limits (ACLM) versions 4.5.0 through 4.7.0 before 4.7.0.03 FP5. The flaws are located in several JSP pages where user-supplied input is not properly sanitized before being rendered. The affected parameters include the Message parameter in rcore6/main/showerror.jsp, the ButtonsetClass parameter in rcore6/main/buttonset.jsp, the MBName parameter in rcore6/frameset.jsp, the Init parameter in algopds/rcore6/main/browse.jsp, and the Name, StoreName, or STYLESHEET parameters in algopds/rcore6/main/ibrowseheader.jsp [1][2].
Exploitation
An unauthenticated remote attacker can exploit these vulnerabilities by crafting a malicious URL or form submission containing specially crafted JavaScript or HTML. No special user privileges are required beyond the ability to send HTTP requests to the affected web application. The attacker does not need to be authenticated, as the vulnerable endpoints are accessible without a valid session [1].
Impact
Successful exploitation allows the attacker to inject and execute arbitrary web script or HTML in the context of the victim's browser. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites, compromising the confidentiality and integrity of the web application's data [1][2].
Mitigation
IBM has released fix pack 4.7.0.03 FP5 to address these issues. Users should upgrade to this version or later as soon as possible. If immediate patching is not feasible, administrators should restrict network access to the RICOS web application to trusted users and networks as a temporary workaround [2]. No KEV listing was found for this CVE.
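A detection check for the endpoints named above, added here as an example and not part of the CVE record or of IBM's product: it scans access-log lines for the listed JSP paths and parameters and flags values that carry markup or script. The combined-log format, the `/algo/` context root and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# JSP pages and parameters named in the CVE description (paths relative to the RICOS web root).
WATCHED = {
    "rcore6/main/showerror.jsp": {"Message"},
    "rcore6/main/buttonset.jsp": {"ButtonsetClass"},
    "rcore6/frameset.jsp": {"MBName"},
    "algopds/rcore6/main/browse.jsp": {"Init"},
    "algopds/rcore6/main/ibrowseheader.jsp": {"Name", "StoreName", "STYLESHEET"},
}

# Coarse indicators of HTML/script in a parameter value: a tag opener, a javascript: URL
# or an on*= event handler. Deliberately broad; tune on real traffic to cut noise.
MARKUP = re.compile(r"<\s*/?\s*[a-z!]|javascript\s*:|on[a-z]+\s*=", re.IGNORECASE)

# Request line of a common/combined access-log entry (assumed log format).
LOG_LINE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines; the /algo/ context root is an assumption.
SAMPLE_LOG = [
    '10.0.0.5 - - [30/Jun/2014:10:01:02 +0000] "GET /algo/rcore6/main/showerror.jsp?Message=Session%20expired HTTP/1.1" 200 512',
    '10.0.0.9 - - [30/Jun/2014:10:01:07 +0000] "GET /algo/rcore6/main/showerror.jsp?Message=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 640',
    '10.0.0.9 - - [30/Jun/2014:10:01:09 +0000] "GET /algo/algopds/rcore6/main/ibrowseheader.jsp?Name=x&STYLESHEET=%3Cb%3Ebold HTTP/1.1" 200 300',
    '10.0.0.7 - - [30/Jun/2014:10:02:00 +0000] "GET /algo/rcore6/frameset.jsp?MBName=Limits HTTP/1.1" 200 1200',
]


def find_suspicious(log_lines):
    """Return (endpoint, parameter, decoded value) for every watched parameter carrying markup."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        path = parts.path.lstrip("/")
        # Suffix match so a deployment-specific context root in front of the path still matches.
        for endpoint, params in WATCHED.items():
            if not path.endswith(endpoint):
                continue
            for name, values in parse_qs(parts.query, keep_blank_values=True).items():
                if name not in params:
                    continue
                for value in values:
                    value = unquote_plus(value)  # second decode catches double-encoded values
                    if MARKUP.search(value):
                        hits.append((endpoint, name, value))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print("suspicious:", hit)
```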
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:ibm:algo_credit_limits:4.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:algo_credit_limits:4.7.0:*:*:*:*:*:*:*
- (no CPE) range: >=4.5.0, <4.7.0.03 FP5
- cpe:2.3:a:ibm:algorithmics:-:*:*:*:*:*:*:*
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20140630-0_IBM_Algorithmics_RICOS_multiple_vulnerabilities_v10.txt (nvd; Exploit)
- www-01.ibm.com/support/docview.wss (nvd; Vendor Advisory)
- packetstormsecurity.com/files/127304/IBM-Algorithmics-RICOS-Disclosure-XSS-CSRF.html (nvd)
- seclists.org/fulldisclosure/2014/Jun/173 (nvd)
- secunia.com/advisories/59296 (nvd)
- www.securityfocus.com/archive/1/532598/100/0/threaded (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/90944 (nvd)
News mentions
No linked articles in our index yet.