CVE-2016-5974
Description
Cross-site scripting (XSS) vulnerability in the Web UI in IBM Security Privileged Identity Manager (ISPIM) Virtual Appliance 2.x before 2.0.2 FP8 allows remote authenticated users to inject arbitrary web script or HTML via an embedded string.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
IBM Security Privileged Identity Manager Virtual Appliance 2.x before 2.0.2 FP8 contains a stored XSS vulnerability in the Web UI allowing authenticated users to inject arbitrary JavaScript.
Vulnerability
The vulnerability is a cross-site scripting (XSS) flaw in the Web UI of IBM Security Privileged Identity Manager (ISPIM) Virtual Appliance versions 2.x prior to 2.0.2 Fix Pack 8. An authenticated user can inject arbitrary web script or HTML via an embedded string, which is then rendered in the Web UI. The issue is tracked as CVE-2016-5974 with a CVSS v3 base score of 5.4 (Medium) [1].
Exploitation
An attacker must have valid authentication to the ISPIM Virtual Appliance. The attacker crafts a malicious string containing JavaScript or HTML and embeds it in a field that is later displayed in the Web UI. When other authenticated users view the affected page, the injected script executes in their browser within the security context of the application. No additional user interaction beyond viewing the page is required for the victim [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser, potentially leading to disclosure of sensitive session information, such as credentials or tokens, within the trusted session. The rated impact is low for both confidentiality and integrity, with a changed scope, as is typical for cross-site scripting [1].
Mitigation
IBM released Fix Pack 8 (2.0.2 FP8) to address this vulnerability. Users should upgrade to version 2.0.2 FP8 or later. No workarounds are documented in the available reference. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date [1].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <2.0.2 FP8
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] www-01.ibm.com/support/docview.wss (Vendor Advisory; tagged Patch; via NVD)
News mentions
No linked articles in our index yet.