CVE-2019-4120
Description
IBM Cloud Private 3.1.1 and 3.1.2 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 158146.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
IBM Cloud Private 3.1.1 and 3.1.2 contain a reflected cross-site scripting vulnerability that could allow credential disclosure via arbitrary JavaScript injection.
Vulnerability
IBM Cloud Private versions 3.1.1 and 3.1.2 are vulnerable to reflected cross-site scripting (XSS). The vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI, altering intended functionality. Affected components include platform-ui, auth-idp, and icp-management-ingress. Earlier versions 2.1.x and 3.1.0 are also listed as affected in the advisory [1].
Exploitation
An attacker with low-privilege authenticated access can craft a malicious link containing JavaScript. If a victim user clicks the link within a trusted session, the injected script executes in the context of the victim's browser. The attack vector is network-based (AV:N) with low attack complexity and requires user interaction [1].
Impact
Successful exploitation leads to potential credentials disclosure within the trusted session. The CVSS v3.0 score is 5.4 (medium), with impacts to confidentiality and integrity (C:L/I:L). The scope is changed (S:C), meaning the script can affect resources beyond the original vulnerable component [1].
Mitigation
For IBM Cloud Private 3.1.2 and 3.1.1, apply the patches for platform-ui, auth-idp, and icp-management-ingress as detailed in the security bulletin [1]. For versions 2.1.x and 3.1.0, IBM recommends upgrading to version 3.2 [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 3.1.1 - 3.1.2
- IBM / Cloud Private, Range: 3.1.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www.ibm.com/support/docview.wss (mitre, x_refsource_CONFIRM)
- exchange.xforce.ibmcloud.com/vulnerabilities/158146 (mitre, vdb-entry, x_refsource_XF)
News mentions
No linked articles in our index yet.