Unrated severity · NVD Advisory · Published Jul 2, 2019 · Updated Sep 17, 2024

CVE-2019-4134

Description

IBM Planning Analytics 2.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality, potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 158281.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IBM Planning Analytics 2.0 contains a stored/reflected XSS allowing JavaScript injection in the Web UI, risking credential disclosure within trusted sessions.

Vulnerability

IBM Planning Analytics 2.0 (Local Release 43 and earlier) is vulnerable to cross-site scripting (XSS) in the Administration Web UI. The flaw allows a user to embed arbitrary JavaScript code into the interface, altering intended functionality. The vulnerability is identified as CVE-2019-4134 with a CVSS v3 base score of 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) [1].

Exploitation

An attacker must first have a valid user account in Planning Analytics, but no special privileges beyond that are required. The attacker crafts a URL or input containing malicious JavaScript and presents it to an authenticated victim. If the victim clicks or interacts with the crafted content, the embedded script executes within the context of the Web UI. The attack requires user interaction (e.g., clicking a link) and is exploitable over the network [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser within the trusted session of the Planning Analytics Web UI. This can lead to credential disclosure (e.g., session tokens, passwords) and unauthorized actions on behalf of the victim. The confidentiality and integrity of the session are partially compromised [1].

Mitigation

IBM Planning Analytics Local Release 43 (published June 2019) includes the fix for this vulnerability. IBM recommends applying the fix as soon as practical. No workarounds or mitigations were provided by the vendor [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
