VYPR
Unrated severity · NVD Advisory · Published Jun 6, 2019 · Updated Sep 17, 2024

CVE-2019-4217

Description

IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, and 1.0.2 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. IBM X-Force ID: 159226.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IBM Security Information Queue versions 1.0.0–1.0.2 are vulnerable to clickjacking, allowing a remote attacker to hijack user click actions via a malicious website.

Vulnerability

IBM Security Information Queue (ISIQ) versions 1.0.0, 1.0.1, and 1.0.2 are vulnerable to clickjacking. The web application fails to set proper X-Frame-Options headers or use frame-busting scripts, allowing an attacker to embed the ISIQ interface into a malicious frame or object. This affects all deployments of the affected versions, regardless of configuration [1].

Exploitation

An attacker must host a malicious website that embeds the legitimate ISIQ page in a transparent or hidden iframe and lure a victim into visiting that site (e.g., via phishing). The victim must be logged into ISIQ at the time. The attacker needs no credentials on ISIQ; only the crafted page is required. Deceptive UI elements overlaid on the hidden ISIQ frame then hijack the victim's clicks, potentially triggering actions the victim did not intend [1].

Impact

Successful exploitation lets the attacker hijack click actions the victim performs within the context of the ISIQ session. Depending on the application's functionality, this could lead to unintended data disclosure or changes (e.g., submitting forms, changing settings), with low confidentiality and integrity impact as reflected in the CVSS vector (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). The attacker gains no direct access but can trick the victim into performing actions on their behalf [1].

Mitigation

The vulnerability is fixed in IBM Security Information Queue version 1.0.3 and later. IBM recommends upgrading to the latest version from the Docker Hub repository ibmcorp/security_information_queue. There is no workaround listed for versions 1.0.0–1.0.2 other than upgrading. No known KEV listing exists [1].
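As an added defender-side example (not part of this advisory or of IBM's product code), the check below inspects an HTTP response's headers for the anti-framing controls the Vulnerability and Mitigation sections refer to, so a deployment can be verified after upgrading. The header sets are constructed for illustration, not captured from ISIQ.

```python
"""Check one HTTP response's headers for clickjacking (framing) protection."""
from typing import Dict, Tuple


def _header(headers: Dict[str, str], name: str) -> str:
    # Header names are case-insensitive; normalise on lookup.
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return ""


def frame_protection(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (protected, reason) for a single response's headers.

    Browsers that support CSP frame-ancestors prefer it over
    X-Frame-Options when both are present, so it is evaluated first.
    """
    csp = _header(headers, "Content-Security-Policy")
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.lower().strip("'") for s in parts[1:]]
            # An empty source list is treated conservatively as unprotected here.
            if sources and all(s not in ("*", "http:", "https:") for s in sources):
                return True, f"CSP frame-ancestors {' '.join(parts[1:])}"
            return False, "CSP frame-ancestors permits any origin"
    xfo = _header(headers, "X-Frame-Options").upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, f"X-Frame-Options {xfo}"
    if xfo.startswith("ALLOW-FROM"):
        return False, "X-Frame-Options ALLOW-FROM is ignored by current browsers"
    if xfo:
        return False, f"unrecognised X-Frame-Options value {xfo!r}"
    return False, "no X-Frame-Options or CSP frame-ancestors header"


# Constructed header sets illustrating the unpatched and patched states.
UNPATCHED = {"Content-Type": "text/html", "Set-Cookie": "JSESSIONID=abc; HttpOnly"}
PATCHED = {"content-type": "text/html", "x-frame-options": "SAMEORIGIN"}
CSP_ONLY = {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"}

if __name__ == "__main__":
    for label, hdrs in (("unpatched", UNPATCHED), ("patched", PATCHED), ("csp", CSP_ONLY)):
        print(label, frame_protection(hdrs))
```

This only sees response headers; a page that relies solely on frame-busting JavaScript will still report as unprotected, which is a reason to prefer the header-based controls.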

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
