VYPR
Severity: Unrated · NVD Advisory · Published Apr 8, 2020 · Updated Sep 16, 2024

CVE-2020-4289

Description

IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, and 1.0.5 could allow a remote attacker to obtain sensitive information, caused by the failure to set the HTTPOnly flag. A remote attacker could exploit this vulnerability to obtain sensitive information from the cookie. IBM X-Force ID: 176332.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IBM ISIQ 1.0.0–1.0.5 fails to set the HttpOnly flag on session cookies, allowing a remote attacker to steal cookie data via client-side scripts.

Vulnerability

IBM Security Information Queue (ISIQ) versions 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, and 1.0.5 do not set the HttpOnly flag on session cookies [1]. The HttpOnly attribute instructs the browser to withhold a cookie from client-side script (for example, reads of document.cookie), so its absence leaves the session cookie readable by any script running in the page. The vulnerability exists across all listed versions and is addressed in version 1.0.6 [1].

Exploitation

An attacker with the ability to execute a cross-site scripting (XSS) or other client-side script in the context of the victim's session could read the session cookie [1]. No authentication or special network position is required beyond the ability to inject script into a page served by ISIQ. The attack does not require user interaction beyond the user loading the malicious content.

Impact

Successful exploitation allows the attacker to obtain sensitive information from the session cookie [1]. The impact is limited to information disclosure (confidentiality) with a low confidentiality impact per the CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) [1]. The attacker does not gain direct write or execution privileges.

Mitigation

IBM released ISIQ version 1.0.6 which sets the HttpOnly flag on session cookies [1]. All prior versions (1.0.0 through 1.0.5) are vulnerable. No workarounds are provided [1]. The advisory was published on 06 April 2020 [1]. There is no indication this CVE is listed on the CISA KEV.
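The weakness described in the Vulnerability section and the fix described above come down to one response header attribute. The following is an added example, not IBM's code and not taken from ISIQ: a small Set-Cookie auditor that reports which hardening attributes (HttpOnly, plus Secure and SameSite, which the same review normally covers) are missing, and a helper that emits the corrected header. The cookie names, values and the sample HTTP response are constructed for illustration.

```python
"""Audit Set-Cookie headers for missing HttpOnly/Secure/SameSite attributes.

Constructed example for the weakness class of CVE-2020-4289 (session cookie
issued without HttpOnly). Not IBM's code; all cookie names, values and the
sample response below are made up.
"""
from typing import Dict, List, Tuple, Union

AttrValue = Union[str, bool]

# Attributes this audit considers part of a hardened session cookie.
HARDENING_ATTRS = ("HttpOnly", "Secure", "SameSite")


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, AttrValue]]:
    """Split one Set-Cookie header value into (name, value, attributes).

    Attribute names are case-insensitive (RFC 6265), so keys are lower-cased.
    Value-less attributes such as HttpOnly and Secure are stored as True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, sep, value = parts[0].partition("=")
    name = name.strip()
    if not sep or not name:
        raise ValueError(f"malformed Set-Cookie header: {header!r}")
    attrs: Dict[str, AttrValue] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name, value.strip(), attrs


def audit_set_cookie(header: str) -> List[str]:
    """Return the hardening attributes missing from a Set-Cookie header.

    A missing HttpOnly is exactly the CVE-2020-4289 finding; Secure and
    SameSite are reported alongside it. An explicit SameSite of any value
    (including None, which is a deliberate cross-site choice) is accepted.
    """
    _, _, attrs = parse_set_cookie(header)
    missing = []
    if attrs.get("httponly") is not True:
        missing.append("HttpOnly")
    if attrs.get("secure") is not True:
        missing.append("Secure")
    if "samesite" not in attrs:
        missing.append("SameSite")
    return missing


def harden_set_cookie(header: str, samesite: str = "Lax") -> str:
    """Rebuild the header with every missing hardening attribute appended.

    Existing attributes are kept verbatim (including their original casing);
    only what audit_set_cookie reports as missing is added.
    """
    missing = audit_set_cookie(header)
    additions = [f"SameSite={samesite}" if m == "SameSite" else m for m in missing]
    parts = [p.strip() for p in header.split(";") if p.strip()]
    return "; ".join(parts + additions)


def audit_response(raw_headers: str) -> Dict[str, List[str]]:
    """Audit every Set-Cookie line in a raw HTTP response header block.

    Returns {cookie_name: [missing attributes]} so a scanner or CI check can
    fail on any session cookie whose list is non-empty.
    """
    report: Dict[str, List[str]] = {}
    for line in raw_headers.splitlines():
        field, sep, val = line.partition(":")
        if sep and field.strip().lower() == "set-cookie":
            val = val.strip()
            name = parse_set_cookie(val)[0]
            report[name] = audit_set_cookie(val)
    return report


# Constructed sample response illustrating the weakness class; not captured
# from ISIQ. The first cookie lacks HttpOnly and SameSite, the second is fine.
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: JSESSIONID=0000SESSIONIDSAMPLE; Path=/; Secure
Set-Cookie: ui_lang=en; Path=/; Max-Age=31536000; HttpOnly; Secure; SameSite=Lax
"""

if __name__ == "__main__":
    for cookie, missing in audit_response(SAMPLE_RESPONSE).items():
        status = "OK" if not missing else "missing " + ", ".join(missing)
        print(f"{cookie}: {status}")
    print(harden_set_cookie("JSESSIONID=0000SESSIONIDSAMPLE; Path=/"))
```

The auditor is deliberately tolerant of attribute casing (`httponly`, `HttpOnly` and `HTTPONLY` are the same attribute to a browser) so that a check built on it does not pass or fail on cosmetic differences. Running it against a captured login response for an affected product would list `HttpOnly` under the session cookie; against 1.0.6 it should not.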

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 2
