VYPR
Unrated severity · NVD Advisory · Published Jul 13, 2021 · Updated Sep 16, 2024

CVE-2021-20366

Description

IBM Cloud Pak for Applications 4.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 195037.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IBM Cloud Pak for Applications 4.3 is vulnerable to stored cross-site scripting, allowing authenticated users to inject arbitrary JavaScript, potentially leading to credential disclosure.

Vulnerability

IBM Cloud Pak for Applications version 4.3 is vulnerable to cross-site scripting (XSS) because user-supplied input is not properly neutralized before it is rendered in the Web UI. An attacker with low-privileged authenticated access can embed arbitrary JavaScript through the application's interface [1]. The vulnerability affects all deployments of IBM Cloud Pak for Applications v4.3 and is fixed in v4.3.1 [1].

Exploitation

An attacker must have a valid low-privileged user account on the IBM Cloud Pak for Applications instance. The attack vector is network-based (AV:N) and requires user interaction, because the injected script executes in another user's trusted session [1]. The attacker crafts a payload, submits it through the vulnerable input, and the script runs later when a victim (typically a user with higher privileges) views the page that renders the stored value. The advisory does not name the affected input field.

Impact

A successful exploit allows the attacker to execute arbitrary JavaScript in the victim's browser within the security context of the Web UI. This can lead to alteration of intended functionality, disclosure of credentials or session tokens, and unauthorized actions performed on behalf of the victim. The CVSS score of 5.4 (Medium) cited in [1] reflects a changed scope (the script runs in the victim's browser, outside the vulnerable component) combined with low confidentiality and integrity impact.

Mitigation

IBM released fix version 4.3.1, which remediates the vulnerability [1]. No workarounds or mitigations are provided. Apply the update to all affected deployments of IBM Cloud Pak for Applications v4.3. General XSS defence in depth (HttpOnly session cookies, a restrictive Content Security Policy) limits what an injected script can steal but does not remove the flaw and is no substitute for the update. This issue is not listed on the CISA Known Exploited Vulnerabilities catalog.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

References: 2
