VYPR
Unrated severity · NVD Advisory · Published Jul 13, 2021 · Updated Sep 16, 2024

CVE-2021-20368

Description

IBM Cloud Pak for Applications 4.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 195357.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IBM Cloud Pak for Applications 4.3 is vulnerable to cross-site scripting, potentially allowing credential disclosure within a trusted session.

Vulnerability

IBM Cloud Pak for Applications version 4.3 contains a cross-site scripting (XSS) vulnerability in its Web UI. This flaw allows users with low privileges to embed arbitrary JavaScript code into the interface, which can be triggered when another user views the affected page. The vulnerability is present in all versions of IBM Cloud Pak for Applications prior to 4.3.1 [1].
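The flaw class described above is stored cross-site scripting: user-supplied text is written into the Web UI's markup without encoding, so it is interpreted as HTML when another user's browser renders the page. The following is an added illustration, not code from IBM Cloud Pak for Applications or from this advisory; the `renderProfile*` functions, the template and the sample input are constructed for the example. It places the vulnerable concatenation pattern beside its hardened form (contextual HTML encoding of the untrusted value) and includes a small check a reviewer or test can use to confirm that no tag beyond the template's own survives rendering.

```javascript
// Added example (not IBM's code): output encoding as the defence against stored XSS.
// Names, template and sample input are constructed for illustration.

// Escape the characters that change meaning in an HTML text or quoted-attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: user-controlled text concatenated straight into markup.
// Whatever the user stored is later interpreted as HTML by every viewer's browser.
function renderProfileUnsafe(displayName) {
  return `<div class="profile"><span class="name">${displayName}</span></div>`;
}

// Hardened pattern: the same template, with the untrusted value encoded for the
// HTML text context it lands in. Browsers display the text; they do not parse it.
function renderProfileSafe(displayName) {
  return `<div class="profile"><span class="name">${escapeHtml(displayName)}</span></div>`;
}

// Review/test helper: count opening and closing tags in rendered markup.
// The template itself contributes exactly four (<div>, <span>, </span>, </div>);
// anything above that came from the untrusted value.
function countRawTags(markup) {
  return (markup.match(/<[a-zA-Z/]/g) || []).length;
}

const TEMPLATE_TAG_COUNT = countRawTags(renderProfileUnsafe(''));

// Returns true when the rendered page contains only the template's own tags.
function rendersWithoutInjectedTags(renderFn, untrustedValue) {
  return countRawTags(renderFn(untrustedValue)) === TEMPLATE_TAG_COUNT;
}

// Constructed sample input: a stored value containing script markup.
const sampleInput = '<script>alert(1)</script>';
console.log('unsafe render keeps injected tags:', !rendersWithoutInjectedTags(renderProfileUnsafe, sampleInput));
console.log('safe render keeps only template tags:', rendersWithoutInjectedTags(renderProfileSafe, sampleInput));
console.log(renderProfileSafe(sampleInput));
```

The encoding must match the context the value is inserted into: the text-node encoder above is not sufficient for values placed inside a JavaScript block, a URL, or an unquoted attribute, each of which needs its own encoder. In a real UI the same check (`rendersWithoutInjectedTags`) can be run in the component test suite over a corpus of awkward inputs so that a regression back to the unsafe pattern fails the build.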

Exploitation

An attacker with low-privileged access to the Web UI can inject malicious JavaScript into input fields or other user-modifiable content. A victim user must then interact with the manipulated page (e.g., by viewing or clicking on it) for the script to execute. The CVSS vector (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) indicates network access, low complexity, low privileges required, and user interaction needed [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session, potentially leading to disclosure of sensitive information such as session credentials. This could compromise the integrity and confidentiality of the session, as the attacker may steal credentials or perform actions on behalf of the user. The vector rates the confidentiality and integrity impact as low (C:L/I:L) with no availability impact, and its scope change (S:C) indicates that the vulnerable component can affect resources beyond its own authorization scope [1].

Mitigation

IBM released Cloud Pak for Applications version 4.3.1 on 12 July 2021 to address this vulnerability. No workarounds or mitigations are provided; upgrading to the fixed version is the only remedy. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0. No patches discovered yet.

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0. No linked articles in our index yet.