CVE-2021-20477
Description
IBM Planning Analytics 2.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 196949.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
IBM Planning Analytics 2.0 is vulnerable to stored cross-site scripting, allowing authenticated users to inject arbitrary JavaScript that can steal credentials in a trusted session.
Vulnerability
IBM Planning Analytics 2.0 is vulnerable to cross-site scripting (XSS) in the Web UI. An authenticated user can embed arbitrary JavaScript code, which is then executed in the context of other users' sessions. This affects IBM Planning Analytics 2.0 according to the advisory [1]. The vulnerability is tracked as CVE-2021-20477 with a CVSS score of 5.4 (Medium).
Exploitation
An attacker must have a valid user account with at least low privileges to inject the malicious script. The attacker embeds JavaScript in a field or input that is later rendered in the Web UI without proper sanitization. When another user views the affected page, the script executes in their browser within the trusted session.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to disclosure of sensitive information, including credentials, by capturing form submissions or session tokens. The impact is limited to the scope of the victim's privileges and the functionality of the Planning Analytics Workspace.
Mitigation
IBM has addressed this vulnerability in IBM Planning Analytics Local v2.0 - Planning Analytics Workspace Release 65 [1]. Users should upgrade to this or a later release. No workarounds are provided in the advisory. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 2.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- exchange.xforce.ibmcloud.com/vulnerabilities/196949 (vdb-entry, x_refsource_XF)
- www.ibm.com/support/pages/node/6462331 (x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.