CVE-2021-29852
Description
IBM Planning Analytics 2.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 205528.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
IBM Planning Analytics 2.0 contains a stored cross-site scripting vulnerability that lets authenticated attackers inject malicious scripts, potentially leading to credential theft.
Vulnerability
IBM Planning Analytics 2.0 is vulnerable to cross-site scripting (XSS) in the Web UI. The vulnerability allows users with low privileges to embed arbitrary JavaScript code into the interface. This affects IBM Planning Analytics Local v2.0 prior to Planning Analytics Workspace Release 67 [1]. The code path is reachable when an authenticated user submits crafted input that is not properly sanitized.
Exploitation
An attacker with low-privileged access to the Planning Analytics Workspace can inject malicious JavaScript into the Web UI. To trigger the exploit, a victim user must interact with the crafted content (e.g., click a link or view a page) [1]. The attacker does not require any special network position beyond being an authenticated user.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to disclosure of credentials or other sensitive information within the trusted session [1]. The scope of impact is limited to the victim's browser session and the data accessible to that user.
Mitigation
The vulnerability is fixed in IBM Planning Analytics Local v2.0 - Planning Analytics Workspace Release 67 [1]. Users should upgrade to this release or later. No workarounds are documented in the available reference. The CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 2.0
- Range: 2.0
Patches
No patches discovered yet.
References
- exchange.xforce.ibmcloud.com/vulnerabilities/205528 (mitre, vdb-entry, x_refsource_XF)
- www.ibm.com/support/pages/node/6480413 (mitre, x_refsource_CONFIRM)