CVE-2021-39024
Description
IBM Guardium Data Encryption (GDE) 4.0.0.0 and 5.0.0.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 213862.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
IBM Guardium Data Encryption (GDE) is vulnerable to stored cross-site scripting in the Web UI, allowing privileged users to inject arbitrary JavaScript.
Vulnerability
IBM Guardium Data Encryption (GDE) versions 4.0.0.0 and 5.0.0.0 (specifically the Guardium Data Encryption Server component, identified as CipherTrust Manager CM 2.6) contain a cross-site scripting (XSS) vulnerability in the Web UI. This allows an authenticated user to embed arbitrary JavaScript code into the interface, which is then executed in the context of other users' sessions [1]. The vulnerability is classified as stored/persistent XSS.
Exploitation
An attacker must have high-privilege (e.g., administrative) access to the Web UI. With that access, the attacker can inject malicious JavaScript through a vulnerable input field (such as configuration or naming fields). When another user (including lower-privileged users) views the affected page, the injected script executes in their browser within the trusted session of the application [1]. No additional user interaction is required beyond viewing the modified page.
Impact
Successful exploitation leads to execution of arbitrary JavaScript in the context of the victim's session. This can result in disclosure of sensitive information, including credentials, as the script can access cookies, session tokens, or other data visible to the application. The attack impacts confidentiality and integrity with low severity (CVSS 4.8) [1]. The attacker can potentially hijack authenticated sessions or elicit further actions as the victim user.
Mitigation
IBM recommends applying the fix available through the Thales customer portal (the product is now under Thales group). Customers must log in to the Thales portal to obtain the updated version. No workarounds are provided, and no KEV listing is known [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 4.0.0.0 and 5.0.0.0
- IBM / Guardium Data Encryption v5, Range: 4.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- exchange.xforce.ibmcloud.com/vulnerabilities/213862 (mitre, vdb-entry, x_refsource_XF)
- www.ibm.com/support/pages/node/6584143 (mitre, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.