Unrated severity · NVD Advisory · Published Jun 24, 2022 · Updated Sep 16, 2024

CVE-2021-39047

Description

IBM Planning Analytics 2.0 and IBM Cognos Analytics 11.2.1, 11.2.0, and 11.1.7 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 214349.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IBM Planning Analytics and Cognos Analytics are vulnerable to stored cross-site scripting, allowing credential disclosure via crafted JavaScript in the Web UI.

Vulnerability

IBM Planning Analytics 2.0 and IBM Cognos Analytics versions 11.2.1, 11.2.0, and 11.1.7 are affected by a cross-site scripting (XSS) vulnerability. The flaw resides in the Web UI and allows users to embed arbitrary JavaScript code, which is then executed in the context of other users' sessions when they view the crafted content [1], [2].

Exploitation

An attacker with authenticated access to the affected product can inject malicious JavaScript code into the Web UI. The injected script will be executed in the browsers of other users who visit the same part of the application, typically requiring no additional user interaction from the victim beyond viewing the tainted page [1]. The vulnerability can be exploited remotely over the network, as indicated by the CVSS network vector [2].

Impact

Successful exploitation leads to the disclosure of credentials or other sensitive information within a trusted session. The execution of arbitrary JavaScript in the victim's browser can alter intended functionality, allow session hijacking, or redirect the user to malicious sites [1]. The CVSS score of 6.1 (Medium) reflects a low impact on confidentiality and integrity, with no direct impact on availability [2].

Mitigation

IBM has released a fix for IBM Planning Analytics Workspace 2.0.74 (available on 4 November 2021) and for IBM Cognos Analytics (versions 11.1.7 FP3, 11.2.0 FP2, and 11.2.1 FP2). Users should upgrade to the latest versions as detailed in the vendor's security bulletins [1], [2]. No workarounds have been provided for unpatched versions.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
