IBM CICS TX cross-site scripting
Description
IBM CICS TX 11.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 229451.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
IBM CICS TX Advanced and Standard 11.1 are vulnerable to stored cross-site scripting (XSS) in the Web UI, potentially allowing attackers to obtain credentials within a trusted session.
Vulnerability
IBM CICS TX Advanced and Standard version 11.1 contain a cross-site scripting (XSS) vulnerability in the Web UI. This vulnerability allows users to embed arbitrary JavaScript code, which can alter the intended functionality of the Web UI. The issue affects IBM CICS TX Advanced 11.1 and all versions of IBM CICS TX Standard (v11.1) as noted in the advisory [1], [2].
Exploitation
An attacker requires low-privileged access to the Web UI and must convince a user to interact with a crafted link or content. The attack vector is network-based, requires low complexity, and necessitates user interaction. The attacker can inject malicious script into the web interface, which then executes in the context of the victim's session [1], [2].
Impact
Successful exploitation could lead to credential disclosure within a trusted session. The CVSS vector (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) indicates a medium severity (base score 5.4) with scope change, limited to low confidentiality and integrity impact, and no availability impact [1], [2].
Mitigation
IBM released interim fixes for both products as of 31 October 2022. Remediation is available for IBM CICS TX Advanced and Standard via defect 127919. IBM states that no workarounds or mitigations are available; applying the fix is required [1], [2].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2
Patches
0
No patches discovered yet.
References
3
- www.ibm.com/support/pages/node/6833172 (mitre, vendor-advisory)
- www.ibm.com/support/pages/node/6833174 (mitre, vendor-advisory)
- exchange.xforce.ibmcloud.com/vulnerabilities/229451 (mitre, vdb-entry)