IBM CICS TX information disclosure
Description
IBM CICS TX 11.1 does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers. IBM X-Force ID: 229452.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2022-34316 describes a reflected XSS vulnerability in IBM CICS TX caused by unprotected HTTP headers, affecting version 11.1 of both Standard and Advanced.
Vulnerability
IBM CICS TX version 11.1 (both Standard and Advanced) fails to neutralize, or incorrectly neutralizes, web scripting syntax in HTTP headers that can be processed by web browser components [1][2]. This is a reflected cross-site scripting (XSS) issue in the HTTP response header handling [1][2].
Exploitation
An attacker can craft a malicious link or script payload that, when visited by a user via a web browser, results in the execution of JavaScript within the user's session [1][2]. The attacker does not require authentication, but the attack requires user interaction (clicking a crafted link or visiting a malicious page) [1][2]. The attack vector is network-based with a CVSS vector of AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N [1][2].
Impact
Successful exploitation leads to limited information disclosure (confidentiality impact: Low) as the attacker can read browser-accessible data, such as session tokens or cookies, within the targeted user's session [1][2]. There is no integrity or availability impact per the CVSS score [1][2]. The scope remains unchanged (S:U), meaning the attacker cannot pivot to other resources [1][2].
Mitigation
IBM released fixes for both affected products on 31 October 2022 [1][2]. For IBM CICS TX Standard version 11.1, a download fix is available for defect 127920 [2]; for IBM CICS TX Advanced version 11.1, a download fix is available for the same defect [1]. No workarounds or mitigations were provided [1][2].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2
Patches
0 (no patches discovered yet)
References
- www.ibm.com/support/pages/node/6833176 (mitre, vendor-advisory)
- www.ibm.com/support/pages/node/6833178 (mitre, vendor-advisory)
- exchange.xforce.ibmcloud.com/vulnerabilities/229452 (mitre, vdb-entry)