Thursday, 29 June 2017
On 01:26 by admin in vulns
A vulnerability has been found in IBM WebSphere Portal 8.5/9.0 and classified as problematic. Affected by this vulnerability is an unknown function. Manipulation of an unknown input leads to a cross-site scripting vulnerability. The CWE definition for the vulnerability is CWE-80. As an impact it is known to affect integrity. An attacker might be able to inject arbitrary HTML and script code into the web site. This would alter the appearance of the site and would make it possible to initiate further attacks against site visitors.
The weakness was released 06/28/2017 as swg22004348 as a confirmed security bulletin (Website). The advisory is shared for download at www-01.ibm.com. This vulnerability is known as CVE-2017-1217. The attack can be launched remotely. Exploitation does not require any form of authentication. Neither technical details nor an exploit are publicly available. The price for an exploit might be around USD $5k-$25k at the moment (estimation calculated on 06/29/2017).
Applying a patch eliminates this problem. A possible mitigation was published immediately after the disclosure of the vulnerability.
The vulnerability is also documented in the vulnerability database at SecurityTracker (ID 1038797).
CVSSv3
VulDB Base Score: 5.3
VulDB Temp Score: 5.1
VulDB Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:X/RL:O/RC:C
VulDB Reliability: High
Vendor Base Score (IBM): 6.1
Vendor Vector (IBM): CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:X/RL:X/RC:X
CVSSv2
VulDB Temp Score: 3.7 (CVSS2#E:ND/RL:OF/RC:C)
VulDB Reliability: High
CPE
- cpe:/a:ibm:websphere_portal:8.5
- cpe:/a:ibm:websphere_portal:9.0
Exploiting
Class: Cross site scripting (CWE-80)
Local: No
Remote: Yes
Availability: No
Price Prediction: steady
Current Price Estimation: USD $5k-$25k (as estimated above, 06/29/2017)
Countermeasures
Recommended: Patch
Status: Official fix
Reaction Time: 0 days since reported
0-Day Time: 0 days since found
Exposure Time: 0 days since known
Timeline
06/28/2017 Advisory disclosed
06/28/2017 +0 days Countermeasure disclosed
06/28/2017 +0 days SecurityTracker entry created
06/29/2017 +1 days VulDB entry created
06/29/2017 +0 days VulDB last update
Sources
Advisory: swg22004348
Status: Confirmed
CVE: CVE-2017-1217 (mitre.org) (nvd.nist.org) (cvedetails.com)