IBM Tivoli Access Manager For E-Business Cross-Site Scripting Vulnerabilities
11 Feb. 2015
Cross-site scripting (XSS) vulnerability in the Local Management Interface in IBM Security Access Manager for Web 7.x before 7.0.0-ISS-WGA-IF0009 and 8.x before 8.0.0-ISS-WGA-FP0005, and Security Access Manager for Mobile 8.x before 8.0.0-ISS-ISAM-FP0005, allows remote attackers to inject arbitrary web script or HTML via a crafted URL.
Vulnerable:
* IBM Security Access Manager for Web before 8.0.0-ISS-WGA-FP0005
* Security Access Manager for Mobile 8.x before 8.0.0-ISS-ISAM-FP0005
Not vulnerable:
* IBM Security Access Manager for Web after 8.0.0-ISS-WGA-FP0005
* Security Access Manager for Mobile after 8.0.0-ISS-ISAM-FP0005
IBM Security Access Manager is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
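The following triage helper is an added example, not an IBM tool or part of this advisory: it parses installed fix-level strings of the form used above and reports whether each falls below the fixed level the advisory names. It assumes that levels read `<major>.<minor>.<patch>-ISS-<component>-<FP|IF><nnnn>`, that the trailing number orders levels of the same type within one major line, and that a line or fix type the advisory does not mention cannot be decided from this text alone.

```python
import re
from typing import Dict, Optional

# Assumed format of an installed level, e.g. "8.0.0-ISS-WGA-FP0005":
# major.minor.patch, the ISS product prefix, a component code
# (WGA = Access Manager for Web, ISAM = Access Manager for Mobile),
# and a fix type (FP = fix pack, IF = interim fix) with a number.
LEVEL_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)"
    r"-ISS-(?P<component>[A-Z]+)-(?P<kind>FP|IF)(?P<num>\d+)$"
)

# Minimum fixed level per (component, major line), taken from the advisory.
FIXED_LEVELS = {
    ("WGA", 7): ("IF", 9),   # Access Manager for Web 7.x: 7.0.0-ISS-WGA-IF0009
    ("WGA", 8): ("FP", 5),   # Access Manager for Web 8.x: 8.0.0-ISS-WGA-FP0005
    ("ISAM", 8): ("FP", 5),  # Access Manager for Mobile 8.x: 8.0.0-ISS-ISAM-FP0005
}


def parse_level(level: str) -> dict:
    """Split a fix-level string into its comparable parts."""
    m = LEVEL_RE.match(level.strip())
    if not m:
        raise ValueError(f"unrecognised fix level: {level!r}")
    d = m.groupdict()
    return {"major": int(d["major"]), "component": d["component"],
            "kind": d["kind"], "num": int(d["num"])}


def is_vulnerable(level: str) -> Optional[bool]:
    """True if below the advisory's fixed level, False if at or above it,
    None if the advisory does not cover this component, major line or fix type."""
    p = parse_level(level)
    fixed = FIXED_LEVELS.get((p["component"], p["major"]))
    if fixed is None:
        return None
    kind, num = fixed
    if p["kind"] != kind:
        # An IF level cannot be ordered against an FP threshold from this text alone.
        return None
    return p["num"] < num


def triage(levels) -> Dict[str, str]:
    """Map each inventory entry to 'vulnerable', 'fixed', 'undetermined' or 'unparsed'."""
    result = {}
    for lvl in levels:
        try:
            v = is_vulnerable(lvl)
        except ValueError:
            result[lvl] = "unparsed"
            continue
        result[lvl] = "undetermined" if v is None else ("vulnerable" if v else "fixed")
    return result
```

Constructed inventory entries (for example `["8.0.0-ISS-WGA-FP0004", "7.0.0-ISS-WGA-IF0009"]`) can be passed to `triage` to produce a per-host status list.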