IV82435: Cross-site scripting (XSS) issues


A cross-site scripting (XSS) attack occurs when an attacker uses a web application to deliver malicious code, in the form of a client-side script (arbitrary JavaScript), to another end user. In this case the script is stored in a report field and runs in the browser of whoever renders that report. Here’s one example of many throughout the application:

  • Attack value: <img src='x' onerror='alert("7")'>

Steps to replicate:

  • 1. Log in to the application.
  • 2. Navigate to the “My Reports” tab.
  • 3. Click on the “New” button.
  • 4. Apply the attack value in the “Header (Title)” text box.
  • 5. Fill the other required details and click on the “Save” button.
  • 6. Click on the “Run Report” button.

Again, this specific case applies only to “My Reports”. We’ve replicated this issue in many locations throughout the entire site.

A cross-site scripting security vulnerability was resolved in the Report Manager (or My Reports).
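As an added example (not TRIRIGA’s rendering code and not IBM’s fix), the JavaScript below shows why the attack value above executes when a stored title is interpolated straight into page markup, and how encoding the value for its HTML context neutralises it. The `<h1>` template, the function names and the extra payloads are assumptions constructed for illustration; only the first payload comes from the APAR text.

```javascript
// Added example: stored XSS via a report title, and the output-encoding fix.
// Illustrative only; the template and names below are assumptions, not TRIRIGA code.

// Payload from the APAR text (ASCII quotes; smart quotes would not execute).
const ATTACK_VALUE = `<img src='x' onerror='alert("7")'>`;

// Constructed variants a tester would also try in the same field.
const SAMPLE_PAYLOADS = [
  ATTACK_VALUE,
  `</h1><script>alert(1)</script><h1>`,        // break out of the wrapper element
  `<svg onload=alert(1)>`,                     // unquoted attribute, no quotes needed
  `"><iframe srcdoc="&lt;script&gt;alert(1)&lt;/script&gt;">`,
];

// Vulnerable: the stored title is concatenated into markup, so the browser
// parses the attacker's tag as part of the page and fires its onerror handler.
function renderHeaderVulnerable(title) {
  return `<h1 class="report-header">${title}</h1>`;
}

// HTML entity encoding for element content and quoted attribute values.
// Encodes exactly the characters that can change HTML structure.
function escapeHtml(value) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#x27;',
  };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened: same template, but the title is encoded for the context it
// lands in, so the browser displays the literal text instead of parsing it.
function renderHeaderSafe(title) {
  return `<h1 class="report-header">${escapeHtml(title)}</h1>`;
}

// Check used below: does the rendered markup contain any tag other than
// the known <h1> wrapper? Encoded output has no '<' left to match.
function hasInjectedTag(markup) {
  const tags = markup.match(/<[^>]+>/g) || [];
  return tags.some((t) => !/^<\/?h1\b/.test(t));
}

// Runs every payload through both renderers and reports whether the safe
// path neutralised all of them while the vulnerable path let them through.
function allNeutralized(payloads) {
  return payloads.every(
    (p) => hasInjectedTag(renderHeaderVulnerable(p)) && !hasInjectedTag(renderHeaderSafe(p)),
  );
}

console.log('vulnerable:', renderHeaderVulnerable(ATTACK_VALUE));
console.log('safe:      ', renderHeaderSafe(ATTACK_VALUE));
console.log('all payloads neutralised:', allNeutralized(SAMPLE_PAYLOADS));
```

In a browser the equivalent fix is to assign the stored value with `textContent` rather than `innerHTML`; on the server it is to run every user-controlled value through the templating engine’s context-aware escaping rather than string concatenation. Input filtering alone is not sufficient, since a single blocked pattern such as `<img` does not cover the other payload shapes above.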
