IV82435: Cross-site scripting (XSS) issues

A cross-site scripting (XSS) attack occurs when an attacker uses a web application to inject malicious client-side script (arbitrary JavaScript) that is then delivered to, and executed in the browser of, an end user. Here's one example of many throughout the application:

  • Attack value: <img src='x' onerror='alert("7")'>

Steps to replicate:

  1. Log in to the application.
  2. Navigate to the "My Reports" tab.
  3. Click on the "New" button.
  4. Enter the attack value in the "Header (Title)" text box.
  5. Fill in the other required details and click on the "Save" button.
  6. Click on the "Run Report" button.

Again, this specific case is only the "My Reports" instance. We've replicated this issue in many locations throughout the entire site.

A cross-site scripting security vulnerability was resolved in the Report Manager (or My Reports).
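The root cause in a stored XSS of this kind is that a user-controlled field (here the report title) is concatenated into HTML without output encoding. The following is an added example, not TRIRIGA code or the fix IBM shipped: it shows the vulnerable rendering pattern beside the hardened one, using the attack value quoted above as input, plus a small triage helper for scanning already-stored titles after a fix is deployed. The function names, the `report-header` markup and the sample titles are assumptions constructed for the example.

```javascript
// Added example (not TRIRIGA code): HTML output encoding for a user-controlled
// report title, with a triage check for stored values. All names are assumed.

// The payload quoted in the post, used here only as test input.
const ATTACK_VALUE = "<img src='x' onerror='alert(\"7\")'>";

// Encode the characters that can break out of HTML text or attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable pattern: the title is concatenated straight into the report header,
// so markup in the title becomes live DOM when the report is run.
function renderHeaderUnsafe(title) {
  return `<h1 class="report-header">${title}</h1>`;
}

// Hardened pattern: encode at the point of output, for HTML text context.
// The title is still stored and displayed verbatim; it just cannot become markup.
function renderHeaderSafe(title) {
  return `<h1 class="report-header">${escapeHtml(title)}</h1>`;
}

// Defender-side check used to verify the two renderers: does the fragment still
// contain a tag carrying an inline event-handler attribute? (A heuristic, not a parser.)
function containsInlineHandler(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Triage helper: after deploying the fix, list stored titles that look like
// injection attempts so they can be reviewed. Plain angle brackets are not
// flagged, since "Lease <Expiry> Report" is a legitimate title once encoded.
function flagSuspiciousTitles(titles) {
  return titles.filter((t) => /<script|javascript:|\son[a-z]+\s*=/i.test(t));
}

// Constructed sample of stored report titles.
const sampleTitles = ["Q3 Occupancy Summary", ATTACK_VALUE, "Lease <Expiry> Report"];

console.log(renderHeaderUnsafe(ATTACK_VALUE)); // exploitable: handler attribute survives
console.log(renderHeaderSafe(ATTACK_VALUE));   // inert: rendered as literal text
console.log(flagSuspiciousTitles(sampleTitles));
```

Encoding must be applied in the rendering layer for every place the title is displayed, which is exactly why the post notes the same issue in many locations: a fix applied only to the "My Reports" form field would leave the other output points exposed.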
