Security: IBM TRIRIGA Application Platform vulnerabilities & fixes


[Updated 03.29.17]

For convenience, here are the some recent CVE IDs.

CVE ID Summary APAR
CVE-2016-9737 The IBM TRIRIGA Application Platform is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
CVE-2017-1153 The IBM TRIRIGA Report Manager contains a vulnerability that could allow authenticated users to execute actions to which they do not have access.
CVE-2017-1171 The IBM TRIRIGA Application Platform contains a vulnerability that could allow authenticated users to execute application actions to which they do not have access.
CVE-2017-1180 The IBM TRIRIGA Document Manager contains a vulnerability that could allow authenticated users to execute actions to which they do not have access.

[Admin: This post is related to the 05.17.16 post and the 04.04.16 post about vulnerabilities and fixes. To see other related posts, use the Vulnerability tag.]

Continue reading

Security: IBM TRIRIGA Application Platform vulnerabilities & fixes


[Updated 06.15.16 to add CVE-2016-2883 (2).]

[Updated 06.10.16 to add CVE-2016-2882.]

[Updated 05.31.16 to add CVE-2016-2883 (1).]

For convenience, here are the some recent CVE IDs.

CVE ID Summary APAR
CVE-2016-0362 The IBM TRIRIGA Application Platform allows remote attackers to use one of its web services as a proxy to forward HTTP requests to other internal/external web resources.
CVE-2016-0374 The IBM TRIRIGA Application Platform builder tools are vulnerable to a privilege escalation attack that can result in a user without access having the ability to modify TRIRIGA Applications.
CVE-2016-0386 The IBM TRIRIGA Application Platform is vulnerable to cross-site request forgery (CSRF), caused by improper validation of user-supplied input. By persuading an authenticated user to visit a malicious website, a remote attacker could send a malformed HTTP request. An attacker could exploit this vulnerability to perform cross-site scripting (XSS) attacks, web cache poisoning, and other malicious activities.
CVE-2016-0387 The IBM TRIRIGA Application Platform is vulnerable to cross-site scripting (XSS), caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim’s web browser within the security context of the hosting website, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVE-2016-2882 The IBM TRIRIGA Application Platform could disclose some sensitive server information through URL request responses that could aid an attacker in further attacks against the system.
(1) CVE-2016-2883

(2) CVE-2016-2883

The IBM TRIRIGA Application Platform is vulnerable to cross-site scripting (XSS), caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim’s web browser within the security context of the hosting website, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.

[Admin: This post is related to the 04.04.16 post about vulnerabilities and fixes. To see other related posts, use the Vulnerability tag.]

Continue reading

Security: IBM TRIRIGA Application Platform vulnerabilities & fixes


For convenience, here are the some recent CVE IDs and their related APARs.

CVE ID Summary APAR
CVE-2016-0300 The IBM TRIRIGA Application Platform has a security flaw that could grant unauthenticated access into all JSP pages within the application structure under certain circumstances with the right criteria, which may allow for subsequent probing and exploitation.
CVE-2016-0312 The IBM TRIRIGA Application Platform has a security flaw that grants unauthenticated access to Document Manager in IBM TRIRIGA Application Platform in versions prior to 3.3.2 only. Anyone running on IBM TRIRIGA Application Platform 3.3.2 or higher, is not at impacted by this vulnerability.
CVE-2016-0342 The IBM TRIRIGA Application Platform grants the ability to access to read or modify a report that the user does not have privileges for. IV82437
CVE-2016-0343 IBM TRIRIGA could allow an authenticated user to obtain sensitive information displayed in error messages. IV82433
CVE-2016-0344 The IBM TRIRIGA Application Platform is vulnerable to a cross-site scripting (XSS) attack within My Reports. IV82435
CVE-2016-0345 The IBM TRIRIGA Application Platform no longer discloses server file path information when BIRT reports are rendered. IV82438
CVE-2016-0346 Unauthenticated requests can be made to a vulnerable web application, which then performs unauthorized action on behalf of the attacker. IV82436

[Admin: To see other related posts, use the Vulnerability tag.]

Continue reading