Abstract
IBM Cognos Analytics 11.0.6 Interim Fix 2 provides important product corrections to address security vulnerabilities found in the product.
IBM Cognos Analytics 11.0 is vulnerable to a number of cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
IBM Cognos Analytics 11.0 contains a vulnerability whereby a user who does not have the 'Show Detailed Errors' permission granted can still see the detailed error message in the Dashboard, including internal software details.
These have been addressed in Cognos Analytics 11.0.6 Interim Fix 2.
Content
Vulnerability Details
CVEID: CVE-2017-1485
DESCRIPTION: IBM Cognos Analytics is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/128623 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
CVEID: CVE-2017-1535
DESCRIPTION: IBM Cognos Analytics could allow a user to see detailed error messages in the Cognos Analytics Dashboard, including internal software details, despite not having permissions to do so.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/130677 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
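The two defect classes described above (CVE-2017-1485: untrusted text rendered into the Web UI without encoding; CVE-2017-1535: detailed error text shown regardless of the 'Show Detailed Errors' permission) can be illustrated with a small model of an error card renderer. This is an added example and is not IBM Cognos code; the function names, the session and permission shapes, and the sample error text are all assumptions constructed for the illustration.

```javascript
// Added example, not IBM Cognos code. Models the two issue classes in this bulletin:
//   1. XSS: untrusted text interpolated into HTML without entity encoding.
//   2. Missing authorization check: detailed error output shown to a user who
//      lacks the 'Show Detailed Errors' permission.
// All names (renderErrorCard, showDetailedErrors, the session objects) are assumptions.

// Minimal HTML entity encoder for text nodes and double-quoted attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: raw interpolation of error text, and the session is never consulted,
// so both the markup injection and the permission bypass are present.
function renderErrorCardVulnerable(err, _session) {
  return `<div class="error"><p>${err.summary}</p><pre>${err.detail}</pre></div>`;
}

// Hardened pattern: every untrusted value is entity-encoded before it reaches the markup,
// and the detailed section is only emitted when the permission is actually held.
function renderErrorCard(err, session) {
  const parts = [`<div class="error"><p>${escapeHtml(err.summary)}</p>`];
  if (session.permissions.includes('showDetailedErrors')) {
    parts.push(`<pre>${escapeHtml(err.detail)}</pre>`);
  } else {
    parts.push('<p>An error occurred. Contact your administrator for details.</p>');
  }
  parts.push('</div>');
  return parts.join('');
}

// Detection helper for tests or a render-time assertion: does the produced markup contain a
// real script element or an element carrying an inline event-handler attribute? Escaped text
// such as "&lt;img ..." no longer starts a tag, so it does not match.
function containsActiveContent(html) {
  return /<script\b|<\w+[^>]*\son\w+\s*=/i.test(html);
}

// Constructed sample input (not taken from the bulletin).
const sampleError = {
  summary: 'Report failed: <img src=x onerror="alert(1)">',
  detail: 'com.example.QueryEngine: SQLState 42000 at line 17 (internal class path)',
};
const viewer = { user: 'analyst', permissions: ['viewDashboard'] };
const admin = { user: 'admin', permissions: ['viewDashboard', 'showDetailedErrors'] };

// Stand-alone demonstration of the difference between the two renderers.
console.log('vulnerable, viewer:', renderErrorCardVulnerable(sampleError, viewer));
console.log('hardened,   viewer:', renderErrorCard(sampleError, viewer));
console.log('hardened,   admin :', renderErrorCard(sampleError, admin));
```

The `containsActiveContent` check is the kind of assertion a defender can attach to rendering code or UI tests: it should never fire on the hardened renderer, while the permission branch can be covered by rendering the same error for a session with and without `showDetailedErrors` and checking that internal detail only appears in the former.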
The recommended solution is to download IBM Cognos Analytics 11.0.0.6 as soon as practical.
Downloading IBM Cognos Analytics 11.0.0.6 Interim Fix 2
Document Information
Modified date:
15 June 2018
UID
swg22008264