IBM Support

Security Bulletin: IBM Control Desk is vulnerable to Cross-Site Scripting Vulnerability (CVE-2021-20559)

Security Bulletin


Summary

IBM Control Desk is vulnerable to Cross-Site Scripting Vulnerability

Vulnerability Details

CVEID:   CVE-2021-20559
DESCRIPTION:   IBM Smart Cloud Control Desk is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/199228 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

This vulnerability affects the following versions of the IBM Control Desk (ICD). Older versions of IBM Control Desk (ICD) may be impacted. The recommended action is to update to the latest version.

IBM Control Desk core product versions affected:

Affected Product(s)Version(s)
IBM Control DeskIBM Control Desk 7.6.1.2 and 7.6.1.3

* To determine the core product version, log in and view System Information. The core product version is the "Tivoli's process automation engine" version. Please consult the Product Coexistence Matrix for a list of supported product combinations.


Remediation/Fixes

The recommended solution is to download the appropriate Interim Fix or Fix Pack from Fix Central (What is Fix Central?) and apply for each affected product as soon as possible. Please see below for information on the fixes available for each product, version, and release. Follow the installation instructions in the ‘readme’ documentation provided with each fix pack or interim fix.

For IBM Control Desk 7.6.1.2 and 7.6.1.3 :


VRM

Fix Pack, Feature Pack, or Interim Fix/ LA Fix

Download

7.6.1.3IBM Control Desk  7.6.1.3 Feature Pack:
7.6.1.3-TIV-ICD-LA0004 or latest Interim Fix available		FixCentral
7.6.1.2IBM Control Desk  7.6.1.2 Feature Pack:
7.6.1.2-TIV-ICD-LA0006 or latest Interim Fix available		FixCentral


Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS v3 Guide
On-line Calculator v3

Off

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

This vulnerability was reported to IBM by Aleksandra Majsakowska of TAURON Polska Energia S.A.

Change History

05 Apr 2021: Initial Publication

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Location

Worldwide

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSZRHJ","label":"IBM Control Desk on Cloud"},"Component":"","Platform":[{"code":"PF033","label":"Windows"},{"code":"PF016","label":"Linux"},{"code":"PF002","label":"AIX"}],"Version":"IBM Control Desk 7.6.1.2 and 7.6.1.3","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}}]

Document Information

Modified date:
07 May 2021

UID

ibm16450759

Page Feedback