IBM has released patches for two cross-site scripting (XSS) vulnerabilities affecting the company’s InfoSphere BigInsights analytics platform.
Fortinet researcher Honggang Ren has identified a couple of stored XSS flaws in the web console of InfoSphere BigInsights, a software platform that allows organizations to discover, analyze and visualize data from disparate sources.
One of the flaws, tracked as CVE-2016-2924, affects the “name” field in the “Add Alert Type” window of the “User-Defined Alerts” feature in the InfoSphere BigInsights user interface. The second vulnerability, identified as CVE-2016-2992, affects the “SQL Editor” feature.
The vulnerabilities allow an attacker to use a guest account to inject malicious JavaScript code into the system. The code is executed when an administrator performs various operations on the pages containing the code. An attacker could leverage the flaws to obtain authentication data from the targeted admin.
“IBM Infosphere BigInsights is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked,” IBM and Fortinet said in their advisories.
The flaws affect IBM BigInsights 4.1 and 4.2. The vendor has classified them as “medium severity,” but their exploitability is “high.”
This was not the first time Ren identified XSS vulnerabilities in IBM products. In October, the expert reported finding a similar security hole in IBM Rational Collaborative Lifecycle Management (CLM).
IBM also informed customers last week of vulnerabilities introduced by various third-party components. For instance, cURL, NTP and Python flaws affect PowerKVM, and a vulnerability in GnuPG impacts IBM Security Network Protection.
