SecurityWeek

IBM Patches XSS Flaws in InfoSphere BigInsights

IBM has released patches for two cross-site scripting (XSS) vulnerabilities affecting the company’s InfoSphere BigInsights analytics platform.

Fortinet researcher Honggang Ren has identified a couple of stored XSS flaws in the web console of InfoSphere BigInsights, a software platform that allows organizations to discover, analyze and visualize data from disparate sources.

One of the flaws, tracked as CVE-2016-2924, affects the “name” field in the “Add Alert Type” window of the “User-Defined Alerts” feature in the InfoSphere BigInsights user interface. The second vulnerability, identified as CVE-2016-2992, affects the “SQL Editor” feature.

The vulnerabilities allow an attacker to use a guest account to inject malicious JavaScript code into the system. The code is executed when an administrator performs various operations on the pages containing the code. An attacker could leverage the flaws to obtain authentication data from the targeted admin.

“IBM Infosphere BigInsights is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked,” IBM and Fortinet said in their advisories.
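The advisories attribute both flaws to improper validation of user-supplied input. As an added illustration (not code from IBM, Fortinet or this article), the JavaScript below renders a stored "name" value into an admin-facing table row with and without output encoding; the function names, the name policy and the sample records are assumptions constructed for this example.

```javascript
// Added illustration; every name below is hypothetical, not IBM's code.

// Escape the five characters that are significant in HTML text and
// in quoted attribute values.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Input validation under an assumed policy: 1-64 characters drawn from
// letters, digits, space, underscore, dot and hyphen.
const NAME_POLICY = /^[A-Za-z0-9 _.-]{1,64}$/;
function validateAlertName(name) {
  return typeof name === 'string' && NAME_POLICY.test(name);
}

// Vulnerable pattern: the stored value is concatenated into markup as-is,
// so whatever a low-privileged user saved is parsed by the admin's browser.
function renderRowUnsafe(alert) {
  return `<tr><td title="${alert.name}">${alert.name}</td></tr>`;
}

// Hardened pattern: encode at output time, regardless of what was stored.
function renderRowSafe(alert) {
  const n = escapeHtml(alert.name);
  return `<tr><td title="${n}">${n}</td></tr>`;
}

// Constructed sample records: two ordinary names and one carrying markup.
const SAMPLE_ALERTS = [
  { name: 'CPU load' },
  { name: 'Disk usage > 90%' },
  { name: '"><script>alert(1)</script>' },
];

// Returns, per record, the validation verdict and both renderings.
function demo() {
  return SAMPLE_ALERTS.map((a) => ({
    accepted: validateAlertName(a.name),
    unsafe: renderRowUnsafe(a),
    safe: renderRowSafe(a),
  }));
}

console.log(JSON.stringify(demo(), null, 2));
```

The second sample shows why validation alone is a poor sole control: a strict allow-list rejects a legitimate name, while output encoding renders it correctly and still neutralizes the third.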

The flaws affect IBM BigInsights 4.1 and 4.2. The vendor has classified them as “medium severity,” but their exploitability is “high.”

This was not the first time Ren identified XSS vulnerabilities in IBM products. In October, the expert reported finding a similar security hole in IBM Rational Collaborative Lifecycle Management (CLM).

IBM also informed customers last week of vulnerabilities introduced by various third-party components. For instance, cURL, NTP and Python flaws affect PowerKVM, and a vulnerability in GnuPG impacts IBM Security Network Protection.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
