IBM Eclipse Help System cross-site scripting

iehs-cve20130464-xss (81060) Risk level: Medium

Description:

IBM Eclipse Help System, as used in multiple IBM products, is vulnerable to cross-site scripting. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

*CVSS:

Base Score: 4.3
  Access Vector: Network
  Access Complexity: Medium
  Authentication: None
  Confidentiality Impact: None
  Integrity Impact: Partial
  Availability Impact: None
 
Temporal Score: 3.7
  Exploitability: High
  Remediation Level: Official-Fix
  Report Confidence: Confirmed

Consequences:

Cross-Site Scripting

Remedy:

Refer to the appropriate IBM Security Bulletin for patch, upgrade or suggested workaround information. See References.

References:

  • IBM Security Bulletin 1637954: Vulnerability in IBM SPSS Data Collection due to issues in Eclipse Help System (CVE-2013-0464, CVE-2013-0467).
  • IBM Security Bulletin 1639856: Vulnerabilities in IBM Rational Insight's Help System (CVE-2013-0464, CVE-2013-0467 & CVE-2013-0599).
  • IBM Security Bulletin 1640616: IBM OmniFind Enterprise Edition and IBM Content Analytics (CVE-2013-0599, CVE-2013-0464, CVE-2013-0467).
  • IBM Security Bulletin 1642791: IBM WebSphere Appliance Management Center, multiple security vulnerabilities in IBM Tivoli Integrated Portal.
  • IBM Security Bulletin 1646446: Security Vulnerabilities addressed in IBM Tivoli Netcool Performance Manager (CVE-2013-0464, CVE-2012-3325, CVE-2012-3325).
  • IBM Security Bulletin 1646473: IBM Content Collector - Eclipse Help System Cross Site Scripting Vulnerability (CVE-2013-0464).
  • IBM Security Bulletin 1646503: Tivoli Storage Productivity Center, multiple security vulnerabilities in IBM Tivoli Integrated Portal (CVE-2013-0464, CVE-2012-3325, CVE-2011-4858).
  • IBM Security Bulletin 1646737: Potential Security issue for SmartCloud Cost Management (CVE-2013-0464 and CVE-2012-3325).
  • IBM Security Bulletin 1649664: IBM Rational Change can be affected by vulnerabilities in the IBM Eclipse Help System (IEHS) (CVE-2013-0464 and CVE-2013-0467).
  • IBM Security Bulletin 1649711: Vulnerabilities in IBM Rational Synergy's Help System (CVE-2013-0464, CVE-2013-0467 & CVE-2013-0599).
  • IBM Security Bulletin 1650482: IBM Tivoli Key Lifecycle Manager can be affected by multiple vulnerabilities in IBM Tivoli Integrated Portal (CVE-2013-0464, CVE-2012-3325, CVE-2011-4858).
  • IBM Security Bulletin 1651284: Tivoli Workload Dynamic Console Vulnerability exposure in Tivoli Integrated Portal component.
  • IBM Security Bulletin 1651414: Multiple security vulnerabilities in IEHS.
  • IBM Security Bulletin 1651947: Multiple IBM Eclipse Help System (IEHS) vulnerabilities used in IBM License Metric Tool and IBM Tivoli Asset Discovery for Distributed (CVE-2013-0599, CVE-2013-0464, CVE-2013-0467).
  • IBM Security Bulletin 1662870: Multiple security vulnerabilities exist in WebSphere Transformation Extender (CVE-2013-5802 CVE-2013-4002 CVE-2013-5825 CVE-2013-5372 CVE-2013-0599 CVE-2013-0464 CVE-2013-0467 CVE-2013-2962 CVE-2013-2415).
  • IBM Security Bulletin 4035098: IBM Integrated Information Core 1.5.0.1 interim fix for APAR JR46837.
  • BID-60246: IBM Eclipse Help System CVE-2013-0464 Cross Site Scripting Vulnerability
  • CVE-2013-0464: Multiple cross-site scripting (XSS) vulnerabilities in IBM Eclipse Help System (IEHS) 3.4.3 and 3.6.2, as used in IBM SPSS Data Collection 6.0, 6.0.1, and 7.0, allow remote attackers to inject arbitrary web script or HTML via a crafted URL.
  • SA53653: IBM SPSS Data Collection Eclipse Help System Weakness and Vulnerability
  • SA53776: IBM Integrated Information Core Eclipse Help System Weakness and Vulnerability
  • SA53785: IBM Rational Insight Eclipse Help System Multiple Vulnerabilities
  • SA54177: IBM Content Manager Enterprise Edition Eclipse Help System Multiple Vulnerabilities
  • SA54971: IBM Tivoli Integrated Portal Multiple Vulnerabilities
  • SA55115: IBM Tivoli Dynamic Workload Console Multiple Vulnerabilities

Platforms Affected:

  • IBM Content Analytics 2.2
  • IBM Content Analytics 2.2.0.1
  • IBM Content Analytics 2.2.0.2
  • IBM Content Analytics 2.2.0.3
  • IBM Content Analytics with Enterprise Search 3.0
  • IBM Content Analytics with Enterprise Search 3.0.0.1
  • IBM Content Analytics with Enterprise Search 3.0.0.2
  • IBM Content Collector 3.0
  • IBM Eclipse Help System
  • IBM SmartCloud Cost Management 2.1.0.0
  • IBM Integrated Information Core 1.5.0.1
  • IBM License Metric Tool 7.5
  • IBM OmniFind Enterprise Edition 9.1
  • IBM OmniFind Enterprise Edition 9.1.0.1
  • IBM OmniFind Enterprise Edition 9.1.0.2
  • IBM OmniFind Enterprise Edition 9.1.0.3
  • IBM OmniFind Enterprise Edition 9.1.0.4
  • IBM Rational Change 5.3.0.5
  • IBM Rational Insight 1.0
  • IBM Rational Insight 1.0.0.1
  • IBM Rational Insight 1.0.0.2
  • IBM Rational Insight 1.0.1
  • IBM Rational Insight 1.0.1.1
  • IBM Rational Insight 1.1
  • IBM Rational Insight 1.1.1
  • IBM Rational Insight 1.1.1.1
  • IBM Rational Synergy 7.2.0.4
  • IBM SmartCloud Cost Management 7.3
  • IBM SmartCloud Cost Management 7.3.0.1
  • IBM SmartCloud Cost Management 7.3.0.2
  • IBM SmartCloud Cost Management 7.3.0.3
  • IBM SmartCloud Cost Management 7.3.0.4
  • IBM SPSS Data Collection 6.0
  • IBM SPSS Data Collection 6.0.1
  • IBM SPSS Data Collection 7.0
  • IBM Tivoli Asset Discovery for Distributed 7.5
  • IBM Tivoli Dynamic Workload Console 8.6.0.0
  • IBM Tivoli Dynamic Workload Console 8.6.0.1
  • IBM Tivoli Key Lifecycle Manager 1.0
  • IBM Tivoli Key Lifecycle Manager 2.0
  • IBM Tivoli Key Lifecycle Manager 2.0.1
  • IBM Tivoli Netcool Performance Manager 1.3.0
  • IBM Tivoli Netcool Performance Manager 1.3.1
  • IBM Tivoli Netcool Performance Manager 1.3.2
  • IBM Tivoli Storage Productivity Center 4.1.0.103
  • IBM Tivoli Storage Productivity Center 4.1.0.111
  • IBM Tivoli Storage Productivity Center 4.1.0.97
  • IBM Tivoli Storage Productivity Center 4.1.1.105
  • IBM Tivoli Storage Productivity Center 4.1.1.106
  • IBM Tivoli Storage Productivity Center 4.1.1.115
  • IBM Tivoli Storage Productivity Center 4.1.1.126
  • IBM Tivoli Storage Productivity Center 4.1.1.55
  • IBM Tivoli Storage Productivity Center 4.1.1.66
  • IBM Tivoli Storage Productivity Center 4.1.1.74
  • IBM Tivoli Storage Productivity Center 4.1.1.84
  • IBM Tivoli Storage Productivity Center 4.1.1.85
  • IBM Tivoli Storage Productivity Center 4.1.1.95
  • IBM Tivoli Storage Productivity Center 4.2.0.151
  • IBM Tivoli Storage Productivity Center 4.2.1.152
  • IBM Tivoli Storage Productivity Center 4.2.1.155
  • IBM Tivoli Storage Productivity Center 4.2.1.163
  • IBM Tivoli Storage Productivity Center 4.2.1.174
  • IBM Tivoli Storage Productivity Center 4.2.1.185
  • IBM Tivoli Storage Productivity Center 4.2.1.188
  • IBM Tivoli Storage Productivity Center 4.2.1.191
  • IBM Tivoli Storage Productivity Center 4.2.2.119
  • IBM Tivoli Storage Productivity Center 4.2.2.143
  • IBM Tivoli Storage Productivity Center 4.2.2.145
  • IBM Tivoli Storage Productivity Center 4.2.2.78
  • IBM Tivoli Storage Productivity Center 4.2.2.95
  • IBM Tivoli Storage Productivity Center 5.1.0 Standard
  • IBM WebSphere Appliance Management Center 4.0
  • IBM WebSphere MQ 7.0
  • IBM WebSphere MQ 7.0.0.1
  • IBM WebSphere MQ 7.0.0.2
  • IBM WebSphere MQ 7.0.1
  • IBM WebSphere MQ 7.0.1.1
  • IBM WebSphere MQ 7.0.1.10
  • IBM WebSphere MQ 7.0.1.2
  • IBM WebSphere MQ 7.0.1.3
  • IBM WebSphere MQ 7.0.1.4
  • IBM WebSphere MQ 7.0.1.5
  • IBM WebSphere MQ 7.0.1.6
  • IBM WebSphere MQ 7.0.1.7
  • IBM WebSphere MQ 7.0.1.8
  • IBM WebSphere MQ 7.0.1.9
  • IBM WebSphere MQ 7.0.2
  • IBM WebSphere MQ 7.0.3
  • IBM WebSphere MQ 7.0.4
  • IBM WebSphere MQ 7.0.4.1
  • IBM WebSphere MQ 7.0.4.2
  • IBM WebSphere MQ 7.0.4.3
  • IBM WebSphere MQ 7.1
  • IBM WebSphere MQ 7.1.0.1
  • IBM WebSphere MQ 7.1.0.2
  • IBM WebSphere MQ 7.1.0.3
  • IBM WebSphere MQ 7.5
  • IBM WebSphere MQ 7.5.0.1
  • IBM WebSphere MQ 7.5.0.2
  • IBM WebSphere MQ File Transfer Edition 7.0
  • IBM WebSphere MQ File Transfer Edition 7.0.0.1
  • IBM WebSphere MQ File Transfer Edition 7.0.0.2
  • IBM WebSphere MQ File Transfer Edition 7.0.1
  • IBM WebSphere MQ File Transfer Edition 7.0.1.1
  • IBM WebSphere MQ File Transfer Edition 7.0.1.10
  • IBM WebSphere MQ File Transfer Edition 7.0.1.2
  • IBM WebSphere MQ File Transfer Edition 7.0.1.3
  • IBM WebSphere MQ File Transfer Edition 7.0.1.4
  • IBM WebSphere MQ File Transfer Edition 7.0.1.5
  • IBM WebSphere MQ File Transfer Edition 7.0.1.6
  • IBM WebSphere MQ File Transfer Edition 7.0.1.7
  • IBM WebSphere MQ File Transfer Edition 7.0.1.8
  • IBM WebSphere MQ File Transfer Edition 7.0.1.9
  • IBM WebSphere MQ File Transfer Edition 7.0.2
  • IBM WebSphere MQ File Transfer Edition 7.0.3
  • IBM WebSphere MQ File Transfer Edition 7.0.4
  • IBM WebSphere MQ File Transfer Edition 7.0.4.1
  • IBM WebSphere MQ File Transfer Edition 7.0.4.2
  • IBM WebSphere MQ File Transfer Edition 7.0.4.3
  • IBM WebSphere MQ File Transfer Edition 7.1
  • IBM WebSphere MQ File Transfer Edition 7.1.0.1
  • IBM WebSphere MQ File Transfer Edition 7.1.0.2
  • IBM WebSphere MQ File Transfer Edition 7.1.0.3
  • IBM WebSphere MQ File Transfer Edition 7.5
  • IBM WebSphere MQ File Transfer Edition 7.5.0.1
  • IBM WebSphere MQ File Transfer Edition 7.5.0.2
  • IBM WebSphere Transformation Extender Design Studio
  • IBM WebSphere Transformation Extender for Application Programming
  • IBM WebSphere Transformation Extender for Integration Servers
  • IBM WebSphere Transformation Extender for Launcher Hypervisor
  • IBM WebSphere Transformation Extender with Command Server
  • IBM WebSphere Transformation Extender with Launcher

Reported:

May 30, 2013

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@us.ibm.com


* According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
