Reflected Cross Site Scripting Vulnerability in IBM Worklight Framework
CVE-2017-1500

6.1MEDIUM

Key Information:

Vendor: IBM
Status: Worklight
Vendor: CVE Published:; 1 August 2017

Summary

A reflected Cross Site Scripting (XSS) vulnerability is present in the authorization function of the RESTful Web API within IBM Worklight Framework. This flaw affects several versions of the product and allows an attacker to manipulate the 'scope' parameter. If an unrecognized 'realm' value is used, the system responds with an HTTP 403 Forbidden status, reflecting the malicious input in the HTTP response body. An attacker could craft a request to execute arbitrary JavaScript code, potentially allowing them to alter the authorization flow and gain access to sensitive information, including user credentials, within a trusted session.

Affected Version(s)

Worklight 6.1

Worklight 6.2

Worklight 6.3

References

http://www-01.ibm.com/support/docview.wss?uid=swg2C1000316

x_refsource_CONFIRM

https://exchange.xforce.ibmcloud.com/vulnerabilities/129404

x_refsource_MISC

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Aug 1, 2017
Vulnerability Reserved
Nov 30, 2016