Reflected Cross Site Scripting Vulnerability in IBM Worklight Framework
CVE-2017-1500

6.1 MEDIUM

Key Information:

Vendor: IBM
Status: Vendor
CVE Published: 1 August 2017

Summary

A reflected Cross Site Scripting (XSS) vulnerability is present in the authorization function of the RESTful Web API within IBM Worklight Framework. The flaw affects several versions of the product: the 'scope' parameter is not sanitized, and when the request also carries an unrecognized 'realm' value the server answers with an HTTP 403 Forbidden response whose body reflects the attacker-controlled 'scope' value unchanged. A crafted request can therefore cause arbitrary JavaScript to execute in the victim's browser within a trusted session, potentially allowing the attacker to alter the authorization flow and gain access to sensitive information, including user credentials.
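To make the described defect and its fix concrete, the following is an added illustration and not code from IBM Worklight or from the advisory. It models a minimal authorization endpoint: the vulnerable form echoes the raw 'scope' value into the HTML body of the 403 response for an unknown realm, exactly the pattern the summary describes, and the hardened form HTML-encodes anything it reflects and adds response headers that limit the impact of any remaining injection. The realm name, the response wording and the probe string are constructed assumptions.

```python
import html
from dataclasses import dataclass, field

# Hypothetical set of configured realms; not taken from the advisory.
KNOWN_REALMS = {"SampleAppRealm"}


@dataclass
class HttpResponse:
    status: int
    body: str
    headers: dict = field(default_factory=dict)


def authorize_vulnerable(realm: str, scope: str) -> HttpResponse:
    """Models the flaw: an unrecognized realm yields HTTP 403 whose HTML body
    contains the caller-supplied 'scope' value without any encoding."""
    if realm not in KNOWN_REALMS:
        body = (f"<html><body>403 Forbidden: scope '{scope}' "
                f"is not granted for realm '{realm}'</body></html>")
        return HttpResponse(403, body, {"Content-Type": "text/html"})
    return HttpResponse(200, "<html><body>OK</body></html>",
                        {"Content-Type": "text/html"})


def authorize_hardened(realm: str, scope: str) -> HttpResponse:
    """Same behaviour, but every reflected value is HTML-entity encoded so
    markup in the input is rendered as text, and defensive headers are set."""
    if realm not in KNOWN_REALMS:
        safe_scope = html.escape(scope, quote=True)
        safe_realm = html.escape(realm, quote=True)
        body = (f"<html><body>403 Forbidden: scope '{safe_scope}' "
                f"is not granted for realm '{safe_realm}'</body></html>")
        headers = {
            "Content-Type": "text/html; charset=utf-8",
            # Stops browsers from guessing a different (scriptable) MIME type.
            "X-Content-Type-Options": "nosniff",
            # Error pages need no scripts at all; block inline execution.
            "Content-Security-Policy": "default-src 'none'",
        }
        return HttpResponse(403, body, headers)
    return HttpResponse(200, "<html><body>OK</body></html>",
                        {"Content-Type": "text/html; charset=utf-8"})


def reflects_unescaped(resp: HttpResponse, raw_input: str) -> bool:
    """Simple check a tester or regression suite can run: does the response
    body still contain the raw (unencoded) input that was sent?"""
    return raw_input in resp.body


if __name__ == "__main__":
    # Constructed, harmless probe: visible markup that should never render as a tag.
    probe = "<b>probe</b>"
    for handler in (authorize_vulnerable, authorize_hardened):
        resp = handler("no-such-realm", probe)
        print(f"{handler.__name__}: status={resp.status} "
              f"reflects raw input={reflects_unescaped(resp, probe)}")
```

The strongest fix is not to echo the parameter in the error body at all; where an error message must mention it, encoding at the point of output (as above) is the minimum, and the `reflects_unescaped` check gives a cheap regression test that fails if the raw value reappears in a 403 response.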

Affected Version(s)

Worklight 6.1

Worklight 6.2

Worklight 6.3

References

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
