Reflected Cross Site Scripting Vulnerability in IBM Worklight Framework
CVE-2017-1500
6.1 MEDIUM
Summary
A reflected Cross Site Scripting (XSS) vulnerability is present in the authorization function of the RESTful Web API within IBM Worklight Framework. This flaw affects several versions of the product and allows an attacker to manipulate the 'scope' parameter. If an unrecognized 'realm' value is used, the system responds with an HTTP 403 Forbidden status and reflects the malicious input, unencoded, in the HTTP response body. An attacker could craft a request that executes arbitrary JavaScript in the victim's browser, potentially allowing them to alter the authorization flow and gain access to sensitive information, including user credentials, within a trusted session.
Affected Version(s)
Worklight 6.1
Worklight 6.2
Worklight 6.3
CVSS V3.1
Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed