A vulnerability, which was classified as problematic, has been found in IBM B2B Advanced Communications (version now known). This issue affects some unknown processing of the component 10x. The manipulation with an unknown input leads to a cross site scripting vulnerability. Using CWE to declare the problem leads to CWE-79. The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Impacted is confidentiality, and integrity. The summary by CVE is:

Cross-site scripting (XSS) vulnerability in IBM 10x, as used in Multi-Enterprise Integration Gateway 1.x through 1.0.0.1 and B2B Advanced Communications before 1.0.0.5_2, allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

The weakness was released 09/28/2016 as swg21991148 as confirmed advisory (Website). The advisory is shared at www-01.ibm.com. The identification of this vulnerability is CVE-2016-5892 since 06/29/2016. The exploitation is known to be easy. The attack may be initiated remotely. Required for exploitation is a simple authentication. It demands that the victim is doing some kind of user interaction. Neither technical details nor an exploit are publicly available. MITRE ATT&CK project uses the attack technique T1059.007 for this issue.

Applying the patch 1.0.0.5_2_iFix_Media is able to eliminate this problem. A possible mitigation has been published immediately after the disclosure of the vulnerability.

Productinfo

Vendor

• IBM

Name

• B2B Advanced Communications

License

• commercial

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion