CVE-2010-4120

Name of the Vulnerable Software and Affected Versions IBM Tivoli Access Manager for e-business version 6.1.0 before 6.1.0-TIV-TAM-FP0006

Description The issue allows remote attackers to inject arbitrary web script or HTML via multiple parameters, including parm1 to ivt/ivtserver, and the method parameter to various endpoints such as acl, domain, group, gso, gsogroup, os, pop, rule, user, or webseal in ibm/wpm/.

Recommendations For IBM Tivoli Access Manager for e-business version 6.1.0 before 6.1.0-TIV-TAM-FP0006, update to 6.1.0-TIV-TAM-FP0006 or later to resolve the issue. As a temporary workaround, consider restricting access to the ivt/ivtserver and ibm/wpm/ endpoints to minimize the risk of exploitation. Avoid using the parm1 parameter to ivt/ivtserver and the method parameter to the affected endpoints in ibm/wpm/ until the issue is resolved.