CVE-2014-0825

Name of the Vulnerable Software and Affected Versions IBM Maximo Asset Management versions 7.x before 7.1.1.12 IFIX.20140321-1336 IBM Maximo Asset Management versions 7.5.x before 7.5.0.5 IFIX006 SmartCloud Control Desk versions 7.x before 7.5.0.3 SmartCloud Control Desk versions 7.5.1.x before 7.5.1.2 Tivoli IT Asset Management for IT versions 7.x before 7.1.1.12 IFIX.20140218-1510 Tivoli Service Request Manager versions 7.x before 7.1.1.12 IFIX.20140218-1510 Maximo Service Desk versions 7.x before 7.1.1.12 IFIX.20140218-1510 Change and Configuration Management Database (CCMDB) versions 7.x before 7.1.1.12 IFIX.20140218-1510

Description A cross-site scripting (XSS) issue exists in openreport.jsp, allowing remote authenticated users to inject arbitrary web script or HTML via a crafted report parameter. This can be exploited by injecting malicious code into the report parameter.

Recommendations For IBM Maximo Asset Management versions 7.x before 7.1.1.12 IFIX.20140321-1336, update to version 7.1.1.12 IFIX.20140321-1336 or later. For IBM Maximo Asset Management versions 7.5.x before 7.5.0.5 IFIX006, update to version 7.5.0.5 IFIX006 or later. For SmartCloud Control Desk versions 7.x before 7.5.0.3, update to version 7.5.0.3 or later. For SmartCloud Control Desk versions 7.5.1.x before 7.5.1.2, update to version 7.5.1.2 or later. For Tivoli IT Asset Management for IT, Tivoli Service Request Manager, Maximo Service Desk, and Change and Configuration Management Database (CCMDB) versions 7.x before 7.1.1.12 IFIX.20140218-1510, update to version 7.1.1.12 IFIX.20140218-1510 or later. As a temporary workaround, consider restricting access to the openreport.jsp page until a patch is available. Avoid using crafted report parameters in the affected API endpoint until the issue is resolved.