CVE-2014-3025

Name of the Vulnerable Software and Affected Versions IBM Maximo Asset Management versions 6.2 through 6.2.8 IBM Maximo Asset Management versions 7.1 through 7.1.1.2 IBM Maximo Asset Management versions 7.5 through 7.5.0.6 IBM Maximo Asset Management for SmartCloud Control Desk versions 7.5 through 7.5.0.3 IBM Maximo Asset Management for SmartCloud Control Desk versions 7.5.1 through 7.5.1.2 IBM Tivoli Asset Management for IT versions 6.2 through 6.2.8 IBM Tivoli Asset Management for IT versions 7.1 through 7.1.1.2 IBM Tivoli Asset Management for IT version 7.2

Description The issue allows remote authenticated users to inject arbitrary web script or HTML via unspecified input to a .jsp file under the "webclient/utility/" directory. This can lead to cross-site scripting (XSS) attacks.

Recommendations For IBM Maximo Asset Management versions 6.2 through 6.2.8, update to a version outside of this range. For IBM Maximo Asset Management versions 7.1 through 7.1.1.2, update to a version outside of this range. For IBM Maximo Asset Management versions 7.5 through 7.5.0.6, update to a version outside of this range. For IBM Maximo Asset Management for SmartCloud Control Desk versions 7.5 through 7.5.0.3, update to a version outside of this range. For IBM Maximo Asset Management for SmartCloud Control Desk versions 7.5.1 through 7.5.1.2, update to a version outside of this range. For IBM Tivoli Asset Management for IT versions 6.2 through 6.2.8, update to a version outside of this range. For IBM Tivoli Asset Management for IT versions 7.1 through 7.1.1.2, update to a version outside of this range. For IBM Tivoli Asset Management for IT version 7.2, update to a version outside of this range. As a temporary workaround, consider restricting access to the "webclient/utility/" directory to minimize the risk of exploitation.