PT-2017-13811 · IBM · IBM Worklight Framework

Gabriele Gristina · Published 2017-08-01 · Updated 2017-08-04 · CVE-2017-1500

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: IBM Worklight Framework versions 6.1 through 8.0

Description: A reflected Cross-Site Scripting (XSS) issue exists in the authorization function of the RESTful Web API. The scope parameter is vulnerable: if its value names a "realm" that is not defined in authenticationConfig.xml, the value is reflected verbatim into the HTTP response body. An attacker who lures a user into opening a crafted request can therefore inject arbitrary JavaScript into the response, potentially modifying the authorization flow and leading to credential disclosure within a trusted session.

Recommendations: For IBM Worklight Framework versions 6.1 through 8.0, as a temporary workaround until a fix is available, restrict what the authorization function accepts in the scope parameter: reject any value that does not match a realm defined in authenticationConfig.xml, and HTML-encode the value if it must appear in the response body rather than echoing it verbatim. Because this is a reflected issue requiring user interaction (UI:R), the scope value is supplied by the attacker in a link or form the victim opens, so the workaround belongs on the server side rather than in how legitimate clients set the parameter. At the time of writing there is no information about a newer version that contains a fix for this vulnerability.
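As an added example, not code from the advisory or from IBM, the following Python models the behaviour described above: a handler that echoes an unrecognized scope value into the HTML body, beside a hardened handler that allowlists the scope against the realm names parsed from an authenticationConfig.xml and encodes output. The config snippet, realm names, response texts and realm-name character class are constructed assumptions for this example; the real Worklight endpoint is not reproduced.

```python
# Added example (not Worklight's code): a minimal model of the authorization
# function's handling of the `scope` parameter, showing the reflected XSS the
# advisory describes beside a hardened handler that validates the scope
# against the realms defined in authenticationConfig.xml and encodes output.
import html
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

# Constructed stand-in for authenticationConfig.xml. The realm names and the
# loginModule/className values are assumptions for this example only.
AUTH_CONFIG_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tns:loginConfiguration xmlns:tns="http://www.worklight.com/auth/config">
  <realms>
    <realm name="SampleAppRealm" loginModule="StrongDummy">
      <className>com.worklight.core.auth.ext.FormBasedAuthenticator</className>
    </realm>
    <realm name="wl_anonymousUserRealm" loginModule="WeakDummy">
      <className>com.worklight.core.auth.ext.AnonymousUserAuthenticator</className>
    </realm>
  </realms>
</tns:loginConfiguration>
"""


def configured_realms(config_xml: str) -> set:
    """Return the set of realm names defined in the config (namespace-agnostic)."""
    root = ET.fromstring(config_xml)
    return {
        el.attrib["name"]
        for el in root.iter()
        if el.tag.rsplit("}", 1)[-1] == "realm" and "name" in el.attrib
    }


def _scope_from_query(query: str) -> str:
    """Extract the URL-decoded scope parameter; empty string if absent."""
    return parse_qs(query, keep_blank_values=True).get("scope", [""])[0]


def vulnerable_authorization(query: str, realms: set) -> tuple:
    """Models the behaviour the advisory describes: a scope that is not a
    configured realm is echoed verbatim into the HTML response body."""
    scope = _scope_from_query(query)
    if scope in realms:
        return 200, "<p>Authorization challenge for realm %s</p>" % scope
    return 400, "<p>Unknown realm: %s</p>" % scope


# Realm names in the config are plain identifiers; anything else is rejected
# before it can reach the response. (The character class is an assumption.)
REALM_NAME = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def hardened_authorization(query: str, realms: set) -> tuple:
    """Allowlist the scope against the configured realms and never reflect an
    unknown value; encode the known value when it is written into HTML."""
    scope = _scope_from_query(query)
    if not REALM_NAME.fullmatch(scope) or scope not in realms:
        return 400, "<p>Unknown realm</p>"
    return 200, "<p>Authorization challenge for realm %s</p>" % html.escape(scope, quote=True)


def reflects_payload(body: str, marker: str = "<script>") -> bool:
    """Simple check used when probing a response for unencoded reflection."""
    return marker in body


if __name__ == "__main__":
    realms = configured_realms(AUTH_CONFIG_XML)
    # Constructed probe: the attacker-controlled scope carries a script tag.
    probe = "scope=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E"
    for handler in (vulnerable_authorization, hardened_authorization):
        status, body = handler(probe, realms)
        print(handler.__name__, status, "reflects payload:", reflects_payload(body))
```

The hardened handler applies both halves of the workaround: the allowlist stops an unknown realm name from ever reaching the response, and html.escape covers the known value on its way into the markup, so a later change to the realm-name syntax cannot quietly reopen the reflection.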

XSS


Weakness Enumeration

Related Identifiers

CVE-2017-1500

Affected Products

IBM Worklight Framework