製品・ソフトウェアに関する情報

JVN脆弱性詳細

IBM Web Experience Factory におけるクロスサイトスクリプティングの脆弱性

Title	IBM Web Experience Factory におけるクロスサイトスクリプティングの脆弱性
Summary	WebSphere Dashboard Framework (WDF) および Lotus Widget Factory (LWF) で使用される IBM Web Experience Factory (WEF) には、クロスサイトスクリプティングの脆弱性が存在します。
Possible impacts	第三者により、不特定の WebSphere Portal 設定内の Dojo ビルダーエラーを利用され、その結果アプリケーションによるレスポンスページの不正な構成を引き起こされることで、任意の Web スクリプトまたは HTML を挿入される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Nov. 12, 2014, midnight
Registration Date	Nov. 27, 2014, 2:45 p.m.
Last Update	Nov. 27, 2014, 2:45 p.m.

Affected System

IBM

IBM Web Experience Factory 6.1.5 から 8.5.0.1

IBM WebSphere Dashboard Framework

Lotus Widget Factory

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2014-6196	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6196
National Vulnerability Database (NVD)
2	CVE-2014-6196	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6196

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-79	https://jvndb.jvn.jp/ja/cwe/CWE-79.html

ベンダー情報

No	Name	URL
IBM Support Document
1	1690018	http://www-01.ibm.com/support/docview.wss?uid=swg21690018

Change Log

No	Changed Details	Date of change
0	[2014年11月27日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2014-6196

Summary	Cross-site scripting (XSS) vulnerability in IBM Web Experience Factory (WEF) 6.1.5 through 8.5.0.1, as used in WebSphere Dashboard Framework (WDF) and Lotus Widget Factory (LWF), allows remote attackers to inject arbitrary web script or HTML by leveraging a Dojo builder error in an unspecified WebSphere Portal configuration, leading to improper construction of a response page by an application.
Publication Date	Nov. 26, 2014, 11:59 a.m.
Registration Date	Jan. 26, 2021, 3:16 p.m.
Last Update	Nov. 21, 2024, 11:13 a.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:ibm:web_experience_factory:6.1.5:::::::*
cpe:2.3:a:ibm:web_experience_factory:7.0.1:::::::*
cpe:2.3:a:ibm:web_experience_factory:7.0.1.1:::::::*
cpe:2.3:a:ibm:web_experience_factory:7.0.1.2:::::::*
cpe:2.3:a:ibm:web_experience_factory:7.0.1.3:::::::*
cpe:2.3:a:ibm:web_experience_factory:7.0.1.4:::::::*
cpe:2.3:a:ibm:web_experience_factory:8.0:::::::*
cpe:2.3:a:ibm:web_experience_factory:8.0.0:::::::*
cpe:2.3:a:ibm:web_experience_factory:8.0.0.1:::::::*
cpe:2.3:a:ibm:web_experience_factory:8.0.0.2:::::::*
cpe:2.3:a:ibm:web_experience_factory:8.0.0.3:::::::*
cpe:2.3:a:ibm:web_experience_factory:8.5:::::::*
cpe:2.3:a:ibm:web_experience_factory:8.5.0.1:::::::*
execution environment
1	cpe:2.3:a:ibm:lotus_widget_factory:-:::::::*
2	cpe:2.3:a:ibm:websphere_dashboard_framework:-:::::::*

Related information, measures and tools

No	URL	タグ
1	http://secunia.com/advisories/59546
2	http://secunia.com/advisories/59546
3	http://www-01.ibm.com/support/docview.wss?uid=swg1LO82672
4	http://www-01.ibm.com/support/docview.wss?uid=swg1LO82672
5	http://www-01.ibm.com/support/docview.wss?uid=swg1LO82673
6	http://www-01.ibm.com/support/docview.wss?uid=swg1LO82673
7	http://www-01.ibm.com/support/docview.wss?uid=swg1LO82674
8	http://www-01.ibm.com/support/docview.wss?uid=swg1LO82674
9	http://www-01.ibm.com/support/docview.wss?uid=swg1LO82675
10	http://www-01.ibm.com/support/docview.wss?uid=swg1LO82675
11	http://www-01.ibm.com/support/docview.wss?uid=swg1LO82676
12	http://www-01.ibm.com/support/docview.wss?uid=swg1LO82676
13	http://www-01.ibm.com/support/docview.wss?uid=swg21690018	Vendor Advisory
14	http://www-01.ibm.com/support/docview.wss?uid=swg21690018	Vendor Advisory
15	https://exchange.xforce.ibmcloud.com/vulnerabilities/98608
16	https://exchange.xforce.ibmcloud.com/vulnerabilities/98608

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-79	クロスサイト・スクリプティング（XSS）	https://cwe.mitre.org/data/definitions/79.html

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:ibm:web_experience_factory:6.1.5:::::::*
cpe:2.3:a:ibm:web_experience_factory:7.0.1:::::::*
cpe:2.3:a:ibm:web_experience_factory:7.0.1.1:::::::*
cpe:2.3:a:ibm:web_experience_factory:7.0.1.2:::::::*
cpe:2.3:a:ibm:web_experience_factory:7.0.1.3:::::::*
cpe:2.3:a:ibm:web_experience_factory:7.0.1.4:::::::*
cpe:2.3:a:ibm:web_experience_factory:8.0:::::::*
cpe:2.3:a:ibm:web_experience_factory:8.0.0:::::::*
cpe:2.3:a:ibm:web_experience_factory:8.0.0.1:::::::*
cpe:2.3:a:ibm:web_experience_factory:8.0.0.2:::::::*
cpe:2.3:a:ibm:web_experience_factory:8.0.0.3:::::::*
cpe:2.3:a:ibm:web_experience_factory:8.5:::::::*
cpe:2.3:a:ibm:web_experience_factory:8.5.0.1:::::::*
execution environment
1	cpe:2.3:a:ibm:lotus_widget_factory:-:::::::*
2	cpe:2.3:a:ibm:websphere_dashboard_framework:-:::::::*