
CVE-2020-4838: IBM API Connect (Cross Site Scripting)
Virsec Security Research Lab Vulnerability Analysis
The Virsec Security Research Lab provides timely, relevant analysis about recent and notable security vulnerabilities.
1.1 Vulnerability Summary
IBM API Connect 5.0.0.0 through 5.0.8.10 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
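The class of bug described above is stored XSS: a user-controlled field is saved by the application and later written into the Web UI markup without output encoding. The following JavaScript is an added illustration, not IBM API Connect code and not taken from the advisory; it shows the unsafe rendering pattern next to an HTML-encoded version, run over a constructed sample record. All names in it (`storedRecord`, `escapeHtml`, `renderUnsafe`, `renderSafe`, `containsRawScriptTag`) are this example's own assumptions.

```javascript
// Added example (not IBM's code): rendering a stored, user-controlled
// field into an HTML page, the unsafe way and the encoded way.

// Constructed sample record: the description is the kind of value a
// low-privileged user could store through the UI or API.
const storedRecord = {
  name: "orders-api",
  description: "<script>alert(1)</script>",
};

// Minimal encoder for HTML text and quoted-attribute contexts: the five
// characters that can break out of those contexts become entities.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: stored input interpolated straight into markup,
// so any tag inside the field is parsed as part of the page.
function renderUnsafe(record) {
  return `<li><b>${record.name}</b>: ${record.description}</li>`;
}

// Hardened pattern: every dynamic value is encoded for its output context
// before it is concatenated into the markup.
function renderSafe(record) {
  return `<li><b>${escapeHtml(record.name)}</b>: ${escapeHtml(record.description)}</li>`;
}

// Simple regression check a reviewer or test can run on rendered output:
// does it still contain a raw <script ...> start tag?
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

function demo() {
  const unsafeHtml = renderUnsafe(storedRecord);
  const safeHtml = renderSafe(storedRecord);
  console.log("unsafe:", unsafeHtml, "| script tag present:", containsRawScriptTag(unsafeHtml));
  console.log("safe:  ", safeHtml, "| script tag present:", containsRawScriptTag(safeHtml));
  return { unsafeHtml, safeHtml };
}

demo();
```

Run it with `node`. `escapeHtml` is only correct for HTML text and quoted-attribute contexts; a value placed into a JavaScript string, a URL or a CSS rule needs the encoder for that context, and a restrictive Content-Security-Policy limits what an injected script can do when an encoding step is missed somewhere in a large UI.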
1.2 CVSS Score
The CVSS Base score of this vulnerability is 6.4 Medium. CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
1.3 Affected Version
IBM API Connect 5.0.0.0 through 5.0.8.10
1.4 Vulnerability Attribution
This vulnerability was reported by IBM Corporation.
1.5 Risk Impact
IBM API Connect® is a complete, modern, intuitive and scalable API platform that lets you create, securely expose, manage and monetize APIs across clouds so that you and your customers can power digital applications and spur innovation. IBM API Connect is also available with other capabilities as an IBM Cloud Pak® solution, which can help you achieve your application modernization goals as part of your journey to cloud. IBM API Connect is the market leader for Global 2000 companies migrating to or building services in the cloud.
Exploiting this XSS vulnerability can lead to the exfiltration of sensitive data from servers.
No public exploits are available, but it is possible to build one based on the information in the disclosure.
1.6 Virsec Security Platform (VSP) Support:
VSP-Web can detect all types of XSS attack and prevent this vulnerability from being exploited.