CVE-2016-9000 - OpenCVE

IBM InfoSphere DataStage is vulnerable to cross-frame scripting, caused by insufficient HTML iframe protection. A remote attacker could exploit this vulnerability using a specially-crafted URL to navigate to a web page the attacker controls. An attacker could use this vulnerability to conduct clickjacking or other client-side browser attacks.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Ibm	Infosphere Datastage Infosphere Information Server On Cloud

Configuration 1 [-]

OR	cpe:2.3:a:ibm:infosphere_datastage:8.7:::::::*
	cpe:2.3:a:ibm:infosphere_datastage:9.1:::::::*
	cpe:2.3:a:ibm:infosphere_datastage:11.3:::::::*
	cpe:2.3:a:ibm:infosphere_datastage:11.5:::::::*
	cpe:2.3:a:ibm:infosphere_information_server_on_cloud:11.5:::::::*

No data.

References

Link	Providers
http://www.ibm.com/support/docview.wss?uid=swg21995257
http://www.securityfocus.com/bid/95324
http://www.securitytracker.com/id/1037564

History

No history.

MITRE

Status: PUBLISHED

Assigner: ibm

Published: 2017-02-01T22:00:00

Updated: 2024-08-06T02:35:02.577Z

Reserved: 2016-10-25T00:00:00

Link: CVE-2016-9000

Vulnrichment

No data.

NVD

Status : Modified

Published: 2017-02-01T22:59:01.133

Modified: 2017-07-27T01:29:06.430

Link: CVE-2016-9000

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "InfoSphere Information Server", "vendor": "IBM Corporation", "versions": [{"status": "affected", "version": "8.1"}, {"status": "affected", "version": "8.5"}, {"status": "affected", "version": "8.0"}, {"status": "affected", "version": "8.5.0.1"}, {"status": "affected", "version": "8.7"}, {"status": "affected", "version": "9.1"}, {"status": "affected", "version": "8.0.1"}, {"status": "affected", "version": "10.0"}, {"status": "affected", "version": "11.3"}, {"status": "affected", "version": "10"}, {"status": "affected", "version": "11.3.0.0"}, {"status": "affected", "version": "11.3.1.0"}, {"status": "affected", "version": "11.5"}]}], "datePublic": "2017-01-06T00:00:00", "descriptions": [{"lang": "en", "value": "IBM InfoSphere DataStage is vulnerable to cross-frame scripting, caused by insufficient HTML iframe protection. A remote attacker could exploit this vulnerability using a specially-crafted URL to navigate to a web page the attacker controls. An attacker could use this vulnerability to conduct clickjacking or other client-side browser attacks."}], "problemTypes": [{"descriptions": [{"description": "Cross-Site Scripting", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-07-26T09:57:01", "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm"}, "references": [{"name": "1037564", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1037564"}, {"name": "95324", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/95324"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.ibm.com/support/docview.wss?uid=swg21995257"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@us.ibm.com", "ID": "CVE-2016-9000", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "InfoSphere Information Server", "version": {"version_data": [{"version_value": "8.1"}, {"version_value": "8.5"}, {"version_value": "8.0"}, {"version_value": "8.5.0.1"}, {"version_value": "8.7"}, {"version_value": "9.1"}, {"version_value": "8.0.1"}, {"version_value": "10.0"}, {"version_value": "11.3"}, {"version_value": "10"}, {"version_value": "11.3.0.0"}, {"version_value": "11.3.1.0"}, {"version_value": "11.5"}]}}]}, "vendor_name": "IBM Corporation"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "IBM InfoSphere DataStage is vulnerable to cross-frame scripting, caused by insufficient HTML iframe protection. A remote attacker could exploit this vulnerability using a specially-crafted URL to navigate to a web page the attacker controls. An attacker could use this vulnerability to conduct clickjacking or other client-side browser attacks."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Cross-Site Scripting"}]}]}, "references": {"reference_data": [{"name": "1037564", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1037564"}, {"name": "95324", "refsource": "BID", "url": "http://www.securityfocus.com/bid/95324"}, {"name": "http://www.ibm.com/support/docview.wss?uid=swg21995257", "refsource": "CONFIRM", "url": "http://www.ibm.com/support/docview.wss?uid=swg21995257"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T02:35:02.577Z"}, "title": "CVE Program Container", "references": [{"name": "1037564", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1037564"}, {"name": "95324", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/95324"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.ibm.com/support/docview.wss?uid=swg21995257"}]}]}, "cveMetadata": {"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "assignerShortName": "ibm", "cveId": "CVE-2016-9000", "datePublished": "2017-02-01T22:00:00", "dateReserved": "2016-10-25T00:00:00", "dateUpdated": "2024-08-06T02:35:02.577Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ibm:infosphere_datastage:8.7:*:*:*:*:*:*:*", "matchCriteriaId": "2CB1760D-FED4-4430-9CFB-83608956E424", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:infosphere_datastage:9.1:*:*:*:*:*:*:*", "matchCriteriaId": "6EADE407-3A84-49ED-B818-63B42EE47EBA", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:infosphere_datastage:11.3:*:*:*:*:*:*:*", "matchCriteriaId": "BEE407E4-910C-4AF1-B87B-F9B01759DDFC", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:infosphere_datastage:11.5:*:*:*:*:*:*:*", "matchCriteriaId": "0025F291-9862-4638-B96D-1ABEC3C31890", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:infosphere_information_server_on_cloud:11.5:*:*:*:*:*:*:*", "matchCriteriaId": "88A5CF53-1A0C-4519-90A7-DFF6629820B0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "IBM InfoSphere DataStage is vulnerable to cross-frame scripting, caused by insufficient HTML iframe protection. A remote attacker could exploit this vulnerability using a specially-crafted URL to navigate to a web page the attacker controls. An attacker could use this vulnerability to conduct clickjacking or other client-side browser attacks."}, {"lang": "es", "value": "IBM InfoSphere DataStage es vulnerable a las secuencias de comandos de trama cruzada, provocadas por la insuficiente protecci\u00f3n HTML de iframe. Un atacante remoto podr\u00eda explotar esta vulnerabilidad utilizando una URL manipulada para navegar a una p\u00e1gina web que controla el atacante. Un atacante podr\u00eda usar esta vulnerabilidad para realizar ataques de clickjacking u otros ataques del navegador del lado del cliente."}], "id": "CVE-2016-9000", "lastModified": "2017-07-27T01:29:06.430", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-02-01T22:59:01.133", "references": [{"source": "psirt@us.ibm.com", "tags": ["Patch", "Vendor Advisory"], "url": "http://www.ibm.com/support/docview.wss?uid=swg21995257"}, {"source": "psirt@us.ibm.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/95324"}, {"source": "psirt@us.ibm.com", "url": "http://www.securitytracker.com/id/1037564"}], "sourceIdentifier": "psirt@us.ibm.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}