Overview of Cross-Site Scripting Vulnerabilities in IBM Products: CVE-2024-49785 and CVE-2021-29669


Cross-site scripting (XSS) vulnerabilities pose significant security risks to web applications, allowing attackers to inject malicious scripts into trusted websites. Two notable vulnerabilities affecting IBM products are CVE-2024-49785 and CVE-2021-29669. Both vulnerabilities enable authenticated users to execute arbitrary JavaScript code within the web user interface, potentially leading to credential disclosures and other malicious activities.

Details of the Vulnerabilities 

CVE-2024-49785 

IBM watsonx.ai versions 1.1 through 2.0.3 and IBM watsonx.ai on Cloud Pak for Data versions 4.8 through 5.0.3 are vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI, altering its intended functionality and potentially leading to credential disclosure within a trusted session. The Common Vulnerability Scoring System (CVSS) base score for this vulnerability is 5.4, indicating a moderate severity level.

Affected Products

Product | Versions
IBM watsonx.ai | 1.1 - 2.0.3
IBM watsonx.ai on Cloud Pak for Data | 4.8 - 5.0.3

Remediation

IBM recommends upgrading to:
  • IBM watsonx.ai version 2.1.0 or above
  • IBM watsonx.ai on Cloud Pak for Data version 5.1.0 or above

CVE-2021-29669

IBM Jazz Foundation versions 6.0.6, 6.0.6.1, 7.0, 7.0.1, and 7.0.2 are also vulnerable to cross-site scripting attacks, similar to the watsonx vulnerability. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, which can alter its functionality and lead to credential disclosures within a trusted session.

Affected Products

Product | Versions
IBM Jazz Foundation | 6.0.6, 6.0.6.1, 7.0, 7.0.1, 7.0.2

Remediation

Users are advised to upgrade their products to at least version 7.0.3 or apply specific patches as necessary.

Sample Scenario

Consider a scenario where an organization uses IBM watsonx.ai for data analysis and decision-making processes:
  1. User Authentication: An employee logs into the IBM watsonx.ai application using their credentials.
  2. Malicious Script Injection: The employee discovers that they can input JavaScript code into a comment field within the application’s Web UI due to the XSS vulnerability (CVE-2024-49785). They input a script designed to capture session cookies.
  3. Execution of Malicious Code: When another user accesses the page with the malicious comment, the script executes in their browser context, capturing sensitive session information.
  4. Credentials Disclosure: The attacker now has access to another user's credentials, which can be used for unauthorized access or further exploitation of the system.
This scenario illustrates how XSS vulnerabilities can be exploited in real-world applications, emphasizing the importance of timely remediation and updates.
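The comment-field scenario above comes down to user text reaching the page without output encoding. The following added example (not IBM code and not part of the original post) contrasts an unencoded comment renderer with an encoded one; the comment shape, function names and sample data are assumptions constructed for illustration.

```javascript
// Added example: hypothetical comment renderer, not code from any IBM product.
// Constructed sample comments: one benign, two carrying HTML markup.
const SAMPLE_COMMENTS = [
  { author: "alice", body: "Model run finished, accuracy looks good." },
  { author: "bob", body: "<script>alert(1)</script>" },
  { author: 'eve"><b>', body: "<img src=x onerror=alert(1)>" },
];

// Vulnerable pattern: user-controlled text concatenated straight into HTML.
function renderCommentUnsafe(c) {
  return '<li data-author="' + c.author + '">' + c.body + "</li>";
}

// Encode the characters that are significant in HTML text and in
// quoted attribute values.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened pattern: every user-controlled field is encoded at output time,
// including the one placed inside an attribute.
function renderCommentSafe(c) {
  return '<li data-author="' + escapeHtml(c.author) + '">' +
    escapeHtml(c.body) + "</li>";
}

// Demo check: after removing the <li> wrapper, any remaining "<" means
// user input was interpreted as markup instead of text.
function hasRawMarkup(html) {
  const inner = html
    .replace(/^<li data-author="[^"]*">/, "")
    .replace(/<\/li>$/, "");
  return inner.includes("<");
}

// Render every sample both ways and report which outputs carry live markup.
function auditComments(comments) {
  return comments.map((c) => ({
    author: c.author,
    unsafe: hasRawMarkup(renderCommentUnsafe(c)),
    safe: hasRawMarkup(renderCommentSafe(c)),
  }));
}

console.log(auditComments(SAMPLE_COMMENTS));
```

Output encoding of this kind complements, and does not replace, the vendor upgrades listed in the remediation sections.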

Conclusion

Both CVE-2024-49785 and CVE-2021-29669 highlight critical vulnerabilities in IBM's software products that could lead to significant security breaches if not addressed promptly. Organizations using affected versions should prioritize upgrading their systems and implementing security best practices to mitigate these risks effectively. By staying informed about such vulnerabilities and applying necessary patches, organizations can protect their sensitive data and maintain the integrity of their web applications.



Crow

physics, information technologies, author, educator
