ASA-2019-00255 – IBM Planning Analytics: Cross-Site Scripting (XSS) vulnerability in Dojo Toolkit

Dojo Toolkit is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the DataGrid component. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

ASA-2019-00254 – IBM Planning Analytics: OpenJDK did not ensure that the same endpoint identification algorithm was used during TLS session resumption

A vulnerability related to the Java SE Embedded JSSE component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and low availability impact. Java Secure Socket Extension (JSSE) implementation in OpenJDK did not ensure that the same endpoint identification algorithm was used during TLS session resumption as during initial session setup. An attacker could use this to expose sensitive information.

ASA-2019-00253 – IBM Planning Analytics: Cross-Site Scripting (XSS) vulnerability

IBM Planning Analytics is vulnerable to Cross-Site Scripting (XSS). This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

ASA-2019-00252 – IBM Planning Analytics: Apache Derby XML External Entity (XXE) information disclosure

Apache Derby could allow a remote attacker to obtain sensitive information, caused by a XML external entity (XXE) error when processing XML data by the XML datatype and XmlVTI. An attacker could exploit this vulnerability to read arbitrary files on the system or cause a denial of service.

ASA-2019-00251 – IBM Planning Analytics: Bouncy Castle CBC information disclosure

Bouncy Castle could allow a remote attacker to obtain sensitive information, caused by the exposure of timing differences during padding check verification by the CBC ciphersuite of the Transport Layer Security (TLS) implementation. An attacker could exploit this vulnerability using a timing attack to recover the original plaintext and obtain sensitive information.