Vigil@nce - IBM SPSS Statistics: Cross Site Scripting of workingSet.jsp
January 2014 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can trigger a Cross Site Scripting attack in
workingSet.jsp of IBM SPSS Statistics, in order to execute
JavaScript code in the context of the web site.
Impacted products: SPSS Statistics
Severity: 2/4
Creation date: 06/01/2014
DESCRIPTION OF THE VULNERABILITY
The IBM SPSS Statistics product offers a web service.
However, the workingSet.jsp page does not filter the data received
in the "operation" parameter before inserting it into the generated
HTML documents.
An attacker can therefore trigger a Cross Site Scripting attack in
workingSet.jsp of IBM SPSS Statistics, in order to execute
JavaScript code in the context of the web site.
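
The missing filtering described above, next to a hardened form, as an added example (not IBM's code and not part of the original bulletin). It assumes the "operation" value is written into a quoted HTML attribute; the allowlist values, the class name and the method names are hypothetical.

```java
import java.util.Set;

// Added example, not IBM's code. The HTML context and operation names are assumptions.
public class OperationParamDemo {

    // Hypothetical allowlist: the bulletin does not list the values workingSet.jsp accepts.
    private static final Set<String> ALLOWED_OPERATIONS = Set.of("add", "remove", "list");

    /** Encode text for an HTML element body or a quoted attribute value. */
    static String htmlEncode(String input) {
        if (input == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    /** Pattern the bulletin describes: the parameter is concatenated into HTML as received. */
    static String renderUnfiltered(String operation) {
        return "<input type=\"hidden\" name=\"operation\" value=\"" + operation + "\">";
    }

    /** Hardened: fall back to a default outside the allowlist, and still encode on output. */
    static String renderHardened(String operation) {
        String safe = (operation != null && ALLOWED_OPERATIONS.contains(operation)) ? operation : "list";
        return "<input type=\"hidden\" name=\"operation\" value=\"" + htmlEncode(safe) + "\">";
    }

    public static void main(String[] args) {
        String constructed = "list\"><i>injected</i>"; // constructed sample input with markup characters
        System.out.println(renderUnfiltered(constructed)); // markup breaks out of the attribute
        System.out.println(renderHardened(constructed));   // value replaced by the default "list"
        System.out.println(htmlEncode(constructed));       // encoding alone keeps it inert text
    }
}
```

Validation and output encoding are applied together here so that a later change to the allowlist cannot reintroduce the unencoded write.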
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/IBM-SPSS-Statistics-Cross-Site-Scripting-of-workingSet-jsp-14018