IBM OpenPages HTML Injection Vulnerability Allowing Script Injection into Email Notifications

Vulnerability

A vulnerability allowing HTML injection has been identified in IBM OpenPages with Watson versions 8.3 and 9.0. This issue arises from inadequate validation of user-supplied input in text fields used to create workflow email notifications. A remote authenticated attacker could exploit this vulnerability by injecting HTML tags into a text field, which would then be executed as a script in the recipient's email client, within the context of the OpenPages email message. This could be leveraged for phishing or identity theft purposes.
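The flaw class described above, shown as an added example (not IBM's code and not part of the advisory): a notification builder that places a user-supplied field into an HTML email body verbatim, beside a version that escapes it on output. The template, function names, addresses and sample field value are assumptions constructed for illustration.

```python
import html
from email.message import EmailMessage
from html.parser import HTMLParser

# Hypothetical notification template and field values, constructed for this
# example; none of this is taken from OpenPages.
TEMPLATE = ("<html><body><p>Task <b>{title}</b> was assigned to you.</p>"
            "<p>Comment: {comment}</p></body></html>")
SAMPLE_COMMENT = '<a href="https://example.invalid/login">Sign in to review</a>'

def render_unsafe(title, comment):
    """Vulnerable pattern: user-supplied text goes into the HTML verbatim."""
    return TEMPLATE.format(title=title, comment=comment)

def render_safe(title, comment):
    """Hardened pattern: HTML-escape every user-supplied value on output."""
    return TEMPLATE.format(title=html.escape(title, quote=True),
                           comment=html.escape(comment, quote=True))

class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def tags_in(markup):
    """Start tags an HTML parser sees; extras over the template mean injection."""
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags

def build_notification(sender, recipient, title, comment):
    """Multipart message: plain-text part plus the escaped HTML alternative."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    # Collapse whitespace so CR/LF in a field cannot reach the header.
    msg["Subject"] = "Workflow task: " + " ".join(title.split())
    msg.set_content(f"Task {title} was assigned to you.\nComment: {comment}")
    msg.add_alternative(render_safe(title, comment), subtype="html")
    return msg

if __name__ == "__main__":
    print(tags_in(render_unsafe("Q3 review", SAMPLE_COMMENT)))
    print(tags_in(render_safe("Q3 review", SAMPLE_COMMENT)))
```

Comparing `tags_in()` of a rendered notification against the template's own tag list also works as a regression test for any field that feeds an email template.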

Impact

Exploitation of this vulnerability could lead to unauthorized script execution in the context of the victim's email client, potentially allowing for phishing attacks or identity theft.

Remediation

Users of IBM OpenPages 9.0 should upgrade to version 9.0 FixPack 5 or later. Users of IBM OpenPages 8.3 should upgrade to version 8.3 FixPack 3, followed by 8.3.03 Interim Fix 1. Instructions for downloading these updates are available on the IBM Support website.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 1.9
impact: 1.7
exploitability: 5.0
remediation: 7.7
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.