IBM Cognos Analytics and Transformer Cross-Site Scripting Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in IBM Cognos Analytics versions 11.2.0, 11.2.4, 12.0, and 12.1.0, as well as in IBM Cognos Transformer versions 11.2.4, 12.0, and 12.1.0. This vulnerability allows remote attackers to inject arbitrary JavaScript into the web user interface, potentially altering functionality and leading to credential disclosure within a trusted session.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where injected JavaScript is executed in the context of the user's session, potentially leading to credential theft.

Remediation

Users are advised to upgrade to IBM Cognos Analytics versions 11.2.4 Fix Pack 7, 12.0.4 Fix Pack 2, or 12.1.2. For IBM Cognos Transformer, upgrade to version 12.0, 11.2.4, or 12.1.0.