IBM Verify Identity Access and IBM Security Verify Access Cross-Site Scripting Vulnerability

Vulnerability

A cross-site scripting vulnerability has been identified in IBM Verify Identity Access Container versions 11.0 through 11.0.2, IBM Security Verify Access Container versions 10.0 through 10.0.9.1, IBM Verify Identity Access versions 11.0 through 11.0.2, and IBM Security Verify Access versions 10.0 through 10.0.9.1. The vulnerability arises because certificate listings retrieved via a browser session return a JSON payload while incorrectly declaring the response Content-Type as text/html. Because the browser trusts the declared type, it can render the JSON body as an HTML document under certain conditions, so any markup or script contained in the data is interpreted rather than treated as inert text, creating an opportunity for JavaScript injection and potentially allowing for cross-site scripting attacks.
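The condition described above is detectable from the response alone: a body that parses as JSON while the Content-Type header says text/html. The following check is an added example written for this page, not code from IBM or from the affected products. It assumes nothing about the product's endpoints; the header dictionaries and the certificate-listing bodies it inspects are constructed samples. Alongside the mismatch it also reports a missing X-Content-Type-Options: nosniff header, the standard defence that stops browsers from second-guessing a declared type.

```python
import json

# Media types under which a JSON body is correctly declared.
JSON_MEDIA_TYPES = ("application/json", "application/problem+json")


def _header(headers, name):
    """Case-insensitive header lookup; returns the value or None."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _media_type(content_type):
    """Drop parameters such as '; charset=utf-8' and normalise the media type."""
    if content_type is None:
        return None
    return content_type.split(";", 1)[0].strip().lower()


def _looks_like_json(body):
    """True when the body parses as a JSON object or array."""
    try:
        parsed = json.loads(body)
    except (ValueError, TypeError):
        return False
    return isinstance(parsed, (dict, list))


def assess_response(headers, body):
    """Return a list of findings for one HTTP response (empty list means clean).

    Findings:
      json-body-declared-as-text/html  - the condition in the advisory above
      json-body-with-non-json-type     - JSON served under some other wrong type
      missing-nosniff                  - no X-Content-Type-Options: nosniff header
    """
    findings = []
    media = _media_type(_header(headers, "Content-Type"))
    is_json = _looks_like_json(body)

    if is_json and media == "text/html":
        findings.append("json-body-declared-as-text/html")
    elif is_json and media not in JSON_MEDIA_TYPES:
        findings.append("json-body-with-non-json-type")

    nosniff = (_header(headers, "X-Content-Type-Options") or "").strip().lower()
    if nosniff != "nosniff":
        findings.append("missing-nosniff")
    return findings


# Constructed sample: a certificate listing served the way the advisory describes.
# The subject field carries markup purely to show what a browser would render
# if it treated this body as HTML; it is inert under a correct Content-Type.
LISTING_BODY = json.dumps([
    {"label": "server-cert", "subject": "CN=example.test <b>rendered</b>"},
    {"label": "ca-cert", "subject": "CN=Example Root CA"},
])

WEAK_HEADERS = {
    "Content-Type": "text/html; charset=UTF-8",
}

# Hardened form: correct media type plus nosniff so the declared type is final.
HARDENED_HEADERS = {
    "Content-Type": "application/json; charset=UTF-8",
    "X-Content-Type-Options": "nosniff",
}


def compare_samples():
    """Assess both constructed responses; handy for a quick manual run."""
    return {
        "weak": assess_response(WEAK_HEADERS, LISTING_BODY),
        "hardened": assess_response(HARDENED_HEADERS, LISTING_BODY),
    }


if __name__ == "__main__":
    for name, findings in compare_samples().items():
        print(f"{name}: {findings or 'no findings'}")
```

The same function can be pointed at captured responses from a proxy or from a test client: feed it the header map and body of each JSON endpoint and treat any non-empty result as a regression. The elif branch generalises beyond the advisory's text/html case to any non-JSON media type, since the same rendering risk applies whenever a browser is told a JSON body is something else.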

Impact

Exploitation of this vulnerability could lead to cross-site scripting, allowing an attacker to inject malicious scripts that could be executed in the context of the user's browser.

Remediation

Users are encouraged to update to IBM Verify Identity Access v11.0.2 IF1 or IBM Security Verify Access v10.0.9.1 IF1. For container users, the latest version can be downloaded from the IBM Security Verify Access documentation site.

Added: Apr 1, 2026, 9:24 PM
Updated: Apr 1, 2026, 9:24 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 1.7
exploitability: 6.8
remediation: 7.7
relevance: 5.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.