Rewterz Threat Advisory – Multiple IBM Cognos Analytics Vulnerabilities

Severity

Medium

Analysis Summary

CVE-2021-38909 

IBM Cognos Analytics 11.1.7 and 11.2.0 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, altering the intended functionality and potentially leading to credential disclosure within a trusted session.

CVE-2021-29867 

IBM Cognos Analytics 11.1.7 and 11.2.0 could allow an authenticated user to view or edit a Jupyter notebook that they should not have access to.

CVE-2021-29756 

IBM Cognos Analytics 11.1.7 and 11.2.0 are vulnerable to cross-site request forgery (CSRF) in the My Inbox page, which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.

CVE-2021-29719 

IBM Cognos Analytics 11.1.7 and 11.2.0 could be exposed to client-side attacks because a web response specifies an incorrect content type. A response whose declared Content-Type does not match its actual body (for example, attacker-influenced JSON served as text/html) can be rendered or MIME-sniffed by the browser in a way the application did not intend.
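The following is an added example, not code from IBM, Rewterz, or the IBM advisory. It is a generic audit for the class of weakness behind CVE-2021-29719 (a response declaring a content type that does not match its body, with no `X-Content-Type-Options: nosniff` to stop browser sniffing); it does not reproduce or test for that specific flaw. The sample responses are constructed inline, and the optional URL fetch in the `__main__` block is only a convenience for running the same checks against a live endpoint after patching.

```python
"""Audit HTTP responses for content-type handling weaknesses.

Added example, not IBM or Rewterz code. It flags the generic issue class
behind CVE-2021-29719: a declared Content-Type that disagrees with what the
body actually is, and a missing X-Content-Type-Options: nosniff header.
"""
import json
import re
import sys
import urllib.error
import urllib.request

# Cheap markers that the body is HTML; checked only on the first 2 KiB.
HTML_MARKERS = re.compile(rb"<\s*(html|script|body|!doctype)\b", re.IGNORECASE)


def sniff_body(body: bytes) -> str:
    """Rough guess at what the body really is: 'json', 'html' or 'other'."""
    stripped = body.lstrip()
    if stripped[:1] in (b"{", b"["):
        try:
            json.loads(stripped.decode("utf-8", errors="replace"))
            return "json"
        except ValueError:
            pass
    if HTML_MARKERS.search(body[:2048]):
        return "html"
    return "other"


def audit_response(headers: dict, body: bytes) -> list:
    """Return a list of findings for one response; an empty list means clean."""
    # HTTP header names are case-insensitive, so normalise them once.
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    declared = h.get("content-type", "").split(";", 1)[0].strip().lower()
    actual = sniff_body(body)

    if not declared:
        findings.append("Content-Type header missing")
    elif actual == "json" and declared != "application/json":
        # JSON rendered as HTML lets script inside string values execute.
        findings.append(f"JSON body declared as {declared}")
    elif actual == "html" and declared not in ("text/html", "application/xhtml+xml"):
        findings.append(f"HTML body declared as {declared}")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        # Without nosniff, browsers may second-guess the declared type.
        findings.append("X-Content-Type-Options: nosniff missing")
    return findings


# Constructed sample responses; not captured from any real Cognos instance.
SAMPLES = {
    "api_json_as_html": (
        {"Content-Type": "text/html; charset=UTF-8"},
        b'{"name": "<script>alert(1)</script>"}',
    ),
    "api_json_ok": (
        {"Content-Type": "application/json", "X-Content-Type-Options": "nosniff"},
        b'{"name": "report"}',
    ),
    "missing_ctype": (
        {},
        b"<html><body>hello</body></html>",
    ),
}


def fetch(url: str):
    """Fetch a URL and return (headers, body), keeping error responses too."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return dict(resp.headers.items()), resp.read()
    except urllib.error.HTTPError as err:
        return dict(err.headers.items()), err.read()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for url in sys.argv[1:]:
            print(url, audit_response(*fetch(url)))
    else:
        for name, (hdrs, body) in SAMPLES.items():
            print(name, audit_response(hdrs, body))
```

Run it with no arguments to see the findings for the constructed samples, or pass one or more URLs (a hypothetical `https://cognos.example/api/...`) to audit live responses. The body sniffing is deliberately simple; the point is to catch the mismatch pattern, not to be a full MIME sniffer.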

CVE-2021-29716 

IBM Cognos Analytics 11.1.7 and 11.2.0 could allow a low-privileged user to access areas of the application that only privileged users should be allowed to view.

CVE-2021-20493 

IBM Cognos Analytics 11.1.7 and 11.2.0 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, altering the intended functionality and potentially leading to credential disclosure within a trusted session.

CVE-2021-20470 

IBM Cognos Analytics 11.1.7 and 11.2.0 do not enforce strong passwords by default, which makes it easier for attackers to compromise user accounts.

Impact

  • Cross-Site Scripting
  • Privilege Escalation
  • Unauthorized Access
  • Information Disclosure

Affected Vendors

IBM

Affected Products

  • IBM Cognos Analytics 11.2.0
  • IBM Cognos Analytics 11.1.7

Remediation

Refer to the IBM Security Advisory for patch, upgrade, or suggested workaround information.

https://www.ibm.com/support/pages/node/6520510