
Rewterz Threat Advisory – Multiple IBM Cognos Analytics Vulnerabilities

Severity

Medium

Analysis Summary

CVE-2023-43051 CVSS: 5.4

IBM Cognos Analytics 11.1.7, 11.2.4, and 12.0.0 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, altering the intended functionality and potentially leading to credential disclosure within a trusted session.

CVE-2023-38359 CVSS: 6.1

IBM Cognos Analytics 11.1.7, 11.2.4, and 12.0.0 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, altering the intended functionality and potentially leading to credential disclosure within a trusted session.

CVE-2023-32344 CVSS: 4.3

IBM Cognos Analytics 11.1.7, 11.2.4, and 12.0.0 are vulnerable to form action hijacking, where it is possible to modify the form action to reference an arbitrary path.

CVE-2023-30996 CVSS: 5.3

IBM Cognos Analytics 11.1.7, 11.2.4, and 12.0.0 could be vulnerable to information leakage due to unverified sources in messages sent between Window objects of different origins.
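The weakness class behind CVE-2023-30996 is a `window.postMessage` listener that acts on a message without verifying where it came from. The following is an added example (not Rewterz's or IBM's code, and not the Cognos implementation) that places the weak listener beside a hardened one and shows the sender-side counterpart. The origins, message types and event objects are constructed placeholders so the logic runs under Node without a browser DOM.

```javascript
// Added example: origin verification for cross-window messaging.
// Origins and message shapes below are constructed for illustration.

const TRUSTED_ORIGINS = new Set([
  "https://reports.example.test",   // constructed placeholder origins
  "https://portal.example.test",
]);

// Weak pattern: trusts any sender. Any page that can obtain a reference to
// this window (an embedding page, a popup opener) can feed it data.
function weakHandler(event) {
  return { accepted: true, payload: event.data };
}

// Hardened pattern: exact origin allow-list, shape validation of the payload,
// a closed set of message types, and replies addressed only to the verified
// origin (never "*").
function hardenedHandler(event, allowed = TRUSTED_ORIGINS) {
  if (!allowed.has(event.origin)) {
    return { accepted: false, reason: "untrusted origin: " + event.origin };
  }
  const data = event.data;
  if (typeof data !== "object" || data === null || typeof data.type !== "string") {
    return { accepted: false, reason: "malformed message" };
  }
  const handlers = {
    "report:filter": (d) => ({ filter: String(d.value ?? "") }),
  };
  const fn = handlers[data.type];
  if (!fn) return { accepted: false, reason: "unknown type: " + data.type };
  return { accepted: true, payload: fn(data), replyTo: event.origin };
}

// Sender side: refuse the wildcard targetOrigin so report data or session
// material is never delivered to whatever page currently occupies the frame.
function safePost(targetWindow, message, targetOrigin) {
  if (targetOrigin === "*" || !TRUSTED_ORIGINS.has(targetOrigin)) {
    throw new Error("refusing to post to untrusted targetOrigin " + targetOrigin);
  }
  targetWindow.postMessage(message, targetOrigin);
  return targetOrigin;
}

// Constructed sample events mimicking the fields of a browser MessageEvent.
const fromTrusted = {
  origin: "https://reports.example.test",
  data: { type: "report:filter", value: "2024" },
};
const fromUntrusted = {
  origin: "https://other.example.test",
  data: { type: "report:filter", value: "x" },
};

console.log(weakHandler(fromUntrusted));       // accepted: true  (the weakness)
console.log(hardenedHandler(fromUntrusted));   // accepted: false
console.log(hardenedHandler(fromTrusted));     // accepted: true
```

In a real listener the same checks sit inside `window.addEventListener("message", ...)`; comparing `event.origin` against a fixed set is the mitigation, and a `startsWith` or substring comparison is not a substitute for an exact match.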

CVE-2022-34357 CVSS: 6.5

IBM Cognos Analytics Mobile Server 11.1.7, 11.2.4, and 12.0.0 is vulnerable to denial of service due to weak or absent rate limiting. By making unlimited HTTP requests, a single user can exhaust server resources over a period of time, making the service unavailable for other legitimate users.
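The mitigation for a weakness of the kind described for CVE-2022-34357 is a per-client request limiter at the proxy or in the application. The following is an added example (not Rewterz's or IBM's code) of a sliding-window limiter with an injected clock, so the effect of a flood from one client on that client and on an unrelated client can be reproduced deterministically. The limit, window and client identifiers are constructed values.

```javascript
// Added example: per-client sliding-window rate limiter.
// `limit` requests per `windowMs` milliseconds; time is passed in by the
// caller so the behaviour can be exercised without real sleeps.

function createRateLimiter({ limit, windowMs }) {
  const buckets = new Map(); // clientId -> timestamps (ms) of recent requests

  function allow(clientId, nowMs) {
    const cutoff = nowMs - windowMs;
    // Drop timestamps outside the window; keeps memory bounded per client.
    const times = (buckets.get(clientId) || []).filter((t) => t > cutoff);
    if (times.length >= limit) {
      // Oldest request in the window decides when capacity frees up.
      const retryAfterMs = times[0] + windowMs - nowMs;
      buckets.set(clientId, times);
      return { allowed: false, retryAfterMs };
    }
    times.push(nowMs);
    buckets.set(clientId, times);
    return { allowed: true, remaining: limit - times.length };
  }

  function forget(clientId) {
    buckets.delete(clientId);
  }

  return { allow, forget };
}

// Simulates one client firing `count` requests `intervalMs` apart and reports
// how many were admitted, how many were rejected, and the last Retry-After.
function simulate(limiter, clientId, count, intervalMs, startMs = 0) {
  let accepted = 0;
  let rejected = 0;
  let lastRetryAfterMs = null;
  for (let i = 0; i < count; i++) {
    const verdict = limiter.allow(clientId, startMs + i * intervalMs);
    if (verdict.allowed) {
      accepted++;
    } else {
      rejected++;
      lastRetryAfterMs = verdict.retryAfterMs;
    }
  }
  return { accepted, rejected, lastRetryAfterMs };
}

// Constructed scenario: 100 requests per minute allowed; one client sends
// 1000 requests 10 ms apart while a second client makes a single request.
const limiter = createRateLimiter({ limit: 100, windowMs: 60_000 });
const flood = simulate(limiter, "client-A", 1000, 10);
const bystander = limiter.allow("client-B", 10_000);
console.log(flood);      // accepted: 100, rejected: 900, lastRetryAfterMs: 50010
console.log(bystander);  // allowed: true, remaining: 99
```

The rejected verdict carries the value to put in a `Retry-After` header together with an HTTP 429; the client identifier should be the authenticated principal where one exists, falling back to the source address only for unauthenticated endpoints.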

Impact

  • Denial of Service
  • Gain Access
  • Information Gain
  • Cross-Site Scripting

Indicators Of Compromise

CVE

  • CVE-2023-43051
  • CVE-2023-38359
  • CVE-2023-32344
  • CVE-2023-30996
  • CVE-2022-34357

Affected Vendors

IBM

Affected Products

  • IBM Cognos Analytics 11.1.7
  • IBM Cognos Analytics 11.2.4
  • IBM Cognos Analytics 12.0.0

Remediation

Refer to the IBM Security Advisory for each CVE for patch, upgrade, or suggested workaround information.

  • CVE-2023-43051
  • CVE-2023-38359
  • CVE-2023-32344
  • CVE-2023-30996
  • CVE-2022-34357