IBM Cognos Analytics Vulnerability Advisory: XXE, DoS, Privilege Escalation (CVE-2020-4377, CVE-2019-0205)

Critical Vulnerability Information Vulnerability Overview Product: IBM Cognos Analytics Affected Versions: 11.1, 11.0 Vulnerability Details CVE-2010-5312 - Description: Cross-site scripting (XSS) vulnerability in jQuery UI, caused by improper validation of user input - CVSS Base Score: 4.3 CVE-2019-0205 - Description: Denial of service vulnerability in Apache Thrift, caused by improper handling of untrusted Thrift payloads - CVSS Base Score: 7.5 CVE-2019-0210 - Description: Denial of service vulnerability in Apache Thrift, caused by out-of-bounds read when using TJSONProtocol or TSimpleJSONProtocol in Go - CVSS Base Score: 7.5 CVE-2020-4377 - Description: XML External Entity (XXE) injection vulnerability in IBM Cognos Analytics, occurring during XML data processing - CVSS Base Score: 8.2 CVE-2016-7103 - Description: Cross-site scripting (XSS) vulnerability in jQuery UI, caused by improper validation of user input in dialog functions - CVSS Base Score: 6.1 CVE-2019-4589 - Description: Privilege escalation vulnerability in IBM Cognos Analytics, where the "My Plans and Subscriptions" page is visible and accessible to users with lower privileges - CVSS Base Score: 4.6 CVE-2019-4366 - Description: Information disclosure vulnerability in IBM Cognos Analytics, allowing attackers to access cached browser data - CVSS Base Score: 2.9 Affected Products and Versions IBM Cognos Analytics 11.1 IBM Cognos Analytics 11.0 (versions prior to 11.0.13 FP2) Remediation Measures IBM Cognos Analytics 11.1.x: Install the available fix pack for affected versions as soon as possible - Download IBM Cognos Analytics 11.1.7.0 IBM Cognos Analytics 11.0.x: Only CVE-2016-7103 affects this version, and only for versions prior to IBM Cognos Analytics 11.0.13 FP2. It is recommended to upgrade to the latest available version of IBM Cognos Analytics 11.0.x - IBM Cognos Analytics 11.0.13 Fix Pack 3

Goal Reached Thanks to every supporter — we hit 100%!

IBM Cognos Analytics Vulnerability Advisory: XXE, DoS, Privilege Escalation (CVE-2020-4377, CVE-2019-0205)