Key Vulnerability Information

Summary
CVE IDs: CVE-2016-2924, CVE-2016-2992
Affected Product: IBM InfoSphere BigInsights Web console
Vulnerability Type: Cross-site scripting (XSS)

Vulnerability Details

CVE-2016-2924
Description: Improper validation of user-supplied input allows remote attackers to execute script in a victim's Web browser.
CVSS Base Score: 5.4
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
Mitigation: Apply the latest DataServer Manager (DSM) v2.1.2 for BigInsights 4.2.

CVE-2016-2992
Description: Allows users to embed arbitrary JavaScript code in the Web UI, potentially leading to credentials disclosure.
CVSS Base Score: 5.4
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
Mitigation: Apply the latest DataServer Manager (DSM) v2.1.2 for BigInsights 4.2.

Affected Products and Versions
IBM BigInsights 4.2

Remediation/Fixes
Apply the latest DataServer Manager (DSM) v2.1.2 for BigInsights 4.2 using the appropriate RPM for the required operating system.

References
- Complete CVSS v2 Guide
- On-line Calculator v2
- Complete CVSS v3 Guide
- On-line Calculator v3

Related Information
- IBM Secure Engineering Web Portal
- IBM Product Security Incident Response Blog

Acknowledgement
Vulnerability discovered by Fortinet's FortiGuard Labs.

Change History
23 January 2017: Original Version Published

Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding responsibilities for assessing potential impact.