Vulnerability Details : CVE-2014-8917
Multiple cross-site scripting (XSS) vulnerabilities in (1) dojox/form/resources/uploader.swf (aka upload.swf), (2) dojox/form/resources/fileuploader.swf (aka fileupload.swf), (3) dojox/av/resources/audio.swf, and (4) dojox/av/resources/video.swf in the IBM Dojo Toolkit, as used in IBM Social Media Analytics 1.3 before IF11 and other products, allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Vulnerability category: Cross site scripting (XSS)
Exploit prediction scoring system (EPSS) score for CVE-2014-8917
Probability of exploitation activity in the next 30 days: 0.39%
Percentile (the proportion of vulnerabilities scored at or below this value): ~70%
CVSS scores for CVE-2014-8917
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source
---|---|---|---|---|---
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST
CWE ids for CVE-2014-8917
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2014-8917
- http://www.securityfocus.com/bid/72903
  Dojo Toolkit CVE-2014-8917 Multiple Cross Site Scripting Vulnerabilities
- https://exchange.xforce.ibmcloud.com/vulnerabilities/99303
  IBM Dojo Toolkit cross-site scripting CVE-2014-8917 Vulnerability Report
- http://www-01.ibm.com/support/docview.wss?uid=swg21696013
  IBM Security Bulletin: IBM Financial Transaction Manager affected by IBM Dojo Toolkit is vulnerable to cross-site scripting (CVE-2014-8917) (Vendor Advisory)
- http://www.securitytracker.com/id/1032376
  IBM Domino Buffer Overflows Let Remote Users Execute Arbitrary Code and Input Validation Flaw Permits Cross-Site Scripting Attacks - SecurityTracker
- http://www-01.ibm.com/support/docview.wss?uid=swg21694693
  IBM: A Security vulnerability in the IBM Dojo Toolkit affects IBM Social Media Analytics (CVE-2014-8917) (Patch; Vendor Advisory)
Products affected by CVE-2014-8917
- cpe:2.3:a:ibm:social_media_analytics:*:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:financial_transaction_manager:2.0.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:financial_transaction_manager:2.1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:financial_transaction_manager:2.0.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:financial_transaction_manager:2.0.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:financial_transaction_manager:2.1.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:financial_transaction_manager:2.1.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:financial_transaction_manager:2.1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:financial_transaction_manager:2.0.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:financial_transaction_manager:2.1.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:financial_transaction_manager:3.0.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:financial_transaction_manager_for_check_services:2.1.1.8:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:financial_transaction_manager_for_corporate_payment_services:2.1.1.0:*:*:*:*:*:*:*