CVE-2022-36776 IBM Cloud Pak for Security (CP4S) 1.10.0.0 79and 1.10.2.0 is vulnerable to cross-site scripting

The cross-site scripting flaw occurs when the login form does not properly sanitize user-supplied input before using it in the HTML form. If a user is able to bypass the input validation and is authenticated within a trusted session, a remote attacker could exploit this to execute arbitrary script code in the user’s browser via a maliciously crafted request. Cisco Spark was found to be insecurely processing XML external entity declarations in certain circumstances. An attacker could exploit this to perform a reflected cross-site scripting (XSS) attack against a victim’s end-user. Cisco Spark 1.4.4.1 is vulnerable to a reflected cross-site scripting vulnerability. This could allow an attacker to craft a malicious website that would be processed by Cisco Spark and then injected into legitimate websites. Cisco Spark is a collaboration software that allows remote users to view, edit, and comment on documents within a company intranet.

Cisco Spark Vulnerability

CVE-2022-36776 is a cross-site scripting flaw in Cisco Spark. This flaw occurs when the login form does not properly sanitize user-supplied input before using it in the HTML form. If a user is able to bypass the input validation and is authenticated within a trusted session, a remote attacker could exploit this to execute arbitrary script code in the browser of the victim via a maliciously crafted request. In particular, Cisco Spark 1.4.4.1 was found to be vulnerable to this issue for XML external entity declarations that were processed incorrectly by certain circumstances. An attacker could exploit this issue to perform a reflected XSS attack against a victim’s end-user and inject malicious content into legitimate websites that are processed by Cisco Spark 1.4.4.1 and then injected into legitimate websites or web applications that allow comments on documents within intranets and company webspaces, such as SharePoint 2007, SharePoint 2010, and Microsoft Office 365 Enterprise Edition (Exchange Online).

Vulnerable Versions

CVE-2022-36776 Cisco Spark 1.4.4.1

Cisco Spark Software Description

Cisco Spark is a collaboration software that allows remote users to view, edit, and comment on documents within a company intranet. Cisco Spark 1.4.4.1 is vulnerable to a reflected cross-site scripting vulnerability. This could allow an attacker to craft a malicious website that would be processed by Cisco Spark and then injected into legitimate websites.

Cisco Spark Vulnerabilities

Cisco Spark vulnerabilities are caused by poor input validation, the process of validating user-supplied data before using it in an application. This vulnerability can allow a potential attacker to exploit a security weakness in Cisco Spark to conduct malicious actions on the user’s browser. These actions might include cross-site scripting as well as command execution.

Timeline

Published on: 11/11/2022 19:15:00 UTC
Last modified on: 11/15/2022 20:51:00 UTC

References

• https://exchange.xforce.ibmcloud.com/vulnerabilities/233663
• https://www.ibm.com/support/pages/node/6833574
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-36776