Research & Development
$ #


Stored cross-site scripting

6.4 (Medium)


IBM InfoSphere (Metadata Asset Manager)


Maciej Kaczorowski

IBM InfoSphere Information Server 11.7 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality, potentially exposing credentials within a trusted session.

Steps to reproduce:

  1. Go to the module „Metadata Asset Manager” and log in as administrator,
  2. Go to tab: „Administration” -> „Metadata Interchange Servers”,
  3. Click on the „New” button,
  4. In the field „Name” enter payload: <img src=x onerror=alert(document.domain)>,
  5. In the field „Host” enter any string of characters,
  6. Click on the „Save” button,
  7. To make the injected JavaScript code execute:
    • Click on the „Delete” button,
    • Go to the „Import” tab,
    • Click on the „New Import” button and then expand the list next to the field „Metadata interchange server”.
  • 25-01-2020 - Vulnerability reported to the vendor
  • 25-01-2020 - First response from the vendor
  • 18-08-2020 - Vulnerability acknowledged by the vendor
  • 03-09-2020 - Advisory published by IBM
  • 03-09-2020 - Public disclosure
  • 25-11-2021 - The PoC release