http://www-01.ibm.com/support/docview.wss?uid=swg2C1000316

https://exchange.xforce.ibmcloud.com/vulnerabilities/129404

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

(AV:N/AC:M/Au:N/C:N/I:P/A:N)

CWE-79

OR
     *cpe:2.3:a:ibm:mobilefirst_platform_foundation:6.3.0.0:*:*:*:*:*:*:*
     *cpe:2.3:a:ibm:mobilefirst_platform_foundation:7.0.0.0:*:*:*:*:*:*:*
     *cpe:2.3:a:ibm:mobilefirst_platform_foundation:7.1.0.0:*:*:*:*:*:*:*
     *cpe:2.3:a:ibm:mobilefirst_platform_foundation:8.0.0.0:*:*:*:*:*:*:*

OR
     *cpe:2.3:a:ibm:worklight:6.1.0.2:*:*:*:enterprise:*:*:*
     *cpe:2.3:a:ibm:worklight:6.2.0.1:*:*:*:enterprise:*:*:*

http://www-01.ibm.com/support/docview.wss?uid=swg2C1000316 No Types Assigned

http://www-01.ibm.com/support/docview.wss?uid=swg2C1000316 Vendor Advisory

https://exchange.xforce.ibmcloud.com/vulnerabilities/129404 No Types Assigned

https://exchange.xforce.ibmcloud.com/vulnerabilities/129404 VDB Entry, Vendor Advisory

IBM Worklight 6.1, 6.2, 6.3, 7.0, 7.1, and 8.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

A Reflected Cross Site Scripting (XSS) vulnerability exists in the authorization function exposed by RESTful Web Api of IBM Worklight Framework 6.1, 6.2, 6.3, 7.0, 7.1, and 8.0. The vulnerable parameter is "scope"; if you set as its value a "realm" not defined in authenticationConfig.xml, you get an HTTP 403 Forbidden response and the value will be reflected in the body of the HTTP response. By setting it to arbitrary JavaScript code it is possible to modify the flow of the authorization function, potentially leading to credential disclosure within a trusted session.