Reflected XSS in Worklight and MobileFirst Patched by IBM
August 6, 2017
Shah Sheikh (1294 articles)

Reflected XSS in Worklight and MobileFirst Patched by IBM

A cross-scripting vulnerability was discovered last year in two of IBM products, Worklight and MobileFirst. The vulnerability was recently fixed by IBM that could allow attackers to execute malicious JavaScript code in a victims’ browser to steal sensitive data.

A security consultant for Emaze Networks, Gabriele Gristina, discovered the vulnerability on August 29,2016 and it is a reflected XSS in the products OAuth Server’s Web API.

MobileFirst is a mobile application development platform that allows developers to build apps, how they look on different devices and how push notifications from apps are sent to the device.

The issue in the product was the framework did not validate the untrusted input from the GET parameter in the authorization function of the RESTful web API. The vulnerability could be easily exploited whereby an attacker just needs to append a payload to the original value present in the GET parameter “scope”.

IBM has released patches for the two products after the discovery of the exploitable vulnerability that would its customers data.

Source: threatpost