Reflected XSS in Worklight and MobileFirst Patched by IBM
Gabriele Gristina, a security consultant at Emaze Networks, discovered the vulnerability on August 29, 2016. It is a reflected cross-site scripting (XSS) flaw in the products' OAuth Server web API.
MobileFirst is a mobile application development platform that lets developers build apps, control how they render on different devices, and manage how push notifications are delivered from apps to the device.
The root cause was that the framework did not validate the untrusted value of a GET parameter handled by the authorization function of the RESTful web API. Exploitation is straightforward: an attacker only needs to append a script payload to the legitimate value of the "scope" GET parameter, and the server reflects it back into the response unescaped, so any victim who follows the crafted authorization link runs the attacker's script in the context of the OAuth server's origin.
IBM has released patches for both products following the discovery of the vulnerability, which could have exposed its customers' data to anyone able to lure a user onto a crafted authorization URL.