Cybersecurity specialists reported the detection of multiple vulnerabilities in IBM Security QRadar SOAR. According to the report, successful exploitation of these flaws would allow attackers to deploy severe attack scenarios.
Below are brief descriptions of the reported flaws, together with their tracking identifiers and the scores assigned under the Common Vulnerability Scoring System (CVSS).
CVE-2021-41182: The insufficient sanitization of values passed as the `altField` option of the Datepicker widget would allow remote attackers to inject and run arbitrary JavaScript code in affected users’ browsers.
This is a medium severity flaw and received a CVSS score of 5.3/10.
CVE-2021-41183: The insufficient sanitization of user-supplied data when processing values of the various `*Text` options would allow remote attackers to pass specially crafted input to the library and thereby run arbitrary JavaScript code in affected users’ browsers.
This is a medium severity flaw and received a CVSS score of 5.3/10.
CVE-2021-41184: Insufficient sanitization of values passed to the `of` option would allow remote attackers to execute arbitrary JavaScript code in affected users’ browsers.
This is a medium severity flaw and received a CVSS score of 5.3/10.
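All three flaws share one root cause: an option value that the widget library (these CVEs belong to jQuery UI, which QRadar SOAR bundles) either handed to `$(value)`, where jQuery treats a string that begins with `<` and contains `>` as HTML markup rather than as a CSS selector, or inserted into the DOM as HTML instead of text. The following is an added defensive example, not code from IBM, jQuery UI or the original article. It models that distinction with a small guard for selector-typed options (`altField`, `of`) and an HTML escaper for label-typed options (the `*Text` family); the regular expression, function names and the sample option bags are constructed for this illustration and the `MARKER` strings are inert placeholders, not real payloads.

```javascript
// Added defensive example (not IBM's or jQuery UI's own code).
// jQuery(value) parses `value` as HTML when, after optional leading
// whitespace, it starts with "<" and contains ">" (an approximation of
// jQuery's own quick-match rule, constructed here for illustration).
const HTML_LIKE = /^\s*<[\s\S]+>/;

// Returns true when `value` would be parsed as markup by jQuery(value)
// instead of being used as a CSS selector.
function wouldBeParsedAsHtml(value) {
  return typeof value === "string" && HTML_LIKE.test(value);
}

// Guard for selector-typed options such as Datepicker `altField` or the
// position `of` option: a string must be a plain selector; DOM elements or
// jQuery objects (modelled here simply as non-strings) pass through.
function assertSelectorOption(name, value) {
  if (typeof value !== "string") return value;
  if (wouldBeParsedAsHtml(value)) {
    throw new TypeError(`${name}: HTML markup is not allowed, expected a CSS selector`);
  }
  return value;
}

// Minimal HTML escaper for label-typed options such as `closeText`,
// `prevText` and `nextText`: render them as text, never as markup.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Constructed sample option bags: one benign, one shaped like hostile input.
// MARKER is an inert placeholder standing in for attacker-controlled content.
const BENIGN = { altField: "#alternate-date", closeText: "Done", of: "#anchor" };
const HOSTILE = {
  altField: "<img src=x onerror=MARKER>",
  closeText: "<b>Done</b>",
  of: "  <div>MARKER</div>",
};

// Validates a Datepicker-style option bag before it reaches the widget.
// Returns { ok, rejected, rendered }: `rejected` lists selector options that
// would have been parsed as HTML, `rendered` holds the escaped *Text labels.
function sanitizeOptions(opts) {
  const rejected = [];
  for (const key of ["altField", "of"]) {
    if (key in opts) {
      try {
        assertSelectorOption(key, opts[key]);
      } catch (e) {
        rejected.push(key);
      }
    }
  }
  const rendered = {};
  for (const key of Object.keys(opts)) {
    if (key.endsWith("Text")) rendered[key] = escapeHtml(opts[key]);
  }
  return { ok: rejected.length === 0, rejected, rendered };
}

console.log(sanitizeOptions(BENIGN));   // ok: true, nothing rejected
console.log(sanitizeOptions(HOSTILE));  // ok: false, altField and of rejected
```

The benign bag passes untouched, while in the hostile bag both selector options are rejected and the `closeText` label is escaped to `&lt;b&gt;Done&lt;/b&gt;`, so none of the three injection paths reaches the DOM as markup. The same two rules (selector options must be selectors or element references; label options must be inserted as text) are what a patched widget library enforces, and they are worth applying to any application code that forwards user-controlled values into widget options.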
Even though these vulnerabilities can be exploited by remote, unauthenticated attackers over the Internet, there are no reports of active exploitation of the flaws described herein. Nonetheless, information security specialists recommend updating as soon as possible.