Vulnerability type: Cross-site Scripting & Redirect
Product: IBM Watson Cloud Computing SaaS (Cognea)
Credit: Jerold Hoong
The logout.jsp page function of the IBM Watson (Cognea) SaaS application is
vulnerable to reflected XSS and redirect attacks. The value of the Referer
HTTP header is directly referenced by the logout.jsp page and echoes the input
unmodified in to the applicationโs response.
PROOF OF CONCEPT (XSS)
PROOF OF CONCEPT (Redirect)
The logout.jsp page is vulnerable to unauthorised redirects.
TIMELINE
- 16/04/2015: Vulnerability found
- 17/04/2015: Vendor informed
- 08/04/2015: Vendor responded and acknowledged
- 03/06/2015: Vendor fixed the issue
- 04/06/2015: Public disclosure