## Summary
Multiple Security Vulnerabilities have been fixed in IBM Security Directory Server, IBM Security Directory Suite and IBM Security Verify Directory.
## Vulnerability Details
** CVEID: **[CVE-2016-3012]()
** DESCRIPTION: **IBM API Connect server credentials used for a specific restricted scenario may have been exposed in the toolkit.
CVSS Base score: 6.5
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/114275]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
** CVEID: **[CVE-2018-1838]()
** DESCRIPTION: **IBM WebSphere Application Server 8.5 and 9.0 in IBM Cloud could allow a remote attacker to obtain sensitive information caused by improper handling of passwords. IBM X-Force ID: 150811.
CVSS Base score: 5.3
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/150811]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)
** CVEID: **[CVE-2015-5041]()
** DESCRIPTION: **A flaw in the IBM J9 JVM allows code to invoke non-public interface methods under these circumstances. Untrusted code could potentially exploit this. This could lead to sensitive data being exposed to an attacker, or the attacker being able to inject bad data.
CVSS Base score: 4.8
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/106719]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
** CVEID: **[CVE-2020-11022]()
** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the jQuery.htmlPrefilter method. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181349]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
** CVEID: **[CVE-2012-6708]()
** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the jQuery(strInput) function. A remote attacker could exploit this vulnerability using the to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/138055]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
** CVEID: **[CVE-2019-11358]()
** DESCRIPTION: **jQuery, as used in Drupal core, is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to execute script in a victim’s Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/159633]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
** CVEID: **[CVE-2015-9251]()
** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/138029]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
** CVEID: **[CVE-2020-11023]()
** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the option elements. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181350]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
## Affected Products and Versions
Affected Product(s)| Version(s)
—|—
IBM Security Directory Server| 6.4.0
IBM Security Directory Suite VA| 8.0.1
IBM Security Verify Directory| 10.0.0
## Remediation/Fixes
**IBM strongly recommends that customers update their products at the earliest convenience.**
IBM Security Verify Directory Container:
docker pull icr.io/isvd/verify-directory-server:10.0.0.0 latest
docker pull icr.io/isvd/verify-directory-proxy:10.0.0.0 latest
docker pull icr.io/isvd/verify-directory-seed:10.0.0.0 latest
Affected Products and Versions| Fix Availability
—|—
IBM Security Directory Server 6.4.0| [interim fix: 6.4.0.27-ISS-ISDS-IF0027]()
IBM Security Directory Suite VA 8.0.1| [8.0.1.19-ISS-ISDS_20230118-0304]()
## Workarounds and Mitigations
None