Header injection in HTTP responses can allow HTTP response splitting, session fixation via the Set-Cookie header, cross-site scripting (XSS), and malicious redirect attacks via the Location header in Maximo Asset Management and SmartCloud Control Desk.
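The general weakness class named above, shown as an added example next to a hardened form. This is not IBM's code or the Maximo fix, and the bulletin does not describe the affected code path. All function names and the sample parameter are hypothetical and constructed for illustration.

```python
import re

# CR, LF and NUL must never appear in a header name or value (RFC 9110 field syntax).
_FORBIDDEN = re.compile(r"[\r\n\x00]")


class HeaderInjectionError(ValueError):
    pass


def serialize_unsafe(status, headers):
    """'Before' form: header values are written to the wire unchecked."""
    lines = [f"HTTP/1.1 {status}"] + [f"{k}: {v}" for k, v in headers]
    return "\r\n".join(lines) + "\r\n\r\n"


def serialize_safe(status, headers):
    """Hardened form: refuse any name or value carrying CR, LF or NUL."""
    for name, value in headers:
        if _FORBIDDEN.search(name) or _FORBIDDEN.search(value):
            raise HeaderInjectionError(f"control character in header {name!r}")
    return serialize_unsafe(status, headers)


def header_names(raw):
    """Header names a client would parse from the head of a raw response."""
    head = raw.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0] for line in head.split("\r\n")[1:] if ":" in line]


def safe_redirect_target(target, allowed_paths):
    """Only redirect to a known same-site path; anything else falls back to '/'."""
    return target if target in allowed_paths else "/"


# Constructed input: a request parameter copied into the Location header.
CONSTRUCTED_PARAM = "/home\r\nSet-Cookie: SESSIONID=fixed-by-sender"

if __name__ == "__main__":
    raw = serialize_unsafe("302 Found", [("Location", CONSTRUCTED_PARAM)])
    print(header_names(raw))  # the unchecked value yields a second header
    try:
        serialize_safe("302 Found", [("Location", CONSTRUCTED_PARAM)])
    except HeaderInjectionError as exc:
        print("rejected:", exc)
```

Rejecting the control characters at the point where headers are serialized covers every header at once, while the allowlist in `safe_redirect_target` separately limits where a Location header may point.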
Affected product(s) and affected version(s):
1. Maximo Asset Management 7.5
2. Maximo Asset Management Essentials 7.5
3. Maximo for Government 7.5
4. Maximo for Nuclear Power 7.5
5. Maximo for Transportation 7.5
6. Maximo for Life Sciences 7.5
7. Maximo for Oil and Gas 7.5
8. Maximo for Utilities 7.5
9. SmartCloud Control Desk 7.5
It is likely that earlier versions of affected products are also affected by these vulnerabilities. Remediation is not provided for product versions that are no longer supported. IBM recommends that customers upgrade to the latest supported version of products in order to obtain remediation for the vulnerabilities.
Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21678798
X-Force Database: http://xforce.iss.net/xforce/xfdb/93065