IBM Tivoli Access Manager for e-business contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'method' parameter upon submission to the ibm/wpm/domain script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

Currently, there are no known workarounds or upgrades to correct this issue. However, IBM has released a patch to address this vulnerability.

• Security Tracker: 1024633
• CVE ID: 2010-4120 (see also: NVD)
• Secunia Advisory ID: 41974
• Bugtraq ID: 44382
• ISS X-Force ID: 62750
• Related OSVDB ID: 68884 68885 68887 68888 68889 68890 68891 68892 68893 68894
• VUPEN Advisory: ADV-2010-2774
• Vendor Specific News/Changelog Entry: http://www.ibm.com/support/docview.wss?uid=swg1IZ84918

• Not Available