CVE-2017-1591 IBM MQ Cross Site Scripting (XSS) Vulnerability (swg22009804)




IBM MQ is a message oriented middleware that allows independent and non-concurrent applications on a distributed system to communicate with each other. IBM MQ is vulnerable to Cross Site Scripting (XSS).

Affected Versions:
IBM MQ versions through
IBM MQ Continuous Delivery versions 9.0.1 through 9.0.3

QID Detection Logic: (Authenticated)
Operating Sytem: Linux
The QID runs the command “/opt/mqm/bin/dspmqver -v | grep -A3 ‘^Name'” and “/usr/mqm/bin/dspmqver -v | grep -A3 ‘^Name'” (for AIX only) to see if the system is running a vulnerable version of IBM MQ or not.

Operating System: Windows
The QID checks if the host is running a vulnerable version of IBM MQ by checking version of the file “bin\dspxmsver.exe”. The location of the file is determined via the registry key “HKLM\SOFTWARE\IBM\MQSeries\CurrentVersion” value “FilePath”.


An unauthenticated, remote attacker could exploit this vulnerability to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.


Please refer to IBM advisory SWG22009804 for further information.

Following are links for downloading patches to fix the vulnerabilities:


Leave a Reply