CVE-2021-38895: 
IBM Security Verify Access (formerly ISAM) vulnerability analysis and mitigation

IBM Security Verify 10.0.0, 10.0.1.0, and 10.0.2.0 is vulnerable to cross-site scripting (XSS). This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, potentially leading to credentials disclosure within a trusted session. The vulnerability was disclosed on January 10, 2022 (IBM Support).

The vulnerability has been assigned CVE-2021-38895 with a CVSS Base score of 3.0. The CVSS Vector is (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N), indicating that it requires network access, high attack complexity, low privileges, and user interaction. The vulnerability specifically affects the web interface of IBM Security Verify (IBM Support).

The vulnerability allows authenticated users to embed arbitrary JavaScript code in the Web UI, which could potentially lead to credentials disclosure within a trusted session. The impact is considered relatively low due to the high attack complexity and requirement for user interaction (IBM Support).

IBM has released fixes for the affected versions. For IBM Security Verify Access 10.0.0.0, users should upgrade to version 10.0.3-ISS-ISVA-FP0000. For container deployments, users should obtain the latest version of the container by running the command 'docker pull ibmcom/verify-access:[tag]' where [tag] is the latest published version (IBM Support).