CVE-2022-22370: 
IBM Security Verify Access (formerly ISAM) vulnerability analysis and mitigation

IBM Security Verify Access versions 10.0.0.0 through 10.0.3.0 was found to contain a cross-site scripting (XSS) vulnerability. The vulnerability was disclosed on July 6, 2022, and assigned identifier CVE-2022-22370. This security flaw affects the Web UI component of the application, potentially exposing sensitive information during authenticated sessions (IBM Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium severity) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. This indicates that the vulnerability requires network access, low attack complexity, low privileges, and user interaction. The scope is changed, with low impact on confidentiality and integrity, but no impact on availability (NVD).

The vulnerability allows attackers to embed arbitrary JavaScript code in the Web UI, which can alter the intended functionality of the application. This could potentially lead to credentials disclosure within a trusted session, compromising user security (IBM Advisory).

IBM has released fixes for the affected versions. For ISAM/ISVA appliances version 10.0.0.0, users should upgrade to patch 10.0.4-ISS-ISVA-FP0000. For container deployments (Version 10.0.0.0), users should obtain the latest version of the container by running the command 'docker pull ibmcom/verify-access:[tag]' where [tag] is the latest published version. No workarounds are available for this vulnerability (IBM Advisory).