CVE-2022-34358: 
NixOS vulnerability analysis and mitigation

IBM i versions 7.2, 7.3, 7.4, and 7.5 were found to be vulnerable to cross-site scripting (CVE-2022-34358) in the Digital Certificate Manager web application. The vulnerability was discovered in July 2022 and allows users to embed arbitrary JavaScript code in the Web UI, potentially leading to credentials disclosure within a trusted session (IBM Support).

The vulnerability has a CVSS Base score of 5.4 with vector CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. This indicates that the vulnerability requires network access, low attack complexity, low privileges, and user interaction. The scope is changed with low impact on confidentiality and integrity, but no impact on availability (IBM Support).

The vulnerability allows attackers to embed arbitrary JavaScript code in the Web UI, which could alter the intended functionality and potentially lead to credentials disclosure within a trusted session. This poses a security risk particularly in the context of the Digital Certificate Manager application (IBM Support).

IBM has released PTF fixes for all affected versions (7.2, 7.3, 7.4, and 7.5). Additionally, IBM recommends not using the heritage version of Digital Certificate Manager and instead using the new IBM Digital Certificate Manager for i user interface by accessing http://systemname:2001/dcm. PTFs are also available to disable the heritage version of Digital Certificate Manager for versions 7.3, 7.4, and 7.5 (IBM Support).