Secunia Research has discovered some vulnerabilities in IBM Tivoli Storage Manager Client, which can be exploited by malicious people to conduct script insertion attacks. Certain input passed in HTTP requests to the CAD service is not properly sanitized before being logged. This can be exploited to insert arbitrary HTML and script code into dsmerror.log, which is executed in a user's browser session in context of the affected site when e.g. viewing the log file via the web-based interface using the "FILE" functionality of the CAD service.
277de8c11d9582d8e9b98a606bb24ac192a34dc0c97ab2267b159f9843c34e82