Vulnerability CVE-2017-1739
Published: 2018-01-11

Description:
IBM Curam Social Program Management 6.0.5, 6.1.1, 6.2.0, and 7.0.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 134921.

Type:

CWE-79

 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))

Vendor: IBM
Product: Curam social program management 
Version:
7.0.1.1
7.0.1.0
7.0.0.2
7.0.0.1
7.0.0.0
6.2.0.6
6.2.0.5
6.2.0.4
6.2.0.3
6.2.0.2
6.2.0.1
6.2.0.0
6.1.1.6
6.1.1.5
6.1.1.4
6.1.1.3
6.1.1.2
6.1.1.1
6.1.1.0
6.1.0.5
6.1.0.4
6.1.0.3
6.1.0.2
6.1.0.1
6.1.0.0
6.0.5.9
6.0.5.8
6.0.5.7
6.0.5.6
6.0.5.5
6.0.5.4
6.0.5.3
6.0.5.2
6.0.5.10
6.0.5.1
6.0.5.0

CVSS2 => (AV:N/AC:M/Au:S/C:N/I:P/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
3.5/10
2.9/10
6.8/10
Exploit range
Attack complexity
Authentication
Remote
Medium
Single time
Confidentiality impact
Integrity impact
Availability impact
None
Partial
None

 References:
http://www.ibm.com/support/docview.wss?uid=swg22012366
http://www.securityfocus.com/bid/102492
https://exchange.xforce.ibmcloud.com/vulnerabilities/134921

Related CVE
CVE-2019-4465
 IBM Cloud Pak System 2.3 and 2.3.0.1 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 163774.
CVE-2019-4406
 IBM Spectrum Protect Backup-Archive Client 7.1 and 8.1 may be vulnerable to a denial of service attack due to a timing issue between client and server TCP/IP communications. IBM X-Force ID: 162477.
CVE-2018-2025
 IBM Spectrum Protect Backup-Archive Client and IBM Spectrum Protect for Virtual Environments 7.1 and 8.1 creates directories/files in the CIT sub directory that are read/writable by everyone. IBM X-Force ID: 155551.
CVE-2019-4214
 IBM SmartCloud Analytics 1.3.1 through 1.3.5 does not set the secure attribute on authorization tokens or session cookies. This could allow an attacker to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 159185.
CVE-2019-4215
 IBM SmartCloud Analytics 1.3.1 through 1.3.5 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's cl...
CVE-2019-4530
 IBM Maximo Asset Management 7.6, 7.6.1, and 7.6.1.1 could allow an authenticated user to delete a record that they should not normally be able to. IBM X-Force ID: 165586.
CVE-2019-4561
 IBM Security Identity Manager 6.0.0 could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of untrusted data. By persuading a victim to visit a specially crafted Web site, an attacker could exploit this v...
CVE-2019-4216
 IBM SmartCloud Analytics 1.3.1 through 1.3.5 is vulnerable to possible host header injection attack that could lead to HTTP cache poisoning or firewall bypass. IBM X-Force ID: 159187.
Copyright 2019, cxsecurity.com

 

Back to Top