Multiple vulnerabilities in IBM Security Access Manager

Published: 2018-01-12 13:11:50 | Updated: 2018-01-12 14:06:16
Severity: Low
Patch available: Yes
Number of vulnerabilities: 4
CVE IDs: CVE-2017-1533, CVE-2017-1534, CVE-2017-1459, CVE-2017-1478
CVSSv3 (one score per vulnerability, in the order of the sections below; each vector carries temporal metrics E:U/RL:O/RC:C):
1) 5.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
2) 5.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
3) 5.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
4) 2.9 [CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CWE IDs: CWE-79, CWE-601, CWE-264, CWE-200
Exploitation vector: Network (vulnerability 4 is local only, AV:L)
Public exploit: Not available
Vulnerable software: Security Access Manager
Vulnerable software versions: Security Access Manager 9.0.3.1, 9.0.4, 8.0.1.6 (further affected versions are not listed here)
Vendor: IBM Corporation

Security Advisory

1) Cross-site scripting (CVE-2017-1533, CWE-79)

Description

The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data before it is reflected into a page. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website. Exploitation requires user interaction (UI:R in the CVSS vector) but no privileges on the target.

Successful exploitation may allow a remote attacker to steal potentially sensitive information (session data, page content), change the appearance of the web page, and perform phishing and drive-by download attacks.
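As an added illustration, not IBM code and not a reproduction of the affected ISAM page, the following Python contrasts reflecting a URL parameter into HTML raw with HTML-encoding it for the context it lands in. The search page, the parameter name `q`, the hostname `isam.example` and the crafted link are constructed for the example.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed example: a search page that reflects its "q" parameter.
# Neither function is IBM code; they contrast raw reflection with
# context-appropriate HTML encoding.


def render_vulnerable(query: str) -> str:
    """Reflects the parameter without encoding (CWE-79): a quote in the input
    closes the attribute and a tag in the input becomes live markup."""
    return f'<input name="q" value="{query}"><p>Results for {query}</p>'


def render_hardened(query: str) -> str:
    """HTML-encodes the parameter before it lands in the page. quote=True also
    encodes " and ', which matters for the attribute context used here."""
    safe = html.escape(query, quote=True)
    return f'<input name="q" value="{safe}"><p>Results for {safe}</p>'


def query_from_link(url: str) -> str:
    """Recovers the value the victim's browser sends after following a link;
    percent-decoding happens here, just as it does in a real request parser."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def contains_live_script(page: str) -> bool:
    """Rough oracle for the example: does a <script tag survive into the output?"""
    return "<script" in page.lower()


# Constructed attacker link: the q value closes the attribute and injects a tag.
CRAFTED_LINK = (
    "https://isam.example/search?q="
    "%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E"
)

if __name__ == "__main__":
    q = query_from_link(CRAFTED_LINK)
    print("vulnerable:", render_vulnerable(q))
    print("hardened:  ", render_hardened(q))
```

Encoding is context-specific: `html.escape` is correct for element text and quoted attributes, but a value placed inside a script block, a URL, or an event handler needs the encoder for that context instead.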

Remediation

Install the update from the vendor's website (see the IBM advisory linked below).

External links

http://www-01.ibm.com/support/docview.wss?uid=swg22012327

2) Open redirect (CVE-2017-1534, CWE-601)

Description

The vulnerability allows a remote attacker to redirect the target user to an external website.

The vulnerability exists due to insufficient validation of an untrusted redirect target before the management console issues a redirect. A remote attacker can embed a crafted management console URL in a phishing message so that a user who follows it is first sent to the legitimate console and then redirected to a malicious site, lending the attacker's page the console's apparent credibility.
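The check that prevents this class of bug is validating the redirect target server-side and re-serialising it as a host-relative path instead of echoing the supplied value. The Python below is an added example, not IBM's code and not the console's actual logic; the console hostname `isam-admin.example.com`, the function name and the sample targets are assumptions for the illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumed hostname of the management console; not an IBM value.
CONSOLE_HOST = "isam-admin.example.com"


def safe_redirect_target(target: str, default: str = "/") -> str:
    """Return a redirect location confined to the console, or `default`.

    The value is never echoed back as received: it is parsed, checked and
    re-serialised as a host-relative path, so scheme-relative, backslash and
    userinfo variants cannot survive into the Location header.
    """
    if not target:
        return default

    # Browsers normalise backslashes to slashes in the authority area, so
    # "/\evil.example" must be treated exactly like "//evil.example".
    candidate = target.replace("\\", "/")
    # Browsers also drop tabs/newlines while parsing, so remove whitespace and
    # control characters first: "java\tscript:" must not pass as a path.
    candidate = "".join(c for c in candidate if c.isprintable() and not c.isspace())

    parts = urlsplit(candidate)
    # Only plain http(s) or scheme-less targets are acceptable.
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return default
    # Any authority component must be exactly the console host, with no
    # embedded credentials ("console@evil.example" has hostname evil.example).
    if parts.netloc:
        if parts.hostname != CONSOLE_HOST or parts.username is not None:
            return default

    # Re-serialise as a host-relative path; the original authority is dropped.
    path = parts.path if parts.path.startswith("/") else "/" + parts.path
    return urlunsplit(("", "", path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample targets, benign and hostile.
    for t in ["/dashboard?tab=1", "//evil.example/login", "/\\evil.example",
              "javascript:alert(1)", "https://isam-admin.example.com/pages/x",
              "https://isam-admin.example.com@evil.example/", "///evil.example"]:
        print(f"{t!r:48} -> {safe_redirect_target(t)!r}")
```

Rebuilding the location from parsed components is what makes the triple-slash case safe: a browser resolves `///evil.example` to an external host, but the function only ever emits the path it parsed, so the same input becomes the harmless local path `/evil.example`. An allow-list of permitted post-login paths is stricter still and is preferable where the set of legitimate targets is small.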

Remediation

Install the update from the vendor's website (see the IBM advisory linked below).

External links

http://www-01.ibm.com/support/docview.wss?uid=swg22008936

3) Security restrictions bypass (CVE-2017-1459, CWE-264)

Description

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to an incorrect permission check on a security-critical resource. A remote attacker can bypass the intended restrictions to access and modify that resource; the CVSS vector records no required privileges (PR:N) and no user interaction (UI:N).

Remediation

Install the update from the vendor's website (see the IBM advisory linked below).

External links

http://www-01.ibm.com/support/docview.wss?uid=swg22012331

4) Information disclosure (CVE-2017-1478, CWE-200)

Description

The vulnerability allows a local attacker to obtain potentially sensitive information.

The weakness exists due to an unspecified error. An attacker with local access (AV:L, PR:L) can obtain potentially sensitive information from copies of web pages stored locally on the target system.

Remediation

Install the update from the vendor's website (see the IBM advisory linked below).

External links

http://www-01.ibm.com/support/docview.wss?uid=swg22012323
