SB2024060322 - Multiple vulnerabilities in IBM Edge Application Manager

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2024060322

SB2024060322 - Multiple vulnerabilities in IBM Edge Application Manager

Published: June 3, 2024

Security Bulletin ID SB2024060322
Severity
High
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 50% Medium 50%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.


1) Open redirect (CVE-ID: CVE-2024-29041)

The vulnerability allows a remote attacker to redirect victims to arbitrary URL.

The vulnerability exists due to improper sanitization of user-supplied data in malformed URLs. A remote attacker can create a link that leads to a trusted website, however, when clicked, redirects the victim to arbitrary domain.

Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.


2) Prototype pollution (CVE-ID: CVE-2024-27307)

The vulnerability allows a remote attacker to execute arbitrary JavaScript code.

The vulnerability exists due to malicious expression can use the transform operator to override properties on the `Object` constructor and prototype.. A remote attacker can pass specially crafted input to the application and perform prototype pollution, which can result in denial of service, remote code execution or other unexpected behavior in applications that evaluate user-provided JSONata expressions.


Remediation

Install update from vendor's website.

References