Cross-site request forgery in IBM DataPower Gateway - CVE-2018-1661


Published: December 20, 2018


Vulnerability identifier: #VU16636
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-1661
CWE-ID: CWE-352
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: IBM Corporation
Affected software:
IBM DataPower Gateway

Detailed vulnerability description

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists because the affected application does not sufficiently verify the origin of HTTP requests that change state. A remote attacker can trick an authenticated victim into visiting a specially crafted web page; the victim's browser then submits the forged request together with the victim's session credentials, and the application executes unauthorized actions with the victim's privileges.


How to mitigate CVE-2018-1661

Install the update from the vendor's website. The fix is delivered as APAR IT26364 in the following fix packs:

Product                  Fixed version   APAR      Remediation
IBM DataPower Gateway    7.6.0.10        IT26364   Install the fix pack.
IBM DataPower Gateway    7.5.2.17        IT26364   Install the fix pack.
IBM DataPower Gateway    7.5.1.17        IT26364   Install the fix pack.
IBM DataPower Gateway    7.5.0.18        IT26364   Install the fix pack.
