Access control input validation flaw vulnerability in IBM WebSphere Commerce Developer - CVE-2016-2863

Published: July 4, 2016


Vulnerability identifier: #VU81
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2016-2863
CWE-ID: CWE-122
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: IBM Corporation
Affected software:
IBM WebSphere Commerce Developer

Detailed vulnerability description

The vulnerability allows a remote attacker to conduct cross-site request forgery attacks.

The vulnerability exists due to an input validation error. A remote unauthenticated attacker can trick the victim into following a specially crafted link and take actions on the target system as the authenticated user.

IBM WebSphere Commerce Enterprise, Professional, Express, and Developer are affected.

Successful exploitation of this vulnerability may result in modification of user information.
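The mechanism described above is a classic cross-site request forgery: the victim's browser attaches the session cookie to a request the attacker composed, so the server cannot tell it from a legitimate one. The following is an added illustration of the standard defence (not IBM's code and not the content of APAR JR55776): a state-changing handler that refuses requests unless the Origin header matches the application's own origin and the request carries the per-session synchronizer token, which a third-party page cannot read. The application origin, the `Session`/`Request` models and the `update_profile` handler are constructed for this example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed stand-in for the application's own origin (assumption for this example).
APP_ORIGIN = "https://shop.example.com"


@dataclass
class Session:
    """Minimal server-side session; holds the per-session CSRF token."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Minimal HTTP request model (constructed for this example)."""
    method: str
    session: Optional[Session]
    origin: Optional[str] = None      # Origin header as sent by the browser
    form_token: Optional[str] = None  # hidden form field or X-CSRF-Token header


def is_state_changing(method: str) -> bool:
    """Only non-safe methods may change state; GET links must never do so."""
    return method.upper() not in ("GET", "HEAD", "OPTIONS")


def csrf_check(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason); reject cross-site state-changing requests."""
    if not is_state_changing(req.method):
        return True, "safe method"
    if req.session is None:
        return False, "no authenticated session"
    # 1. Origin check: a form posted from another site carries that site's origin.
    if req.origin is not None and req.origin != APP_ORIGIN:
        return False, f"origin mismatch: {req.origin}"
    # 2. Synchronizer token: must be present and equal to the session's token.
    #    compare_digest avoids leaking the token through timing differences.
    if not req.form_token:
        return False, "missing CSRF token"
    if not hmac.compare_digest(req.form_token, req.session.csrf_token):
        return False, "invalid CSRF token"
    return True, "ok"


def update_profile(req: Request, new_email: str, store: Dict[str, str]) -> Tuple[bool, str]:
    """A state-changing handler (modifies user information) guarded by the CSRF check."""
    allowed, reason = csrf_check(req)
    if not allowed:
        return False, reason
    store[req.session.user] = new_email
    return True, "profile updated"


def demo() -> dict:
    """Run one legitimate and one forged request against the handler."""
    store: Dict[str, str] = {}
    sess = Session(user="alice")
    # Legitimate request submitted from the application's own page.
    ok_req = Request("POST", sess, origin=APP_ORIGIN, form_token=sess.csrf_token)
    # Forged request: the victim's browser still sends the session cookie, but the
    # attacker's page cannot read the token and the browser reports its own origin.
    forged = Request("POST", sess, origin="https://attacker.example", form_token=None)
    return {
        "legit": update_profile(ok_req, "alice@new.example", store),
        "forged": update_profile(forged, "attacker@evil.example", store),
        "store": dict(store),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The two checks are deliberately independent: the Origin check catches the common case cheaply, and the token check still holds for clients that omit the Origin header. Both only matter because `is_state_changing` keeps GET requests side-effect free; an endpoint that modifies data on a plain link would bypass both.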

How to mitigate CVE-2016-2863

IBM has issued a fix (APAR JR55776).

Sources