#VU16636 Cross-site request forgery in IBM DataPower Gateway - CVE-2018-1661


Published: December 20, 2018


Vulnerability identifier: #VU16636
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-1661
CWE-ID: CWE-352
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
IBM DataPower Gateway
Software vendor:
IBM Corporation

Description

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim into visiting a specially crafted web page and, using the trust the website places in that user, execute unauthorized actions on the victim's behalf.
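The root cause stated above is a server that accepts state-changing requests without checking where they came from. The following is an added example, not IBM's or DataPower's code, of the two server-side checks that close that gap: an allowlist match on the Origin header (falling back to Referer) and a constant-time comparison of a per-session synchronizer token. The allowed origin, header values and token values are constructed for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed allowlist for the example; a real deployment lists its own UI origins.
ALLOWED_ORIGINS = {"https://gateway.example.test"}


def new_session_token():
    """Generate an unpredictable per-session CSRF token (stored server-side)."""
    return secrets.token_urlsafe(32)


def request_origin(headers):
    """Return scheme://host[:port] from Origin, else derived from Referer, else None.

    A value of 'null' (sent for opaque origins) is returned as-is and will fail
    the allowlist check, which is the desired outcome.
    """
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    if origin:
        return origin.strip().lower()
    referer = h.get("referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}".lower()
    return None


def is_trusted_request(method, headers, form_token, session_token,
                       allowed=ALLOWED_ORIGINS):
    """Decide whether a request may perform a state change.

    Safe methods are allowed through because they must not change state.
    Everything else needs (1) an Origin/Referer on the allowlist and
    (2) a submitted token that matches the one bound to the session.
    """
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True
    origin = request_origin(headers)
    if origin is None or origin not in allowed:
        # Cross-site or origin-less request: reject before looking at the token.
        return False
    if not form_token or not session_token:
        return False
    # Constant-time comparison avoids leaking the token through timing.
    return hmac.compare_digest(form_token, session_token)


if __name__ == "__main__":
    tok = new_session_token()
    print(is_trusted_request("POST", {"Origin": "https://gateway.example.test"}, tok, tok))
    print(is_trusted_request("POST", {"Origin": "https://attacker.example.test"}, tok, tok))
```

Both checks are applied together: the origin check stops a forged cross-site form even when a token leaks, and the token check stops a same-origin request that was not produced by the server's own page.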


Remediation

Install update from vendor's website:
IBM DataPower Gateway 7.6.0.10 IT26364 Install the fix pack.
IBM DataPower Gateway 7.5.2.17 IT26364 Install the fix pack.
IBM DataPower Gateway 7.5.1.17 IT26364 Install the fix pack.
IBM DataPower Gateway 7.5.0.18 IT26364 Install the fix pack.

External links