#VU81247 Improper Neutralization of Special Elements in Output Used by a Downstream Component in IBM Engineering Lifecycle Optimization - Publishing - CVE-2021-39028

Cybersecurity Help s.r.o.

Published: 2023-09-28

Vulnerability identifier: #VU81247

Vulnerability risk: Low

CVSSv4.0: 1.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-39028

CWE-ID: CWE-74

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
IBM Engineering Lifecycle Optimization - Publishing
Other software / Other software solutions

Vendor: IBM Corporation

Description

The vulnerability allows a remote user to perform various attacks.

The vulnerability exists due to improper validation of input by the HOST headers. A remote user can conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

IBM Engineering Lifecycle Optimization - Publishing: 6.0.6 - 7.0.2

External links
https://exchange.xforce.ibmcloud.com/vulnerabilities/213866
https://www.ibm.com/support/pages/node/6603347

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Improper neutralization of special elements in output used by a downstream component in  IBM CICS TX Advanced

Multiple vulnerabilities in IBM CICS TX Standard