AI Score: 7.1 High (Confidence: Low)

CVSS2: 9.3 High
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

EPSS: 0.009 Low (Percentile: 82.2%)

IBM Tivoli Endpoint Manager Mobile Device Management (MDM) before 9.0.60100 uses the same secret HMAC token across different customers’ installations, which allows remote attackers to execute arbitrary code via crafted marshalled Ruby objects in cookies to (1) Enrollment and Apple iOS Management Extender, (2) Self-service portal, (3) Trusted Services provider, or (4) Admin Portal.
packetstormsecurity.com/files/129349/IBM-Endpoint-Manager-For-Mobile-Devices-Code-Execution.html
seclists.org/fulldisclosure/2014/Dec/3
www-01.ibm.com/support/docview.wss?uid=swg21691701
www.securityfocus.com/archive/1/534131/100/0/threaded
www.securityfocus.com/bid/71424
www.securitytracker.com/id/1031306
www.redteam-pentesting.de/en/advisories/rt-sa-2014-012/-unauthenticated-remote-code-execution-in-ibm-endpoint-manager-mobile-device-management-components