The “Save/Export” function available on all search result displays (tabulated results) is potentially vulnerable to a Path Traversal type attack.
CVEID: CVE-2018-1847
DESCRIPTION: IBM Financial Transaction Manager (FTM) for Multi-Platform (MP) could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system.
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/150946> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)
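The traversal described above is the classic pattern: a request parameter naming the file to save or export is joined onto a server-side directory without canonicalising the result, so "../" walks out of that directory. The following is an added illustration, not code from IBM or from FTM's OAC: a hypothetical export handler shown in three forms (raw concatenation, a string blacklist on "..", and a canonical-path containment check), run against constructed payloads in a temporary directory so it executes offline. All file names, the directory layout and the resolver function names are assumptions for the example.

```python
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote

# Constructed sample layout (not FTM's real export directory):
#   <root>/exports/results.csv     the only file the export handler should serve
#   <root>/secret.properties       a file one level above that must stay unreachable
def make_export_root() -> Path:
    root = Path(tempfile.mkdtemp(prefix="ftm-export-"))
    (root / "exports").mkdir()
    (root / "exports" / "results.csv").write_text("id,amount\n1,100\n")
    (root / "secret.properties").write_text("db.password=hunter2\n")
    return root / "exports"


class PathTraversalError(ValueError):
    """Raised when a requested file name would resolve outside the export directory."""


def vulnerable_export_path(export_dir: Path, name: str) -> Path:
    # Hypothetical 'before' form: the request-supplied name is URL-decoded and
    # concatenated onto the export directory with no validation, so
    # "../secret.properties" walks out of it.
    return Path(str(export_dir) + os.sep + unquote(name))


def blacklist_export_path(export_dir: Path, name: str) -> Path:
    # Common half-fix: reject ".." in the raw parameter, then decode. Percent-encoding
    # the dots ("%2e%2e/") slips past the string check and still decodes to "../".
    if ".." in name:
        raise PathTraversalError(f"rejected {name!r}")
    return Path(str(export_dir) + os.sep + unquote(name))


def safe_export_path(export_dir: Path, name: str) -> Path:
    # Hardened form: decode once, canonicalise the *joined* path (collapsing "..",
    # following symlinks), then require the result to sit inside the canonical
    # export directory. This is a containment check on the filesystem path, not
    # a pattern match on the string.
    base = export_dir.resolve()
    candidate = (base / unquote(name)).resolve()
    if candidate != base and base not in candidate.parents:
        raise PathTraversalError(f"{name!r} resolves outside {base}")
    if not candidate.is_file():
        raise FileNotFoundError(candidate)
    return candidate


def read_export(export_dir: Path, name: str, resolver) -> str:
    """Serve an export file via the given path-resolution strategy."""
    return resolver(export_dir, name).read_text()


def demo() -> dict:
    """Exercise each resolver against a benign name and three traversal payloads."""
    export_dir = make_export_root()
    results = {}
    payloads = {
        "benign": "results.csv",
        "dotdot": "../secret.properties",
        "encoded_slash": "..%2Fsecret.properties",
        "encoded_dots": "%2e%2e/secret.properties",
    }
    for resolver in (vulnerable_export_path, blacklist_export_path, safe_export_path):
        for label, name in payloads.items():
            try:
                results[(resolver.__name__, label)] = read_export(export_dir, name, resolver)
            except PathTraversalError:
                results[(resolver.__name__, label)] = "BLOCKED"
    return results


if __name__ == "__main__":
    for (resolver, label), outcome in sorted(demo().items()):
        print(f"{resolver:24} {label:14} -> {outcome.strip()!r}")
```

Running `demo()` shows the raw-concatenation resolver serving `secret.properties` for every traversal payload, the ".." blacklist stopping the literal and slash-encoded forms but not the dot-encoded one, and the canonical containment check rejecting all three while still serving `results.csv`. The point for a fix like the one in this bulletin is that the decision must be made on the resolved path, after decoding, against the resolved base directory.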
Principal Product and Version(s)
Financial Transaction Manager for MP v2.0.0.0 through 2.0.0.5
Financial Transaction Manager for MP v2.1.0.0 through 2.1.0.4
Financial Transaction Manager for MP v2.1.1.0 through 2.1.1.4
Financial Transaction Manager for MP v3.0.0.0 through 3.0.0.8
Financial Transaction Manager for MP v3.2.0 and Financial Transaction Manager for MP v3.2.2 are not affected.
Customers are advised to download the latest version of Financial Transaction Manager from Fix Central (<https://www.ibm.com/support/home/>) to obtain the latest version of the OAC (Web UI).
The OAC from the latest versions of the product is supported against the latest fixpack levels of each of the affected Financial Transaction Manager releases (2.0.0.5, 2.1.0.4, 2.1.1.4 and 3.0.0.9).
Customers using Financial Transaction Manager for MP v3.0.0.x may prefer to upgrade to Financial Transaction Manager for MP v3.0.0.9.
| Principal Product and Version(s) | APAR | Remediation/First Fix |
|---|---|---|
| Financial Transaction Manager for MP v2.0.0.0 through 2.0.0.5 | PI88510 | 3.2.2.0-FTM-MP-iFix0002 |
| Financial Transaction Manager for MP v2.1.0.0 through 2.1.0.4 | PI88510 | 3.2.2.0-FTM-MP-iFix0002 |
| Financial Transaction Manager for MP v2.1.1.0 through 2.1.1.4 | PI88510 | 3.2.2.0-FTM-MP-iFix0002 |
| Financial Transaction Manager for MP v3.0.0.0 through 3.0.0.8 | PI88510 | 3.0.0-FTM-MP-fp0009 |
None