Security Bulletin: A page in IBM Curam Universal Access contains a risk of Sensitive Information Exposure(CVE-2014-4804)

Summary

It may be possible for a remote attacker to access sensitive information about a user and associated data via a single page in IBM Curam Universal Access.

Vulnerability Details

CVEID:CVE**-2014-4804**

It may be possible for a remote attacker to access sensitive information via a particular page in IBM Curam Universal Access. In default configuration this is not possible, however, if the page has been customized to include SPI then this SPI would be at risk.

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/95306 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Products and Versions

Cúram Social Program Management
5.2
6.0 SP2
6.0.4.5
6.0.5.4
6.0.5.5

Remediation/Fixes

Product

| VRMF | Remediation/First Fix
—|—|—
Cúram SPM | 5.2 | Visit IBM Fix Central and upgrade to 5.2 SP6 EP6 or a later interim fix level.
Cúram SPM | 6.0 SP2 | Visit IBM Fix Central and upgrade to 6.0 SP2 EP26 or a later interim fix level.
Cúram SPM | 6.0.4.5 | Visit IBM Fix Central and upgrade to 6.0.4.5 iFix007 or a later interim fix level.
Cúram SPM | 6.0.5.4 | Visit IBM Fix Central and upgrade to 6.0.5.4 iFix005 or a later interim fix level.
Cúram SPM | 6.0.5.5 | Visit IBM Fix Central and upgrade to 6.0.5.5 iFix 003 or a later interim fix level.