
Security Bulletin: IBM Cúram Social Program Management contains a stored cross-site scripting vulnerability (CVE-2018-1900)

2018-12-12 10:40:01
www.ibm.com

EPSS: 0.001 (Low), percentile 25.4%

Summary

A recent product penetration test identified that a stored cross-site scripting vulnerability exists in IBM Cúram Social Program Management. The issue relates to the rendering of some rich text fields if they pass through the same infrastructure, renderer, or converter where malicious content could be injected.

Vulnerability Details

CVEID: CVE-2018-1900
DESCRIPTION: IBM Cúram Social Program Management is vulnerable to cross-site scripting. The vulnerability enables users to embed arbitrary JavaScript code in the web user interface that alters the intended functionality and potentially leads to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/152529 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

IBM Cúram Social Program Management 7.0.2.0 - 7.0.4.0
IBM Cúram Social Program Management 7.0.0.0 - 7.0.1.0
IBM Cúram Social Program Management 6.2.0.0 - 6.2.0.6
IBM Cúram Social Program Management 6.1.0.0 - 6.1.1.6
IBM Cúram Social Program Management 6.0.5.0 - 6.0.5.10

Remediation/Fixes

Product | VRMF | Remediation/First Fix
---|---|---
Cúram SPM | 7.0.4 | Visit IBM Fix Central and upgrade to 7.0.4.0 iFix1 or a subsequent 7.0.4 release.
Cúram SPM | 7.0.1 | Visit IBM Fix Central and upgrade to 7.0.1.3 or a subsequent 7.0.1 release.
Cúram SPM | 6.2.0 | Visit IBM Fix Central and upgrade to 6.2.0.6 iFix2 or a subsequent 6.2.0 release.
Cúram SPM | 6.1.1 | Visit IBM Fix Central and upgrade to 6.1.1.6 iFix2 or a subsequent 6.1.1 release.
Cúram SPM | 6.0.5 | Visit IBM Fix Central and upgrade to 6.0.5.10 iFix4 or a subsequent 6.0.5.10 release.

Workarounds and Mitigations

For information about all other versions, contact IBM Cúram Social Program Management customer support.
