Lucene search

K
ibmIBM3BC9A05A5784FBDECC2F8733093B6FE3E6C1CDA7DAC045B259D8DAD20FBBE54A
HistorySep 21, 2023 - 9:50 a.m.

Security Bulletin: Vulnerabilities in CKEditor library affects IBM Engineering Test Management (ETM) (CVE-2021-32809, CVE-2021-37695)

2023-09-2109:50:25
www.ibm.com
7

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

3.5 Low

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

0.002 Low

EPSS

Percentile

60.5%

Summary

This Security Vulnerablity has been addressed in IBM Engineering Test Management. A fix is available to address the vulnerability.

Vulnerability Details

CVEID:CVE-2021-32809
**DESCRIPTION:**CKEditor is vulnerable to HTML injection. A remote authenticated attacker could inject malicious HTML code into the editor, which when viewed, would abuse the paste functionality and executed in the victim’s Web browser within the security context of the hosting site.
CVSS Base score: 4.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/207429 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)

CVEID:CVE-2021-37695
**DESCRIPTION:**CKEditor is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the Fake Objects plugin. A remote attacker could exploit this vulnerability using malformed Fake Objects HTML, which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/207431 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
ETM 7.0.1
ETM 7.0.2

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by upgrading and applying the suggested fix that uses upgraded version of CKEditor.

Suggested :

Product(s)|**Version(s)
**|Remediation/Fix/Instructions
—|—|—
Engineering Test Management | 7.0.1|

Download and apply ETM 7.0.1 iFix23 from Fix Central here

Engineering Test Management | 7.0.2| Download and apply ETM 7.0.2 iFix24 from Fix Central here

Workarounds and Mitigations

None

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

3.5 Low

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

0.002 Low

EPSS

Percentile

60.5%

Related for 3BC9A05A5784FBDECC2F8733093B6FE3E6C1CDA7DAC045B259D8DAD20FBBE54A