IBM Cúram Social Program Management Universal Access is vulnerable to Insecure Direct Object Reference. An authenticated user may have the ability to withdraw another user’s submitted applications from the system and possibly obtain privileges.
CVEID: CVE-2018-1362
DESCRIPTION: IBM Cúram Social Program Management within Citizen Portal could allow an authenticated user to withdraw another user’s submitted applications from the system and possibly obtain privileges.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137380 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L)
IBM Cúram Social Program Management 7.0.0.0 - 7.0.1.1
IBM Cúram Social Program Management 6.2.0.0 - 6.2.0.6
IBM Cúram Social Program Management 6.1.0.0 - 6.1.1.6
IBM Cúram Social Program Management 6.0.5.0 - 6.0.5.10
Product| VRMF| Remediation/First Fix
---|---|---
IBM Cúram Social Program Management| 7.0| Visit IBM Fix Central and upgrade to 7.0.1.1_iFix3 or a subsequent 7.0.1 release
IBM Cúram Social Program Management| 6.2| Visit IBM Fix Central and upgrade to 6.2.0.6_iFix1 or a subsequent 6.2.0 release
IBM Cúram Social Program Management| 6.1| Visit IBM Fix Central and upgrade to 6.1.1.6_iFix1 or a subsequent 6.1.1 release
IBM Cúram Social Program Management| 6.0.5| Visit IBM Fix Central and upgrade to 6.0.5.10 iFix3 or a subsequent 6.0.5 release
For information on all other versions please contact Cúram Customer Support.