The IBM FileNet Content Manager and IBM Content Foundation component “Administration Console for Content Platform Engine” (ACCE), is affected by multiple security vulnerabilities.
Advisory CVEs:
CVEID:CVE-2018-1542
**DESCRIPTION:*The Administration Console for Content Platform Engine (ACCE) included in the IBM FileNet Content Manager and IBM Content Foundation products, is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/142597 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L)
CVEID:CVE-2018-1555
**DESCRIPTION:*IBM FileNet Content Manager is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/142892 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
CVEID:CVE-2018-1556
**DESCRIPTION:*IBM FileNet Content Manager is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/142893 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
IBM FileNet Content Manager 5.2.1, 5.5.0
IBM Content Foundation 5.2.1, 5.5.0
IBM recommends upgrading to a supported version/release/plaform of the product that contains the fixes to these vulnerabilities.
Product | VRMF | APAR | Remediation/First Fix |
---|---|---|---|
IBM FileNet Content Manager | 5.2.1 | ||
5.5.0 | PJ45334 | ||
PJ45334 | 5.2.1.7-P8CPE-IF002 - 5/24/2018 | ||
5.5.1.0-P8CPE - 6/28/2018 | |||
IBM Content Foundation | 5.2.1 | ||
5.5.0 | PJ45334 | ||
PJ45334 | 5.2.1.7-P8CPE-IF002 - 5/24/2018 | ||
5.5.1.0-P8CPE - 6/28/2018 |
In the above table, the APAR links will provide more information about the fix
None