TADDM fails to properly check authorization when allowing a user to view BIRT reports. It is possible to bypass authorization in the application via parameter manipulation in the BIRT reporting URL.
CVE-2013-2974: BIRT viewer allows authorization bypass
Description
It is possible to bypass authorization in the application via parameter manipulation in the BIRT reporting URL. This allows any user to obtain report administration functionality, thereby allowing them to create or delete reports or to exploit vulnerabilities, such as SQL injection, that exist in the BIRT viewer.
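The pattern behind this class of bug is a report viewer that lets a request parameter decide what the caller is allowed to do. The following added example (not IBM's or BIRT's code; the `/birt/run` path, the `role` and `action` parameter names, the role names and the session store are all constructed for illustration) contrasts a handler that trusts a caller-supplied role with one that derives the role from the server-side session and denies by default:

```python
"""Illustration of why report authorization must come from the server-side
session, never from the request URL. Vulnerable and hardened handlers side by
side; all names, paths and sessions below are constructed for this example."""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Constructed session store: session id -> role established at login time.
SESSIONS = {
    "sess-alice": "reporter",      # ordinary user, may only view reports
    "sess-bob": "report_admin",    # may create and delete reports
}

# Which roles may perform which report-viewer actions; anything unlisted is denied.
ALLOWED = {
    "view": frozenset({"reporter", "report_admin"}),
    "create": frozenset({"report_admin"}),
    "delete": frozenset({"report_admin"}),
}


@dataclass
class Request:
    url: str          # request line as the viewer would see it (constructed)
    session_id: str   # value of the session cookie presented by the caller


def params(url: str) -> dict:
    """Flatten the query string to a simple name -> first value mapping."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def vulnerable_authorize(req: Request) -> bool:
    """Trusts a 'role' query parameter, so editing the URL grants admin rights."""
    p = params(req.url)
    action = p.get("action", "view")
    role = p.get("role", "reporter")   # attacker-controlled input
    return role in ALLOWED.get(action, frozenset())


def hardened_authorize(req: Request, audit: list) -> bool:
    """Ignores any role in the URL; the role comes from the server-side session.

    Unknown sessions, unknown actions and unauthorized roles are all denied and
    recorded in `audit`, which gives the SOC a signal for attempted bypasses."""
    p = params(req.url)
    action = p.get("action", "view")
    role = SESSIONS.get(req.session_id)
    if role is None or action not in ALLOWED or role not in ALLOWED[action]:
        audit.append(f"DENY session={req.session_id} action={action} url={req.url}")
        return False
    return True


def demo() -> tuple:
    """Same tampered request through both handlers: (vulnerable, hardened, audit)."""
    tampered = Request("/birt/run?report=inventory&action=delete&role=report_admin",
                       "sess-alice")
    audit: list = []
    return vulnerable_authorize(tampered), hardened_authorize(tampered, audit), audit


if __name__ == "__main__":
    print(demo())
```

The hardened handler keeps the URL purely as a description of what is requested; who the caller is comes only from state the server established at login, and every refusal is logged so tampered report URLs show up in monitoring.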
CVSS Base Score: 6.5
CVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/83877>
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/AU:S/C:P/I:P/A:P)
Affected versions: TADDM 7.2.1.0 through 7.2.1.4 (fix included in TADDM 7.2.1.5 and TADDM 7.2.2.0)
Remediation: Apply the latest fixpack 7.2.1.5 or upgrade to 7.2.2.
If you are unable to upgrade, please contact IBM Technical Support.
Workarounds and mitigations: None