Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM5C7F4FA69211291876224CC5E5EF38063BA255404681592C01B44130CDCF968B
HistoryApr 24, 2023 - 2:55 p.m.

Security Bulletin: IBM Engineering Workflow Management (EWM) vulnerabilities CVE-2020-28500, CVE-2021-23337, CVE-2020-8203

2023-04-2414:55:04
www.ibm.com
29
ibm
ewm
vulnerabilities
ckeditor
html injection
cross-site scripting

CVSS2

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS3

7.4

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

EPSS

0.017

Percentile

87.7%

JSON

Summary

There are vulnerabilities CVE-2020-28500, CVE-2021-23337, CVE-2020-8203 which affects IBM Engineering Workflow Management (EWM).

Vulnerability Details

CVEID:CVE-2021-32809
**DESCRIPTION:**CKEditor is vulnerable to HTML injection. A remote authenticated attacker could inject malicious HTML code into the editor, which when viewed, would abuse the paste functionality and executed in the victim’s Web browser within the security context of the hosting site.
CVSS Base score: 4.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/207429 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)

CVEID:CVE-2021-37695
**DESCRIPTION:**CKEditor is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the Fake Objects plugin. A remote attacker could exploit this vulnerability using malformed Fake Objects HTML, which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/207431 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
EWM 7.0.2
EWM 7.0.1

Remediation/Fixes

Upgrade to version 7.0.2 iFix021 or later

IBM Engineering Lifecycle Management 7.0.2 iFix021

IBM Engineering Workflow Management 7.0.2 iFix021

Upgrade to version 7.0.1 iFix021 or later

IBM Engineering Lifecycle Management 7.0.1 iFix021

IBM Engineering Workflow Management 7.0.1 iFix021

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmengineering_workflow_managementMatch7.0.1
OR
ibmengineering_workflow_managementMatch7.0.2

Related

ibm 64
nessus 21
redhat 14
github 7
osv 14
f5 1
openvas 12
fedora 3
cvelist 5
ubuntucve 5
cve 5
veracode 5
prion 5
debiancve 5
nvd 5
redhatcve 4
huntr 2
nodejs 1
ubuntu 2
githubexploit 1
hackerone 1
debian 1
redos 1
ics 1
checkpoint_advisories 1
oracle 7
ibm
ibm
Security Bulletin: IBM InfoSphere Information Server is affected by multiple vulnerabilities in Node.js lodash module
2023-11-29 01:44:17
Security Bulletin: IBM Engineering Workflow Management (EWM) vulnerabilities CVE-2020-28500, CVE-2021-23337, CVE-2020-8203
2023-03-27 17:21:35
Security Bulletin: Lodash versions prior to 4.17.21 vulnerability in PowerHA System Mirror for AIX
2022-03-23 11:04:44
nessus
nessus
Lodash < 4.17.21 Multiple Vulnerabilities
2021-10-04 00:00:00
RHEL 8 : Red Hat Virtualization Host security update [ovirt-4.4.8] (Moderate) (RHSA-2021:3459)
2022-09-15 00:00:00
RHEL 8 : RHV Manager security update (ovirt-engine) [ovirt-4.4.6] (Moderate) (RHSA-2021:2179)
2021-06-01 00:00:00
redhat
redhat
(RHSA-2021:2179) Moderate: RHV Manager security update (ovirt-engine) [ovirt-4.4.6]
2021-06-01 11:44:38
(RHSA-2021:3459) Moderate: Red Hat Virtualization Host security and bug fix update [ovirt-4.4.8]
2021-09-08 11:04:34
(RHSA-2020:5611) Important: Red Hat Virtualization security, bug fix, and enhancement update
2020-12-17 08:43:33
github
github
CKEditor 4 vulnerabilities in versions <4.16.1
2021-08-23 19:42:05
Fake objects feature vulnerability allowing to execute JavaScript code using malformed HTML.
2021-08-23 19:42:15
Clipboard feature vulnerability allowing to inject arbitrary HTML into the editor using paste functionality
2021-08-23 19:40:57
osv
osv
CKEditor 4 vulnerabilities in versions <4.16.1
2021-08-23 19:42:05
Clipboard feature vulnerability allowing to inject arbitrary HTML into the editor using paste functionality
2021-08-23 19:40:57
CVE-2021-37695
2021-08-13 00:15:00
f5
f5
K12492858 : Appliance mode authenticated F5 BIG-IP Guided Configuration third-party lodash and jQuery vulnerabilities CVE-2021-23337, CVE-2020-28500, and CVE-2016-7103
2022-05-06 00:00:00
openvas
openvas
Fedora: Security Advisory for ckeditor (FEDORA-2021-51457da891)
2021-10-02 00:00:00
Fedora: Security Advisory for ckeditor (FEDORA-2021-87578dca12)
2021-10-02 00:00:00
Fedora: Security Advisory for ckeditor (FEDORA-2021-72176a63a8)
2021-10-02 00:00:00
fedora
fedora
[SECURITY] Fedora 35 Update: ckeditor-4.16.2-1.fc35
2021-09-24 20:59:27
[SECURITY] Fedora 33 Update: ckeditor-4.16.2-1.fc33
2021-09-29 01:10:13
[SECURITY] Fedora 34 Update: ckeditor-4.16.2-1.fc34
2021-09-29 01:10:12
cvelist
cvelist
CVE-2021-37695 Execution of JavaScript code using malformed HTML in ckeditor
2021-08-12 23:10:10
CVE-2021-32809 Arbitrary HTML injection vulnerability in ckeditor
2021-08-12 17:10:09
CVE-2020-28500 Regular Expression Denial of Service (ReDoS)
2021-02-15 00:00:00
ubuntucve
ubuntucve
CVE-2021-37695
2021-08-13 00:00:00
CVE-2021-32809
2021-08-12 00:00:00
CVE-2020-28500
2021-02-15 00:00:00
cve
cve
CVE-2021-37695
2021-08-13 00:15:07
CVE-2021-32809
2021-08-12 17:15:08
CVE-2020-28500
2021-02-15 11:15:12
veracode
veracode
Command Injection
2021-08-19 08:55:23
Cross-Site Scripting (XSS)
2021-08-20 09:54:37
Regular Expression Denial Of Service (ReDoS)
2021-02-16 04:13:54
prion
prion
Design/Logic Flaw
2021-08-13 00:15:00
Design/Logic Flaw
2021-08-12 17:15:00
Design/Logic Flaw
2021-02-15 11:15:00
debiancve
debiancve
CVE-2021-32809
2021-08-12 17:15:08
CVE-2021-37695
2021-08-13 00:15:07
CVE-2020-28500
2021-02-15 11:15:12
nvd
nvd
CVE-2021-32809
2021-08-12 17:15:08
CVE-2020-28500
2021-02-15 11:15:12
CVE-2021-37695
2021-08-13 00:15:07
redhatcve
redhatcve
CVE-2021-37695
2022-05-20 23:58:59
CVE-2020-28500
2021-02-15 21:48:23
CVE-2021-23337
2021-02-15 21:45:02
huntr
huntr
Inefficient Regular Expression Complexity in liriliri/licia
2021-07-18 15:31:06
Lodash 4.17.15 in use which is vulnerable to CVE-2020-8203
2023-02-20 02:52:19
nodejs
nodejs
Command Injection
2021-05-06 16:14:39
ubuntu
ubuntu
CKEditor vulnerabilities
2022-03-23 00:00:00
CKEditor vulnerabilities
2022-03-22 00:00:00
githubexploit
githubexploit
Exploit for Prototype Pollution in Lodash
2020-12-01 09:45:48
hackerone
hackerone
Node.js third-party modules: Prototype pollution attack (lodash)
2019-10-11 12:06:20
debian
debian
[SECURITY] [DLA 2813-1] ckeditor security update
2021-11-09 08:52:03
redos
redos
ROS-20240418-08
2024-04-18 00:00:00
ics
ics
Siemens SINEC INS
2022-09-15 12:00:00
checkpoint_advisories
checkpoint_advisories
JavaScript Prototype Pollution (CVE-2020-28269; CVE-2020-28272; CVE-2020-28273; CVE-2020-28442; CVE-2020-28458; CVE-2020-28472; CVE-2020-7778; CVE-2020-8158; CVE-2020-8203; CVE-2021-25912; CVE-2021-44906)
2020-06-21 00:00:00
oracle
oracle
Oracle Critical Patch Update Advisory - January 2022
2022-01-18 00:00:00
Oracle Critical Patch Update Advisory - October 2021
2021-10-19 00:00:00
Oracle Critical Patch Update Advisory - April 2023
2023-04-18 00:00:00

CVSS2

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS3

7.4

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

EPSS

0.017

Percentile

87.7%

JSON
Related for 5C7F4FA69211291876224CC5E5EF38063BA255404681592C01B44130CDCF968B
ibm64nessus21redhat14github7osv14f51openvas12fedora3cvelist5ubuntucve5cve5veracode5prion5debiancve5nvd5redhatcve4huntr2nodejs1ubuntu2githubexploit1hackerone1debian1redos1ics1checkpoint_advisories1oracle7