Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM6DB4B96CADB89549B80DFF865EDF03DEB0A83BFAE2F88AD36602806813523E17
HistoryJun 17, 2018 - 1:05 p.m.

Security Bulletin: IBM Cúram Social Program Management is vulnerable to cross-site request forgery attacks (CVE-2014-6090).

2018-06-1713:05:25
www.ibm.com
4

0.002 Low

EPSS

Percentile

62.2%

JSON

Summary

IBM Cúram Social Program management contains a number of servlets which do not adequately protect against CSRF. This could potentially allow an attacker to affect the integrity of data managed by these servlets.

Vulnerability Details

CVEID: CVE-2014-6090**
DESCRIPTION:** IBM Curam Social Program Management is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/95868 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

Affected Products and Versions

5.2 SP6
6.0 SP2
6.0.3
6.0.4
6.0.5

Remediation/Fixes

_Product _

| _VRMF _| Remediation/First Fix
—|—|—
Cúram SPM| 6.0.5| Visit IBM Fix Central and upgrade to 6.0.5.6 or a subsequent 6.0.5 release.
Cúram SPM| 6.0.4| Visit IBM Fix Central and upgrade to 6.0.4.5 iFix10 or a subsequent 6.0.4 release.
Cúram SPM| 6.0.3| Visit IBM Fix Central and upgrade to 6.0.3.0 iFix8 or a subsequent 6.0.3 release.
Cúram SPM| 6.0 SP2| Visit IBM Fix Central and upgrade to 6.0 SP2 EP26 or a subsequent 6.0 SP2 release.
Cúram SPM| 5.2 SP6| Visit IBM Fix Central and upgrade to 5.2 SP6 EP6 or a subsequent 5.2 SP6 release.

Workarounds and Mitigations

There are a number of options to mitigate this issue. The general premise behind these mitigations is that generally these servlets are more useful in development and test environments than in the live system

Mitigation 1
This issue can be worked around by NOT deploying the following servlets to your live system:
DataMappingEditorCommands
DatastoreEditorCommands
IEGEditorCommands

Mitigation 2
This issue can be worked around by modifying user roles so that these servlets cannot be accessed by any users in the production environment. This can be achieved using standard Curam user interface for security roles.

Related

cvelist 1
nvd 1
cve 1
prion 1
cvelist
cvelist
CVE-2014-6090
2015-04-27 01:00:00
nvd
nvd
CVE-2014-6090
2015-04-27 11:59:00
cve
cve
CVE-2014-6090
2015-04-27 11:59:00
prion
prion
Cross site request forgery (csrf)
2015-04-27 11:59:00

0.002 Low

EPSS

Percentile

62.2%

JSON
Related for 6DB4B96CADB89549B80DFF865EDF03DEB0A83BFAE2F88AD36602806813523E17
cvelist1nvd1cve1prion1