Security Bulletin: IBM Security Network Protection contains a Cross-Site Request Forgery vulnerability.

Summary

IBM Security Network Protection is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.

Vulnerability Details

CVEID:CVE-2014-6198 **DESCRIPTION: *IBM Security Network Protection is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/98610 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Affected Products and Versions

IBM Security Network Protection 5.3

Remediation/Fixes

Product

| VRMF| Remediation/First Fix
—|—|—
IBM Security Network Protection| Firmware version 5.3| Install Fixpack 5.3.1 from the Available Updates page of the local management interface, or by performing a One Time Scheduled Installation from SiteProtector.

Workarounds and Mitigations

none