IBM Security Bulletin

History: Feb 28, 2023 - 8:44 p.m.
Security Bulletin: Financial Transaction Manager for Digital Payments, High Value Payments and Corporate Payment Services are impacted by multiple vulnerabilities.

Source: www.ibm.com

CVSS2: 6.4 Medium
Attack Vector: NETWORK | Attack Complexity: LOW | Authentication: NONE | Confidentiality Impact: PARTIAL | Integrity Impact: NONE | Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:P

CVSS3: 9.1 High
Attack Vector: NETWORK | Attack Complexity: LOW | Privileges Required: NONE | User Interaction: NONE | Scope: UNCHANGED | Confidentiality Impact: HIGH | Integrity Impact: NONE | Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

EPSS: 0.002 Low (Percentile: 52.5%)

Summary

The vulnerabilities addressed include improper access control, sensitive information disclosure, cross-site scripting, XML external entity injection and directory traversal.

Vulnerability Details

CVEID: CVE-2020-5002
**DESCRIPTION:** IBM Financial Transaction Manager could allow an authenticated user to perform unauthorized actions due to improper validation.
CVSS Base score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/192954 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2020-5003
**DESCRIPTION:** IBM Financial Transaction Manager 3.2.4 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 192956.
CVSS Base score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/192956 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L)

CVEID: CVE-2020-5001
**DESCRIPTION:** IBM Financial Transaction Manager could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/…/) to view arbitrary files on the system.
CVSS Base score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/192953 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2020-5000
**DESCRIPTION:** IBM Financial Transaction Manager 3.0.2 and 3.2.4 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 192952.
CVSS Base score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/192952 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2020-5026
**DESCRIPTION:** IBM Financial Transaction Manager for Digital Payments for Multi-Platform could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system.
CVSS Base score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/193662 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| Financial Transaction Manager for Corporate Payment Services for Multi-Platform | 3.2.0-3.2.10 |
| Financial Transaction Manager for Digital Payments for Multi-Platform | 3.2.0-3.2.10 |
| Financial Transaction Manager for High Value Payments for Multi-Platform | 3.2.0-3.2.10 |

Remediation/Fixes

| Affected Product | VRMF | Resolved by | Remediation / First Fix |
|---|---|---|---|
| Financial Transaction Manager for Corporate Payment Services for Multi-Platform | 3.2.0-3.2.10 | 3.2.11 | FTM CPS 3.2.11 |
| Financial Transaction Manager for Digital Payments for Multi-Platform | 3.2.0-3.2.10 | 3.2.11 | FTM DP 3.2.11 |
| Financial Transaction Manager for High Value Payments for Multi-Platform | 3.2.0-3.2.10 | 3.2.11 | FTM HVP 3.2.11 |

Workarounds and Mitigations

None

Affected configurations (Vulners)

ibm financial_transaction_manager: 3.2.0 OR 3.2.4 OR 3.2.6 OR 3.2.8 OR 3.2.9 OR 3.2.10
