History: Jun 16, 2018 - 2:01 p.m.

Security Bulletin: Multiple Vulnerabilities in IBM Initiate Master Data Service (CVE-2014-4789, CVE-2014-4788, CVE-2014-4787, CVE-2014-4786, CVE-2014-4785, CVE-2014-4784, CVE-2014-4783)

Source: www.ibm.com


Summary

Multiple vulnerabilities were discovered in the web UI components of IBM Initiate Master Data Service.

Vulnerability Details

CVE-ID: CVE-2014-4789
**DESCRIPTION:** IBM Initiate Master Data Service could allow a remote attacker to hijack a valid user's session, caused by the failure to update the session identifier after a successful authentication. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to hijack another user's session and possibly launch further attacks on the system.

CVSS Base Score: 3.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/95059> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)
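The defect behind CVE-2014-4789 is a login that keeps the pre-authentication session identifier. The following added example (not IBM code; the in-memory `SessionStore` is a constructed stand-in for the web UI's session layer) shows the weak login beside a hardened one that rotates the identifier, plus a check a tester can run to tell them apart.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class SessionStore:
    """Constructed in-memory session store; maps session id -> session data."""
    sessions: dict = field(default_factory=dict)

    def new_session(self) -> str:
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def user_for(self, sid: str):
        data = self.sessions.get(sid)
        return data["user"] if data else None


def login_without_rotation(store: SessionStore, sid: str, user: str) -> str:
    # Weak pattern described in the bulletin: the identifier issued before
    # authentication is simply upgraded in place, so any party that already
    # knows it now holds an authenticated session.
    store.sessions[sid]["user"] = user
    return sid


def login_with_rotation(store: SessionStore, sid: str, user: str) -> str:
    # Hardened pattern: invalidate the pre-auth identifier and issue a fresh
    # one at the moment of authentication; the old id must stop working.
    store.sessions.pop(sid, None)
    new_sid = store.new_session()
    store.sessions[new_sid]["user"] = user
    return new_sid


def session_id_rotates_on_login(login) -> bool:
    """True if an id known before login is invalid afterwards (the safe behaviour)."""
    store = SessionStore()
    pre_auth_id = store.new_session()          # id observable before authentication
    post_auth_id = login(store, pre_auth_id, "alice")
    old_id_dead = store.user_for(pre_auth_id) is None
    new_id_live = store.user_for(post_auth_id) == "alice"
    return old_id_dead and new_id_live and post_auth_id != pre_auth_id
```

The same check applies to a real deployment: capture the session cookie before logging in, log in, and confirm the server rejects the old value.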

CVE-ID: CVE-2014-4788
**DESCRIPTION:** IBM Initiate Master Data Service could allow a remote attacker to obtain sensitive information, caused by the lack of an autocomplete-off attribute for authentication fields within the tool. An attacker could exploit this vulnerability to obtain sensitive information.

CVSS Base Score: 2.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/95058> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)

CVE-ID: CVE-2014-4787
**DESCRIPTION:** IBM Initiate Master Data Service is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

CVSS Base Score: 3.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/95034> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

CVE-ID: CVE-2014-4786
**DESCRIPTION:** IBM Initiate Master Data Service is vulnerable to frame injection. A remote attacker can initiate a phishing-through-frames attack by inserting a malicious frame that may be used to gain unauthorized access or collect sensitive information.

CVSS Base Score: 3.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/95033> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

CVE-ID: CVE-2014-4785
**DESCRIPTION:** IBM Initiate Master Data Service is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.

CVSS Base Score: 3.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/95032> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

CVE-ID: CVE-2014-4784
**DESCRIPTION:** IBM Initiate Master Data Service is vulnerable to frame injection. A remote attacker can initiate a phishing-through-frames attack by inserting a malicious frame that may be used to gain unauthorized access or collect sensitive information.

CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/95031> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
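CVE-2014-4786 and CVE-2014-4784 both describe frame injection: a page that embeds a frame whose source is taken from user-controlled input. The usual fix is to validate any such value against an allowlist of origins and to back that up with a `frame-src` Content-Security-Policy. This added example (not IBM code; the host allowlist and the `frame_src_csp` helper are constructed for illustration) shows a validator that rejects the common bypass shapes (protocol-relative and backslash paths, non-https schemes, userinfo tricks).

```python
from urllib.parse import urlsplit

# Constructed allowlist of hosts the web UI is permitted to embed in a frame.
ALLOWED_FRAME_HOSTS = {"mds.example.internal"}


def safe_frame_src(candidate: str, allowed_hosts=ALLOWED_FRAME_HOSTS):
    """Return `candidate` unchanged if it is an acceptable frame source, else None.

    Accepted: absolute-path-relative URLs ("/ui/...") and https URLs whose
    host is on the allowlist. Everything else is refused rather than repaired.
    """
    value = candidate.strip()
    # Control characters break header/attribute contexts; a backslash is treated
    # as a slash by browsers, so "/\evil" would become protocol-relative.
    if not value or any(c in value for c in "\r\n\x00\\"):
        return None
    parts = urlsplit(value)
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: require a leading "/" but refuse "//host" forms.
        return value if value.startswith("/") and not value.startswith("//") else None
    if parts.scheme.lower() != "https":
        return None            # refuses javascript:, data:, http:, file:, ...
    host = (parts.hostname or "").lower()
    if parts.username is not None or parts.password is not None:
        return None            # refuses "https://trusted@evil" style URLs
    if host not in allowed_hosts:
        return None
    return value


def frame_src_csp(allowed_hosts=ALLOWED_FRAME_HOSTS) -> str:
    """Defence in depth: a CSP directive limiting where frames may load from,
    so an injected frame pointing elsewhere is blocked even if validation slips."""
    sources = " ".join(f"https://{h}" for h in sorted(allowed_hosts))
    return f"frame-src 'self' {sources}".rstrip()
```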

CVE-ID: CVE-2014-4783
**DESCRIPTION:** IBM Initiate Master Data Service is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.

CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/95030> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Affected Products and Versions

These vulnerabilities are known to affect the web UI components in the following offerings:

IBM Initiate Master Data Service version 9.5, 9.7, 10.0, 10.1

Remediation/Fixes

**For IBM Initiate Master Data Service V9.5:**
- Apply 9.5.093013_IM_Initiate_MasterDataService_ALL_RefreshPack from Fix Central.

**For IBM Initiate Master Data Service V9.7:**
- Apply 9.7.093013_IM_Initiate_MasterDataService_ALL_RefreshPack from Fix Central.

**For IBM Initiate Master Data Service V10.0:**
- Apply 10.0.093013_IM_Initiate_MasterDataService_ALL_RefreshPack from Fix Central.

**For IBM Initiate Master Data Service V10.1:**
- Apply 10.1.093013_IM_Initiate_MasterDataService_ALL_RefreshPack from Fix Central.

Workarounds and Mitigations

None
