Multiple vulnerabilities in IBM Financial Transaction Manager for ACH Services, Check Services, Corporate Payment Services (CVE-2016-5920, CVE-2016-1181, CVE-2016-1182, CVE-2016-3060)
CVEID: CVE-2016-1181**
DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base Score: 8.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/113852 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2016-1182**
DESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages.
CVSS Base Score: 4.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/113853 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)
CVEID: CVE-2016-3060**
DESCRIPTION:** IBM Payments Director could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victimβs click actions and possibly launch further attacks against the victim.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114896 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
CVEID: CVE-2016-5920**
DESCRIPTION:** IBM Financial Transaction Manager for ACH Services for Multi-Platform is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/115704 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
- FTM for ACH v3.0.0.0, v3.0.0.1, v3.0.0.2, v3.0.0.3, v3.0.0.4, v3.0.0.5, v3.0.0.6, v3.0.0.7, v3.0.0.8, v3.0.0.9, v3.0.0.10, 3.0.0.11, 3.0.0.12, 3.0.0.13, 3.0.0.14, 3.0.1.0
- FTM for Check v3.0.0.0, v3.0.0.1, v3.0.0.2, v3.0.0.3, v3.0.0.4, v3.0.0.5, v3.0.0.6, v3.0.0.7, v3.0.0.8, v3.0.0.9, v3.0.0.10, 3.0.0.11, 3.0.0.12, 3.0.0.13, 3.0.0.14, 3.0.1.0
- FTM for CPS v3.0.0.0, v3.0.0.1, v3.0.0.2, v3.0.0.3, v3.0.0.4, v3.0.0.5, v3.0.0.6, v3.0.0.7, v3.0.0.8, v3.0.0.9, v3.0.0.10, 3.0.0.11, 3.0.0.12, 3.0.0.13, 3.0.0.14
Product
| VRMF| APAR| Remediation/First Fix
β|β|β|β
FTM for ACH Services| 3.0.0.0 through 3.0.0.14| PI67537| Apply 3.0.0-FTM-ACH-MP-fp0015 or later.
FTM for Check Services| 3.0.0.0 through 3.0.0.14| PI64063| Apply 3.0.0-FTM-Check-MP-fp0015 or later.
FTM for CPS Services| 3.0.0.0 through 3.0.0.14| PI64064| Apply 3.0.0-FTM-CPS-MP-fp0015 or later.
FTM for ACH Services| 3.0.1.0| PI67537| Apply 3.0.1.0-FTM-ACH-MP-iFix0002 or later.
FTM for Check Services| 3.0.1.0| PI64063| Apply 3.0.1.0-FTM-Check-MP-iFix0002 or later.
FTM for CPS Services| 3.0.1.0| PI64064| Apply 3.0.1.0-FTM-CPS-MP-iFix0002 or later.
None