Published: Jan 24, 2024 - 10:00 a.m.

Security Bulletin: IBM Event Processing is vulnerable to cross-site request forgery (XSS) due to Axios (CVE-2023-45857).

Source: www.ibm.com

Tags: ibm event processing, cross-site request forgery, axios, vulnerability, cve-2023-45857, upgrade

AI Score: 5.8 Medium (Confidence: High)

EPSS: 0.001 Low (Percentile: 22.0%)

Summary

IBM Event Processing is vulnerable to cross-site request forgery (XSS) due to axios-0.27.2.tgz. Axios is a library used in the Node.js component that builds the Event Processing UI. CVE-2023-45857 applies to all axios package versions before 1.6.0 and results in an XSS vulnerability.

Vulnerability Details

CVEID: CVE-2023-45857
**DESCRIPTION:** Axios is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By inserting the X-XSRF-TOKEN header using the secret XSRF-TOKEN cookie value in all requests to any server when the XSRF-TOKEN cookie is available and the withCredentials setting is turned on, an attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.
CVSS Base score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/270574 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N)

Affected Products and Versions

Affected Product(s): IBM Event Processing
Version(s): 1.0.0-1.1.0

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by upgrading.

Upgrade to IBM Event Processing 1.1.1 by following the upgrading and migrating documentation.

Workarounds and Mitigations

None

CPE Name: ibm event automation
Operator: eq
Version: any
