IBM Event Processing is vulnerable to cross-site request forgery(XSS) due to axios-0.27.2.tgz. Axios is a library used in nodejs component which is used to build Event Processing UI. CVE-2023-45857 is applicable to all axios package before 1.6.0 which results in a xss vulnerability.
CVEID:CVE-2023-45857
**DESCRIPTION:**Axios is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By inserting the X-XSRF-TOKEN header using the secret XSRF-TOKEN cookie value in all requests to any server when the XSRF-TOKEN0 cookie is available, and the withCredentials setting is turned on, an attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.
CVSS Base score: 7.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/270574 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N)
Affected Product(s) | Version(s) |
---|---|
IBM Event Processing | 1.0.0-1.1.0 |
IBM strongly recommends addressing the vulnerability now by upgrading
Upgrade to IBM Event Processing 1.1.1 by following the upgrading and migrating documentation.
None
CPE | Name | Operator | Version |
---|---|---|---|
ibm event automation | eq | any |