The Universal Access component of IBM Cúram Social Program Management, when not deployed on IBM WebSphere Application Server, is vulnerable to CRLF Injection attack; this is caused by improper sanitization/escaping of a parameter on one page.
CVEID: CVE-2014-4803
A remote attacker could inject CRLF combinations into HTTP headers (HTTP Response Splitting) via parameters on one page. This may lead to attacks in the form of cross site scripting, cross-user defacement or web cache poisoning.
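The defect class the advisory describes is a request parameter copied into a response header without CR/LF being removed or rejected. The following is an added illustration written for this page, not code from IBM or from Cúram SPM; the redirect-building functions, the parameter values and the header parser are all constructed here to show the vulnerable pattern beside its hardened form.

```python
import re

# Any CR or LF inside a header value ends that header line early, so the
# remainder of the value is parsed as further header lines (or as the body).
_CR_OR_LF = re.compile(r"[\r\n]")


def header_value_is_safe(value: str) -> bool:
    """True if the (already URL-decoded) value contains no CR or LF.

    The check must run on the decoded parameter: a server decodes %0d%0a
    before the application sees the value, so checking the raw query string
    would miss encoded line breaks.
    """
    return _CR_OR_LF.search(value) is None


def _build_redirect(target: str) -> bytes:
    """Serialise a 302 response whose Location header carries `target`."""
    response = (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {target}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    )
    return response.encode("latin-1")


def vulnerable_redirect(target: str) -> bytes:
    """'Before' pattern: the request parameter is written verbatim into the
    Location header with no sanitization or escaping."""
    return _build_redirect(target)


def hardened_redirect(target: str) -> bytes:
    """'After' pattern: refuse any value that could break out of its header
    line. Rejecting is preferable to silently stripping CR/LF, because a
    stripped value may no longer mean what the caller intended."""
    if not header_value_is_safe(target):
        raise ValueError("refusing CR/LF in Location header value")
    return _build_redirect(target)


def rejected_by_hardened_redirect(target: str) -> bool:
    """Convenience wrapper so callers can test the outcome without try/except."""
    try:
        hardened_redirect(target)
    except ValueError:
        return True
    return False


def parse_response_headers(raw: bytes) -> dict:
    """Minimal parser that splits the header block the way a browser or
    proxy would, returning the header names it ends up seeing."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers


# Constructed sample parameter values (not taken from the advisory).
BENIGN_TARGET = "/home"
SPLITTING_TARGET = "/home\r\nX-Injected: 1"


if __name__ == "__main__":
    # With the vulnerable builder the parser sees a header the application
    # never intended to send; the hardened builder refuses the value.
    print(parse_response_headers(vulnerable_redirect(SPLITTING_TARGET)))
    print("rejected:", rejected_by_hardened_redirect(SPLITTING_TARGET))
```

The same validation belongs on every header an application sets from user input (Location, Set-Cookie, custom headers), and on the decoded value rather than the raw query string. Many application servers now apply this check themselves, which is consistent with the advisory's note that deployments on WebSphere Application Server are not affected; the application-level check is what protects the other deployment targets.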
CVSS Base Score: 3.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/95305> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)
The Curam product is affected in versions:
6.0 SP2
6.0.4
6.0.5
| Product | VRMF | Remediation/First Fix |
|---|---|---|
| Cúram SPM | 6.0 SP2 | Visit IBM Fix Central and upgrade to 6.0 SP2 EP26 or a later interim fix level. |
| Cúram SPM | 6.0.4 | Visit IBM Fix Central and upgrade to 6.0.4.5 iFix007 or a later interim fix level. |
| Cúram SPM | 6.0.5 | Visit IBM Fix Central and upgrade to 6.0.5.5 iFix 003 or a later interim fix level. |
None