IBM Cúram Social Program Management is vulnerable to a Java reflection attack caused by external input being used to specify a class. A remote attacker could exploit this vulnerability by injecting arbitrary class names, which are subsequently loaded by the application.
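The weakness described above, as an added illustration in Java that is not IBM Cúram code: a caller-supplied value passed straight to reflection beside an allowlist-based loader that treats external input as a lookup key rather than a class name. The `Handler` interface, `EchoHandler` and the key names are hypothetical.

```java
import java.util.Map;

// Added illustration, not IBM Cúram code: unchecked reflection on external
// input beside an allowlisted loader that refuses anything not registered.
public class ClassNameAllowlist {

    // Hypothetical plug-in interface the application expects to instantiate.
    public interface Handler { String handle(String input); }

    public static class EchoHandler implements Handler {
        public String handle(String input) { return "echo:" + input; }
    }

    // WEAK: any class name reachable by the class loader is loaded and
    // instantiated. Static initializers and constructors of the named class
    // run, so the external input decides which code executes.
    static Object loadUnchecked(String requestedClassName) throws Exception {
        return Class.forName(requestedClassName).getDeclaredConstructor().newInstance();
    }

    // Fixed mapping from short external keys to the only classes the
    // application is willing to instantiate; nothing else is loadable.
    private static final Map<String, Class<? extends Handler>> ALLOWED =
            Map.of("echo", EchoHandler.class);

    // HARDENED: the external value never reaches Class.forName, and the
    // result is statically bound to the expected interface.
    static Handler loadAllowlisted(String key) throws ReflectiveOperationException {
        Class<? extends Handler> clazz = ALLOWED.get(key);
        if (clazz == null) {
            throw new IllegalArgumentException("unknown handler key: " + key);
        }
        return clazz.getDeclaredConstructor().newInstance();
    }

    public static void main(String[] args) throws Exception {
        System.out.println(loadAllowlisted("echo").handle("hi"));
        try {
            loadAllowlisted("com.example.NotRegistered"); // constructed input, rejected
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

A detection-side check for the same pattern is to search the code base for `Class.forName`, `ClassLoader.loadClass` and `newInstance` calls whose argument is traceable to a request parameter or configuration value.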
CVE-2014-8903
CVSS Base Score: 4.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/99186 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:P/A:N)
IBM Cúram Social Program Management: V6.0 SP2, 6.0.4 and 6.0.5.

**NOTE:** 6.0.5.5a is not affected
| Product | VRMF | Remediation/First Fix |
|---|---|---|
| Cúram SPM | 6.0.5 | Visit IBM Fix Central and upgrade to 6.0.5.6 or a subsequent 6.0.5 release. |
| Cúram SPM | 6.0.4 | Visit IBM Fix Central and upgrade to 6.0.4.5iFix10 or a subsequent 6.0.4 release. |
| Cúram SPM | 6.0 SP2 | Visit IBM Fix Central and upgrade to 6.0 SP2 EP26 or a subsequent 6.0 SP2 release. |