Jun 16, 2018 - 8:11 p.m.

Security Bulletin: Financial Transaction Manager for ACH Services and Corporate Payment Services has a potential Cross Site Scripting vulnerability (CVE-2017-1634)

2018-06-16 20:11:36
www.ibm.com

Summary

Financial Transaction Manager (FTM) for ACH Services and FTM for Corporate Payment Services have addressed a potential Cross Site Scripting vulnerability.

Vulnerability Details

CVEID: CVE-2017-1634
DESCRIPTION: IBM Financial Transaction Manager (FTM) is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality, potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/133242 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

- FTM for ACH Services v3.0.0, v3.0.1, v3.0.2.0 - 3.0.2.1, v3.0.3, v3.0.4

- FTM for CPS v3.0.0, v3.0.1, v3.0.2.0 - 3.0.2.1, v3.0.3, v3.0.4

Remediation/Fixes

| Product | VRMF | APAR | Remediation/First Fix |
|---|---|---|---|
| FTM for ACH Services | 3.0.0, 3.0.1, 3.0.2.0 through 3.0.2.1, 3.0.3.0, 3.0.4.0 | PI87192 | 3.0.0 apply 3.0.4-FTM-ACH-MP-fp0001 or later<br>3.0.1 apply 3.0.4-FTM-ACH-MP-fp0001 or later<br>3.0.2 apply 3.0.2.1-FTM-ACH-MP-iFix0006 or later<br>3.0.3 apply 3.0.3.0-FTM-ACH-MP-iFix0004 or later<br>3.0.4 apply 3.0.4.0-FTM-ACH-MP-iFix0002 or later, or 3.0.4-FTM-ACH-MP-fp0001 or later |
| FTM for CPS | 3.0.0, 3.0.1, 3.0.2.0 through 3.0.2.1, 3.0.3, 3.0.4 | PI87192 | 3.0.0 apply 3.0.4.0-FTM-CPS-MP-iFix0002 or later<br>3.0.1 apply 3.0.4.0-FTM-CPS-MP-iFix0002 or later<br>3.0.2 apply 3.0.2.1-FTM-CPS-MP-iFix0006 or later<br>3.0.3 apply 3.0.4.0-FTM-CPS-MP-iFix0002 or later<br>3.0.4 apply 3.0.4.0-FTM-CPS-MP-iFix0002 or later |

Workarounds and Mitigations

None
