A recent penetration test in the product identified that an open redirect issue exists in the IBM Cúram Social Program Management product. The issue could enable a remote attacker to use an attack vector to conduct an open redirect attack, where a redirect value is not validated.
CVEID: CVE-2018-1654 DESCRIPTION: IBM Cúram Social Program Management could enable a remote attacker to conduct phishing attacks by using an open redirect attack. By persuading a victim to visit a specially crafted web site, a remote attacker could exploit the open redirect vulnerability to spoof the displayed URL to redirect a user to a malicious web site that appears to be trusted. The attacker could then obtain highly sensitive information or conduct further attacks against the victim.
_CVSS Base Score: 6.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/144747>_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N)
IBM Cúram Social Program Management 7.0.2.0 - 7.0.3.0
IBM Cúram Social Program Management 7.0.0.0 - 7.0.1.0
IBM Cúram Social Program Management 6.2.0.0 - 6.2.0.6
IBM Cúram Social Program Management 6.1.0.0 - 6.1.1.6
IBM Cúram Social Program Management 6.0.5.0 - 6.0.5.10
_Product _
| _VRMF _ | Remediation/First Fix
—|—|—
Cúram SPM |
7.0.4
| Visit IBM Fix Central and upgrade to 7.0.4.0 or a subsequent 7.0.4 release.
Cúram SPM |
7.0.1
| Visit IBM Fix Central and upgrade to 7.0.1.3 or a subsequent 7.0.1 release.
Cúram SPM |
6.2.0
| Visit IBM Fix Central and upgrade to 6.2.0.6 iFix2 or a subsequent 6.2.0 release.
Cúram SPM |
6.1.1
| Visit IBM Fix Central and upgrade to 6.1.1.6 iFix2 or a subsequent 6.1.1 release.
Cúram SPM |
6.0.5
| Visit IBM Fix Central and upgrade to 6.0.5.10 iFix4 or a subsequent 6.0.5.10 release.
For information about all other versions, contact IBM Cúram Social Program Management customer support.