Security Bulletin: IBM Cúram Social Program Management contains a cross-site request forgery vulnerability in the REST API (CVE-2018-2001)
Summary A recent product security scanning exercise identified that a cross-site request forgery vulnerability exists within the REST API in IBM Cúram Social Program Management. The issue relates to the server-side checking of the HTTP referrer header for GET requests, which should be checked in a...
Security Bulletin: IBM Cúram Social Program Management contains a stored cross-site scripting vulnerability (CVE-2018-1900)
Summary A recent product penetration test identified that a stored cross-site scripting vulnerability exists in IBM Cúram Social Program Management. The issue relates to the rendering of some rich text fields if they pass through the same infrastructure, renderer, or converter where malicious...
IBM Cúram Social Program Management Cross-Site Scripting Vulnerability (CNVD-2018-26360)
IBM Cúram Social Program Management (SPM) is a suite of social program management solutions from IBM (USA). The solution supports end-to-end social program delivery. A cross-site scripting vulnerability exists in IBM Cúram SPM that remote attackers can exploit to inject...
CVE-2018-1900
IBM Curam Social Program Management 6.0.5, 6.1.1, 6.2.0, 7.0.1, and 7.0.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted...
Open redirect
IBM Curam Social Program Management 6.0.5, 6.1.1, 6.2.0, 7.0.1, and 7.0.3 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL...
CVE-2018-1654
IBM Curam Social Program Management 6.0.5, 6.1.1, 6.2.0, 7.0.1, and 7.0.3 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL...
Cross site scripting
IBM Curam Social Program Management 6.0.5, 6.1.1, 6.2.0, 7.0.1, and 7.0.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted...
CVE-2018-1654
IBM Cúram Social Program Management CVE-2018-1654 is an open redirect vulnerability that enables a remote attacker to perform phishing by spoofing the displayed URL and redirecting users to a malicious site. Affected IBM Cúram SPM versions span 6.0.5.0–6.2.0.6, 7.0.0.0–7.0.3.0, with remediation g...
CVE-2018-1900
CVE-2018-1900 is a stored cross-site scripting vulnerability in IBM Cúram Social Program Management. IBM's bulletin lists the affected versions: 6.0.5.x, 6.1.0.x–6.1.1.x, 6.2.0.x, 7.0.1, 7.0.3 (and 7.0.2.x–7.0.4.x in the 7.0 line). The issue arises in rendering rich text fields when content can pass thro...
CVE-2018-1671
IBM Curam Social Program Management 7.0.3 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. IBM X-Force ID: 144951...
CVE-2018-1671
CVE-2018-1671 affects IBM Curam Social Program Management 7.0.3 through an HTML injection vulnerability in the Social Program Management Design System. The Design System component (versions prior to 1.4.0) allows remote HTML injection that executes in the victim's browser within the hosting site's security con...
Security Bulletins for Emptoris Program Management
Question: Security Bulletins for Emptoris Program Management. Answer: This article tracks all Security Bulletins for Emptoris Program Management. IBM's Product Security Incident Response Team (PSIRT) follows the NIST guidelines for determining the severity rating of the reported vulnerability; see "N...
Security Bulletin: Vulnerability in Apache Batik affects IBM Cúram Social Program Management (CVE-2018-8013)
Summary IBM Cúram Social Program Management uses the Apache Batik library. In Apache Batik versions prior to 1.10, the class type was not checked during deserialization of subclasses of AbstractDocument. A fix has been put in place to check the class type before...
Security Bulletin: IBM Cúram Social Program Management contains an open redirect vulnerability (CVE-2018-1654)
Summary A recent penetration test in the product identified that an open redirect issue exists in the IBM Cúram Social Program Management product. The issue could enable a remote attacker to use an attack vector to conduct an open redirect attack, where a redirect value is not validated...
Security Bulletin: IBM Social Program Management Design System contains an HTML injection vulnerability (CVE-2018-1671)
Summary An HTML injection vulnerability was detected in the IBM Social Program Management Design System component of the IBM Cúram Social Program Management product. It was discovered that input data for some tags was not sanitized in a secure way. Vulnerability Details CVEID: CVE-2018-1671...
Security Bulletin: Vulnerability in IBM WebSphere Application Server Affects IBM Emptoris Sourcing, IBM Emptoris Contract Management, IBM Emptoris Spend Analysis, IBM Emptoris Program Management and IBM Emptoris Service Procurement (CVE-2018-1621)
Summary The IBM Emptoris Sourcing, IBM Emptoris Contract Management, IBM Emptoris Spend Analysis, IBM Emptoris Program Management and IBM Emptoris Service Procurement products are affected by a vulnerability that exists in the IBM WebSphere Application Server. The security bulletin includes issue...
Security Bulletin: Vulnerability in IBM WebSphere Application Server Affects IBM Emptoris Sourcing, IBM Emptoris Contract Management, IBM Emptoris Spend Analysis, IBM Emptoris Program Management and IBM Emptoris Service Procurement (CVE-2018-1614)
Summary The IBM Emptoris Sourcing, IBM Emptoris Contract Management, IBM Emptoris Spend Analysis, IBM Emptoris Program Management and IBM Emptoris Service Procurement products are affected by a vulnerability that exists in the IBM WebSphere Application Server. The security bulletin includes issue...