Security Bulletin: Multiple Security Vulnerabilities in Certain GUI Components of IBM Algo Credit Limits.
Summary Abstract: Multiple security vulnerabilities exist in certain GUI components of IBM Algo Credit Limits, namely ACLM Web GUI, PDS Blotter Web GUI, and ACLM Win GUI. Details of each vulnerability and the affected components are set out below. Vulnerability Details DESCRIPTION: Customers who...
CVE-2014-0894
RICOS in IBM Algo Credit Limits aka ACLM 4.5.0 through 4.7.0 before 4.7.0.03 FP5 in IBM Algorithmics allows context-dependent attackers to discover database credentials by reading the DbUser and DbPass fields in an XML document...
CVE-2014-0864
Multiple cross-site request forgery (CSRF) vulnerabilities in Executer in RICOS in IBM Algo Credit Limits aka ACLM 4.5.0 through 4.7.0 before 4.7.0.03 FP5 in IBM Algorithmics allow remote attackers to hijack the authentication of arbitrary users for requests that change (1) a deal's currency or (2) a...
Input validation
RICOS in IBM Algo Credit Limits aka ACLM 4.5.0 through 4.7.0 before 4.7.0.03 FP5 in IBM Algorithmics relies on client-side input validation, which allows remote authenticated users to bypass intended dual-control restrictions and modify data via a crafted XML document, as demonstrated by...
Information disclosure
RICOS in IBM Algo Credit Limits aka ACLM 4.5.0 through 4.7.0 before 4.7.0.03 FP5 in IBM Algorithmics allows remote attackers to obtain potentially sensitive Tomcat stack-trace information via non-printing characters in a cookie to the /classes/ URI, as demonstrated by the \x00 character...
CVE-2014-0869
CVE-2014-0869 affects IBM Algorithmics RICOS (ACLM) Web/GUI components in ACLM versions 4.5.0–4.7.0. The vulnerability is due to a decrypt function in RICOS that does not require a cryptographic key, allowing remote attackers who can sniff network traffic to supply a string argument and obtain c...
CVE-2014-0865
CVE-2014-0865 affects IBM Algorithmics RICOS (Algo Credit Limits) Web/Fat-Client UI components. The vulnerability stems from the product relying on client-side input validation, allowing an authenticated user to bypass dual-control restrictions and modify data (e.g., limits) via crafted serialize...
CVE-2014-0867
CVE-2014-0867 affects IBM Algo Credit Limits (RICOS) Web GUI, specifically rcore6/main/addcookie.jsp. The root cause is that a page in ACLM Web GUI could set/overwrite cookies for a user via manipulated links, enabling Cross-Site Cookie Setting. Affected versions are IBM Algo Credit Limits 4.5.0–...
CVE-2014-0866
CVE-2014-0866 affects IBM Algo Credit Limits (RICOS) 4.5.0–4.7.0; the SEC/IBM advisories describe plaintext submission of passwords over HTTP by the RICOS fat client (and unencrypted auth in the Blotter), enabling an attacker on the network to capture credentials. The IBM remediation is patch 4.7...
CVE-2014-0870
CVE-2014-0870 is an XSS vulnerability in IBM Algorithmics RICOS (ACLM) 4.5.0–4.7.0. The issue arises from unsanitized user-controllable input being reflected in the ACLM Web GUI and related UI components (examples include parameters in rcore6/main/showerror.jsp, buttonset.jsp, frameset.jsp, brow...
CVE-2014-0894
Summary: CVE-2014-0894 affects IBM Algo Credit Limits (RICOS ACLM) versions 4.5.0–4.7.0. Affects ACLM Web GUI; root cause is disclosure of database credentials (DbUser/DbPass) in clear text within an XML document read by the GUI, enabling an attacker to connect to the backend database and manipul...
CVE-2014-0868
CVE-2014-0868 affects IBM Algorithmics RICOS (versions 4.5.0–4.7.0) where the web client relies on client‑side input validation. This enables remote authenticated users to bypass dual‑control restrictions and modify data by manipulating an XML document, as demonstrated by altering read‑only limit...
CVE-2014-0867
rcore6/main/addcookie.jsp in RICOS in IBM Algo Credit Limits aka ACLM 4.5.0 through 4.7.0 before 4.7.0.03 FP5 in IBM Algorithmics allows remote attackers to create or modify cookies via the query string...