SB2014050901 - Multiple vulnerabilities in IBM Operational Decision Manager

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2014050901

SB2014050901 - Multiple vulnerabilities in IBM Operational Decision Manager

Published: May 9, 2014 Updated: August 10, 2020

Security Bulletin ID SB2014050901
Severity
Low
Patch available
NO
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.


1) Cross-site scripting (CVE-ID: CVE-2014-0944)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in the RES Console in Rule Execution Server in IBM Operational Decision Manager 7.5 before FP3 IF37, 8.0 before MP1 FP2, and 8.5 before MP1 IF26. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.


2) Cross-site scripting (CVE-ID: CVE-2014-0945)

Vulnerability allows a remote attacker to perform Cross-site scripting attacks.

An input validation error exists in the RES Console in Rule Execution Server in IBM Operational Decision Manager 7.5 before FP3 IF37, 8.0 before MP1 FP2, and 8.5 before MP1 IF26. A remote authenticated attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.


3) Information disclosure (CVE-ID: CVE-2014-0946)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The RES Console in Rule Execution Server in IBM Operational Decision Manager 7.5 before FP3 IF37, 8.0 before MP1 FP2, and 8.5 before MP1 IF26 does not send appropriate Cache-Control HTTP headers, which allows remote attackers to obtain sensitive information by leveraging an unattended workstation.


Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.

References