SB2017082913 - Multiple vulnerabilities in IBM Sametime
Published: August 29, 2017 Updated: August 8, 2020
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 10 secuirty vulnerabilities.
1) Information disclosure (CVE-ID: CVE-2016-0358)
The vulnerability allows a remote authenticated user to gain access to sensitive information.
IBM Sametime 8.5.2 and 9.0 could allow an unauthorized authenticated user to enumerate group chat ID numbers and join meetings that he was not invited to. IBM X-Force ID: 111928.
2) Information disclosure (CVE-ID: CVE-2016-2964)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
IBM Sametime 8.5.2 and 9.0 under certain conditions provides an error message to a user that is too detailed and may reveal details about the application. IBM X-Force ID: 113813.
3) Information disclosure (CVE-ID: CVE-2016-2966)
The vulnerability allows a remote authenticated user to gain access to sensitive information.
IBM Sametime 8.5.1 and 9.0 could allow an authenticated user to enumerate meeting rooms by guessing the meeting room id. IBM X-Force ID: 113847.
4) Cross-site scripting (CVE-ID: CVE-2016-2967)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. The vulnerability allows users to embed arbitrary JavaScript code in the Sametime away message altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
5) Information disclosure (CVE-ID: CVE-2016-2974)
The vulnerability allows a local authenticated user to gain access to sensitive information.
IBM Sametime Connect 8.5.2 and 9.0, after uninstalling the Sametime Rich Client, could disclose potentially sensitive information related to the Sametime environment as well as other users on the local machine of the user. IBM X-Force ID: 113934.
6) Cross-site scripting (CVE-ID: CVE-2016-2975)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. The vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
7) Information disclosure (CVE-ID: CVE-2016-2976)
The vulnerability allows a remote authenticated user to gain access to sensitive information.
IBM Sametime Meeting Server 8.5.2 and 9.0 could allow a meeting invitee to obtain previously cleared sensitive information by viewing the meeting report history. IBM X-Force ID: 113936.
8) Information disclosure (CVE-ID: CVE-2016-2978)
The vulnerability allows a local authenticated user to gain access to sensitive information.
IBM Sametime 8.5.2 and 9.0 could store potentially sensitive information from the browser cache locally that could be available to a local user. IBM X-Force ID: 113938.
9) Improper Neutralization of Special Elements in Output Used by a Downstream Component (CVE-ID: CVE-2016-2980)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The Sametime WebPlayer 8.5.2 and 9.0 is vulnerable to a script injection where a malicious site can inject their own script by exploiting a vulnerability in the way that the WebPlayer works. IBM X-Force ID: 113993.
10) Input validation error (CVE-ID: CVE-2016-10503)
The vulnerability allows a remote authenticated user to manipulate data.
IBM Sametime Meeting Server 8.5.2 and 9.0 could allow an authenticated and invited user of Sametime meeting to lower any or all hands in an e-meeting, thus spoofing results of votes in the meeting. IBM X-Force ID: 113803.
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.
References
- http://www.ibm.com/support/docview.wss?uid=swg22006441
- http://www.securityfocus.com/bid/100572
- https://exchange.xforce.ibmcloud.com/vulnerabilities/111928
- https://exchange.xforce.ibmcloud.com/vulnerabilities/113813
- https://exchange.xforce.ibmcloud.com/vulnerabilities/113847
- https://exchange.xforce.ibmcloud.com/vulnerabilities/113848
- http://www.ibm.com/support/docview.wss?uid=swg22006444
- http://www.securityfocus.com/bid/100528
- https://exchange.xforce.ibmcloud.com/vulnerabilities/113934
- https://exchange.xforce.ibmcloud.com/vulnerabilities/113935
- https://exchange.xforce.ibmcloud.com/vulnerabilities/113936
- https://exchange.xforce.ibmcloud.com/vulnerabilities/113938
- http://www.ibm.com/support/docview.wss?uid=swg22006447
- http://www.securityfocus.com/bid/100531
- https://exchange.xforce.ibmcloud.com/vulnerabilities/113993
- http://www.ibm.com/support/docview.wss?uid=swg22006439
- https://exchange.xforce.ibmcloud.com/vulnerabilities/113803