SB2018011203 - Multiple vulnerabilities in IBM Security Access Manager
Published: January 12, 2018
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Cross-site scripting (CVE-ID: CVE-2017-1533)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
2) Open redirect (CVE-ID: CVE-2017-1534)
The vulnerability allows a remote attacker to redirect the target user to external websites.The vulnerability exists due to insufficient sanitization of untrusted input data when performing redirects to external websites. A remote attacker can use a crafted management console URL in a phishing attack to redirect the target user to a malicious web site.
3) Security restrictions bypass (CVE-ID: CVE-2017-1459)
The vulnerability allows a remote authenticated attacker to bypass security restrictions on the target system.The weakness exists due to permissions error. A remote attacker can bypass security restrictions to access and modify a security-critical resource.
4) Information disclosure (CVE-ID: CVE-2017-1478)
The vulnerability allows a local attacker to obtain potentially sensitive information.The weakness exists due to unspecified error. A local attacker can obtain potentially sensitive information from web pages stored locally on the target system.
Remediation
Install update from vendor's website.