SB2018060507 - Multiple vulnerabilities in IBM Information Server
Published: June 5, 2018 Updated: June 5, 2018
Security Bulletin ID
SB2018060507
Severity
Low
Patch available
YES
Number of vulnerabilities
3
Exploitation vector
Remote access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) Cross-frame scripting (CVE-ID: CVE-2018-1432)
The vulnerability allows a remote attacker to execute a cross-frame scripting (XFS) attack.The weakness exists due to insufficient protections for HTML inline frames (iframes). A remote attacker can trick the victim into visiting a specially crafted website, load valid content from the target system within an HTML iframe and attempt to conduct cross-site scripting, cross-site request forgery, clickjacking, or phishing attacks.
2) Man-in-the-middle attack (CVE-ID: CVE-2018-1454)
The vulnerability allows a remote attacker to conduct man-in-the-middle attack.
The vulnerability exists due to system does not properly enable HTTP Strict Transport Security. A remote attacker can conduct man-in-the-middle attack, intercept of the communication channel between the affected app and access arbitrary data.
3) Privilege escalation (CVE-ID: N/A)
The vulnerability allows a local attacker to gain elevated privileges on the target system.The weakness exists due to improper access controls. A local attacker can escalate his privileges to administrator and perform further attacker.
Remediation
Install update from vendor's website.