Multiple security vulnerabilities have been found in IBM products - WAF | Web Application Firewall | Kubernetes

Common Vulnerabilities and Exposures

Multiple security vulnerabilities have been found in IBM products

December 21, 2019

Overview :

Multiple security vulnerabilities have been fixed and delivered in IBM products.

Affected Product(s) :

IBM Financial Transaction Manager 3.0
IBM Cognos Business Intelligence 10.2.2
IBM Cognos Analytics 11.1
IBM Cognos Analytics 11.0

Vulnerability Details :

CVE ID :	CVE-2019-4736
	IBM Financial Transaction Manager is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. CVSS Base score: 4.3 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/172706 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)
CVE ID :	CVE-2019-4742
	IBM Financial Transaction Manager could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. CVSS Base score: 6.1 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/172877 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
CVE ID :	CVE-2019-4743
	IBM Financial Transaction Manager does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. CVSS Base score: 4.3 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/172880 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
CVE ID :	CVE-2019-4544
	IBM Financial Transaction Manager is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. CVSS Base score: 6.1 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/172882 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
CVE ID :	CVE-2018-1934
	IBM Cognos Business Intelligence is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. CVSS Base score: 4.3 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/153179 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)
CVE ID :	CVE-2019-4231
	IBM Cognos Analytics is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. CVSS Base score: 4.3 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/159356 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)
CVE ID :	CVE-2019-4555
	IBM Cognos Analytics is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. CVSS Base score: 5.4 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/166204 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Solution :

Affected Product / Version	Fix availability
IBM Financial Transaction Manager 3.0	IBM Cognos Business Intelligence 10.2.2 IF22
IBM Cognos Business Intelligence 10.2.2	Fix Pack 13 of IBM Financial Transaction Manager for SWIFT Services for Multiplatforms 3.0.
IBM Cognos Analytics 11.1	IBM Cognos Analyticxs 11.1.4.0
IBM Cognos Analytics 11.0	IBM Cognos Analytics 11.0.13 Fix Pack 3

CVE-2018-1934 CVE-2019-4231 CVE-2019-4544 CVE-2019-4555 CVE-2019-4736 CVE-2019-4742 CVE-2019-4743 IBM Cognos Business Intelligence 10.2.2 IBM Financial Transaction Manager 3.0

Advanced Machine Learning Based Web Security Solution

The Prophaze WAF can be deployed in any Public cloud such as AWS, GCP, Azure, Digital Ocean and on Private Cloud instance like Microk8s

100%

The security of your details is important to us. Prophaze Technologies collects a variety of data that you provide directly to us. The types of data we gather will depend upon the services you use, how you use them, and what you choose to provide. We process your details when necessary to provide you with the services that you have requested when accepting our Terms of Services or when we have the legitimate interest(security, testing, analytics, and so on) to do so please checkout our page.

Demo Request Form

Overlay Image

100% Advanced Machine Learning Based Bot Management Solution

Demo Request Form

Subscribe to Get Updated News on this CVE

Live Threat - Detect - Identify and Mitigation Platform

Prophaze All in One Web Security Platform

Overlay Image

Request Demo

Please fill in your details below we willget in touch with you