Lucene search

IBM292D91FB28F9C9117B85FB71D1836FB3B9534F81AD7E4A1AA14ADCB364829BA7

HistoryJan 10, 2023 - 10:31 a.m.

Security Bulletin: IBM Sterling Partner Engagement Manager is vulnerable to cross-site scripting due to Apache Tomcat (CVE-2022-34305)

2023-01-1010:31:23

www.ibm.com

ibm sterling partner engagement manager

cross-site scripting

apache tomcat

cve-2022-34305

vulnerability

remediation

version 6.1.2.7

version 6.2.0.5

version 6.2.1.2

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

44.0%

JSON

Summary

IBM Sterling Partner Engagement Manager has addressed a vulnerability published by Apache Tomcat for cross-site scripting.

Vulnerability Details

CVEID:CVE-2022-34305
**DESCRIPTION:**Apache Tomcat is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability using the Form authentication example in the examples web application to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/229596 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM Sterling Partner Engagement Manager Standard	6.1.2, 6.2.0, 6.2.1

Remediation/Fixes

Product	Version	Remediation
IBM Sterling Partner Engagement Manager Standard Edition	6.1.2.7	http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FIBM+Sterling+Partner+Engagement+Manager+Software&fixids=IBM_PEM_Standard_6.1.2.7&source=SAR
IBM Sterling Partner Engagement Manager Standard Edition	6.2.0.5	http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FIBM+Sterling+Partner+Engagement+Manager+Software&fixids=IBM_PEM_Standard_6.2.0.5&source=SAR
IBM Sterling Partner Engagement Manager Standard Edition	6.2.1.2	https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FOther+software%2FIBM+Sterling+Partner+Engagement+Manager+Software&fixids=IBM_PEM_Standard_6.2.1.2&source=SAR

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmmulti-enterprise_integration_gatewayMatch6.1

ibmmulti-enterprise_integration_gatewayMatch6.2

ibmmulti-enterprise_integration_gatewayMatch6.2.1

VendorProductVersionCPE
ibmmulti-enterprise_integration_gateway6.1cpe:2.3:a:ibm:multi-enterprise_integration_gateway:6.1:*:*:*:*:*:*:*
ibmmulti-enterprise_integration_gateway6.2cpe:2.3:a:ibm:multi-enterprise_integration_gateway:6.2:*:*:*:*:*:*:*
ibmmulti-enterprise_integration_gateway6.2.1cpe:2.3:a:ibm:multi-enterprise_integration_gateway:6.2.1:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ibm	multi-enterprise_integration_gateway	6.1	cpe:2.3:a:ibm:multi-enterprise_integration_gateway:6.1:::::::*
ibm	multi-enterprise_integration_gateway	6.2	cpe:2.3:a:ibm:multi-enterprise_integration_gateway:6.2:::::::*
ibm	multi-enterprise_integration_gateway	6.2.1	cpe:2.3:a:ibm:multi-enterprise_integration_gateway:6.2.1:::::::*