There are multiple security vulnerabilities in Jetspeed that affect IBM Sterling B2B Integrator
CVSS Base Score: 6.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111887> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
CVEID: CVE-2016-0712 DESCRIPTION: Apache Jetspeed is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the URI path directory. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victimâs Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victimâs cookie-based authentication credentials.
CVSS Base Score: 6.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111888> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
CVEID: CVE-2016-2171 DESCRIPTION: Apache Jetspeed could allow a remote attacker to bypass security restrictions, caused by the failure to restrict access to the User Manager REST service. An attacker could exploit this vulnerability to gain unauthorized access to the application.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111889> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVEID: CVE-2016-0710 DESCRIPTION: Apache Jetspeed is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the User Manager service using the user or role parameter, which could allow the attacker to view, add, modify or delete information in the back-end database.
CVSS Base Score: 6.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111886> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
CVEID: CVE-2016-0709 DESCRIPTION: Apache Jetspeed could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request to the Import/Export function in the Portal Site Manager containing âdot dotâ sequences (/âĻ/) in a ZIP archive to upload a .jsp file to write it to a disk and execute arbitrary code on the system.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111885> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
IBM Sterling B2b Integrator 5.2.0.1 - 5.2.6.3
PRODUCT & Version
|
Remediation/Fix
â|â
IBM Sterling B2B Integrator 5.2.0.1 - 5.2.6.3
|
Apply IBM Sterling B2B Integrator version 6.0.0.0 or 5.2.6.4 available on Fix Central
None
CPE | Name | Operator | Version |
---|---|---|---|
ibm sterling b2b integrator | eq | 5.2.0.1 | |
ibm sterling b2b integrator | eq | 5.2.6.3 |