Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM9D82307350DBA3C2E732B519728ADCBBA4E42942EC2EDA1387CCB763432CAFAB
HistoryJun 06, 2019 - 4:40 p.m.

Security Bulletin: IBM API Connect V5 is impacted by Cross Site Scripting vulnerability (CVE-2016-10531 CVE-2018-3721 CVE-2017-0268)

2019-06-0616:40:01
www.ibm.com
23

EPSS

0.007

Percentile

80.1%

JSON

Summary

API Connect has addressed the following vulnerability.

Vulnerability Details

CVEID:CVE-2017-0268
**DESCRIPTION:*Microsoft Server Message Block 1.0 (SMBv1) could allow a remote attacker to obtain sensitive information, caused by improper handling of incoming requests. By sending specially-crafted packet data to the server, a remote attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/125554&gt; for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:CVE-2018-3721
**DESCRIPTION:*Node.js lodash module could allow a remote attacker to bypass security restrictions, caused by a flaw in the defaultsDeep, 'merge, and mergeWith functions. By modifing the prototype of Object, an attacker could exploit this vulnerability to add or modify existing property that will exist on all objects.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/144603&gt; for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2016-10531
**DESCRIPTION:*Node.js marked module is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the link components. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base Score: 6.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/149101&gt; for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

Affected IBM API Management Affected Versions
IBM API Connect 5.0.0.0-5.0.8.6

Remediation/Fixes

Affected Product Fixed in VRMF APAR Remediation / First Fix
IBM API Connect V5.0.0.0-5.0.8.6 5.0.8.6 iFix

LI80859

|

Addressed in IBM API Connect V5.0.8.6 iFix.

Management server is impacted.

Follow this link and find the appropriate package:
http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+API+Connect&release=5.0.8.6&platform=All&function=all&source=fc

Workarounds and Mitigations

None

Related

ibm 17
nessus 11
osv 4
nvd 10
nodejs 2
github 2
debiancve 2
cvelist 9
cve 10
ubuntucve 2
prion 10
redhatcve 1
veracode 1
hackerone 1
mscve 1
symantec 1
openvas 10
mskb 11
kaspersky 2
redhat 1
ics 1
kitploit 1
trendmicroblog 1
ibm
ibm
Security Bulletin: IBM API Connect is affected by vulnerabilities in Node JS modules (CVE-2018-3721 CVE-2016-10531)
2019-04-29 22:25:02
Security Bulletin: Multiple vulnerabilities affect IBM Voice Gateway
2018-12-06 18:55:01
Security Bulletin: IBM API Connect is impacted by multiple open source software vulnerabilities.
2019-04-01 17:05:01
nessus
nessus
RHEL 8 : lodash (Unpatched Vulnerability)
2024-05-11 00:00:00
Microsoft Windows SMBv1 Multiple Vulnerabilities
2017-05-26 00:00:00
Microsoft Security Advisory 4025685: Windows Vista (June 2017)
2017-06-14 00:00:00
osv
osv
Prototype Pollution in lodash
2018-07-26 15:14:52
Sanitization bypass using HTML Entities in marked
2019-02-18 23:58:20
CVE-2016-10531
2018-05-31 20:29:01
nvd
nvd
CVE-2018-3721
2018-06-07 02:29:08
CVE-2016-10531
2018-05-31 20:29:01
CVE-2016-1000013
2018-06-17 20:29:00
nodejs
nodejs
Sanitization bypass using HTML Entities
2016-04-18 16:26:59
Prototype Pollution
2018-04-24 14:27:02
github
github
Sanitization bypass using HTML Entities in marked
2019-02-18 23:58:20
Prototype Pollution in lodash
2018-07-26 15:14:52
debiancve
debiancve
CVE-2018-3721
2018-06-07 02:29:08
CVE-2016-10531
2018-05-31 20:29:01
cvelist
cvelist
CVE-2018-3721
2018-06-07 02:00:00
CVE-2016-10531
2018-05-31 20:00:00
CVE-2017-0276
2017-05-12 14:00:00
cve
cve
CVE-2018-3721
2018-06-07 02:29:08
CVE-2016-10531
2018-05-31 20:29:01
CVE-2016-1000013
2018-06-17 20:29:00
ubuntucve
ubuntucve
CVE-2018-3721
2018-06-07 00:00:00
CVE-2016-10531
2018-05-31 00:00:00
prion
prion
Code injection
2018-06-07 02:29:00
Code injection
2018-05-31 20:29:00
Design/Logic Flaw
2018-06-17 20:29:00
redhatcve
redhatcve
CVE-2018-3721
2018-02-15 19:19:56
veracode
veracode
Prototype Pollution
2018-02-15 05:19:49
hackerone
hackerone
Node.js third-party modules: Prototype pollution attack (lodash)
2018-01-30 06:36:13
mscve
mscve
Windows SMB Information Disclosure Vulnerability
2017-05-09 07:00:00
symantec
symantec
Microsoft Windows SMB Server CVE-2017-0268 Information Disclosure Vulnerability
2017-05-09 00:00:00
openvas
openvas
Discourse < 2.3.0.beta10 Multiple Vulnerabilities
2019-06-17 00:00:00
Microsoft SMB Multiple Vulnerabilities (KB4018466)
2017-05-10 00:00:00
Microsoft Windows Multiple Vulnerabilities (KB4019623)
2017-06-19 00:00:00
mskb
mskb
Security update for the Windows SMB Information Disclosure Vulnerability in Windows Server 2008: May 9, 2017
2017-05-09 07:00:00
May 9, 2017—KB4019213 (Security-only update)
2017-05-09 07:00:00
May 9, 2017—KB4019214 (Security-only update)
2017-05-09 07:00:00
kaspersky
kaspersky
KLA11009 Multiple vulnerabilities in Microsoft Windows
2017-05-09 00:00:00
KLA11077 Multiple vulnerabilities in Microsoft Products (ESU)
2017-05-09 00:00:00
redhat
redhat
(RHSA-2021:3917) Important: Red Hat Quay v3.6.0 security, bug fix and enhancement update
2021-10-19 12:05:33
ics
ics
Philips Intellispace Portal ISP Vulnerabilities
2018-02-27 12:00:00
kitploit
kitploit
Trivy - A Simple And Comprehensive Vulnerability Scanner For Containers, Suitable For CI
2019-11-05 12:00:00
trendmicroblog
trendmicroblog
TippingPoint Threat Intelligence and Zero-Day Coverage – Week of May 8, 2017
2017-05-12 16:47:57

EPSS

0.007

Percentile

80.1%

JSON
Related for 9D82307350DBA3C2E732B519728ADCBBA4E42942EC2EDA1387CCB763432CAFAB
ibm17nessus11osv4nvd10nodejs2github2debiancve2cvelist9cve10ubuntucve2prion10redhatcve1veracode1hackerone1mscve1symantec1openvas10mskb11kaspersky2redhat1ics1kitploit1trendmicroblog1