History: May 10, 2024 - 4:00 p.m.

Security Bulletin: IBM App Connect Enterprise is vulnerable to an HTML injection attack (CVE-2024-28761)

2024-05-10 16:00:41
www.ibm.com
Tags: ibm app connect enterprise, html injection, cve-2024-28761, vulnerability, fix pack, it45956

CVSS3: 5.4 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

AI Score: 6.9 Medium (Confidence: Low)
EPSS: 0.0004 Low (Percentile: 9.0%)

Summary

IBM App Connect Enterprise Admin API and Dashboard are vulnerable to an HTML injection attack. This bulletin identifies the steps to take to address the vulnerability.

Vulnerability Details

CVEID: CVE-2024-28761
**DESCRIPTION:** IBM App Connect Enterprise is vulnerable to HTML injection. A remote attacker could inject malicious HTML code which, when viewed, would be executed in the victim's web browser within the security context of the hosting site. Read together, the vector components PR:L, UI:R and S:C describe an attacker who already holds a low-privileged account planting the content, with the impact landing in the browser of another user who views it.
CVSS Base score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/285245 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
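To make the bug class concrete, the following is an added example that is not IBM's code and does not reflect how the App Connect Enterprise Admin API or Dashboard is implemented. It shows a hypothetical dashboard table cell that renders a user-controlled display name, first by raw string concatenation (the HTML-injection pattern the bulletin describes) and then with output escaping. The field, the payload, the `/api/admin/keys` path and the `injectsMarkup` helper are all constructed for the illustration.

```javascript
// Added illustration of HTML injection in a web UI. NOT IBM App Connect
// Enterprise code; the "display name" field and the admin path are
// hypothetical stand-ins for any attacker-influenced string a page renders.

// Constructed sample: a value a low-privileged user could submit through an
// admin API, carrying markup instead of a plain name.
const ATTACKER_NAME = '<img src=x onerror="fetch(\'/api/admin/keys\')">';

// Vulnerable pattern: untrusted data concatenated straight into HTML.
// Any markup inside `name` becomes part of the DOM of whoever views the page,
// and runs with that viewer's session and origin.
function renderUnsafe(name) {
  return '<td class="owner">' + name + '</td>';
}

// Escaping for HTML element text and double-quoted attribute values.
// Not sufficient on its own for URL, JavaScript or CSS contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  })[ch]);
}

// Hardened pattern: the same cell, with the untrusted value escaped so the
// browser displays the characters instead of parsing them as markup.
function renderSafe(name) {
  return '<td class="owner">' + escapeHtml(name) + '</td>';
}

// Rough detector used only to demonstrate the difference: after stripping the
// <td> wrapper we wrote ourselves, is there any tag-like token left?
function injectsMarkup(html) {
  const inner = html.replace(/^<td class="owner">/, '').replace(/<\/td>$/, '');
  return /<[a-zA-Z!\/]/.test(inner);
}

console.log(renderUnsafe(ATTACKER_NAME)); // the raw <img ... onerror=...> lands in the page
console.log(renderSafe(ATTACKER_NAME));   // the same payload, rendered as inert text
console.log(injectsMarkup(renderUnsafe(ATTACKER_NAME)), injectsMarkup(renderSafe(ATTACKER_NAME)));
```

In a real UI, prefer DOM APIs that never parse the value as markup (`textContent`, `setAttribute`) or a templating engine that escapes by default, and serve a Content-Security-Policy whose script-src omits 'unsafe-inline' so an injected inline handler such as `onerror` is blocked even where escaping is missed.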

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM App Connect Enterprise | 12.0.1.0 - 12.0.12.0 |
| IBM App Connect Enterprise | 11.0.0.1 - 11.0.0.25 |

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by applying the appropriate fix to IBM App Connect Enterprise.

| Affected Product(s) | Version(s) | APAR | Remediation / Fixes |
|---|---|---|---|
| IBM App Connect Enterprise | 12.0.1.0 - 12.0.12.0 | IT45956 | The APAR (IT45956) is available from IBM App Connect Enterprise v12 - Fix Pack Release 12.0.12.1 |
| IBM App Connect Enterprise | 11.0.0.1 - 11.0.0.25 | IT45956 | The APAR (IT45956) is available from IBM App Connect Enterprise v11 - Fix Pack Release 11.0.0.26 |
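The affected ranges and fix-pack numbers above can be turned into a mechanical check. The following is an added example, not IBM's tooling: it encodes the two version ranges and the fix packs carrying IT45956 exactly as this bulletin lists them and reports, for a constructed inventory, which installs fall inside an affected range. How the installed version string is obtained (inventory, CMDB, a ticket) is an assumption left to the caller, the hostnames are made up, and release lines the bulletin does not mention are reported as "not in an affected range" rather than as safe.

```javascript
// Added helper, not part of IBM's bulletin or product: given a version
// string, decide whether an IBM App Connect Enterprise install is inside a
// range this bulletin lists as affected, and which fix pack carries IT45956.
// Ranges and fix-pack numbers are copied from the bulletin.

const AFFECTED_RANGES = [
  { first: '12.0.1.0', last: '12.0.12.0', fixedIn: '12.0.12.1', apar: 'IT45956' },
  { first: '11.0.0.1', last: '11.0.0.25', fixedIn: '11.0.0.26', apar: 'IT45956' },
];

// Parse "a.b.c.d" into four numbers; missing trailing components count as 0,
// so "12.0.12" compares like "12.0.12.0". Throws on anything non-numeric.
function parseVersion(v) {
  const parts = String(v).trim().split('.');
  if (parts.length > 4 || parts.some((p) => !/^\d+$/.test(p))) {
    throw new Error(`unparseable version: ${JSON.stringify(v)}`);
  }
  while (parts.length < 4) parts.push('0');
  return parts.map(Number);
}

// Numeric, component-wise comparison (so 12.0.12.0 > 12.0.2.0): -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 4; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Returns null when the version is outside every listed range (already at or
// past the fix pack, or a release line the bulletin does not mention);
// otherwise the matching range with the fix pack to apply.
function assessVersion(installed) {
  for (const r of AFFECTED_RANGES) {
    if (compareVersions(installed, r.first) >= 0 && compareVersions(installed, r.last) <= 0) {
      return { installed, affected: true, fixedIn: r.fixedIn, apar: r.apar };
    }
  }
  return null;
}

// Constructed sample inventory; the hosts are not real.
const SAMPLE_INVENTORY = [
  { host: 'ace-prod-01', version: '12.0.11.0' },
  { host: 'ace-prod-02', version: '12.0.12.1' },
  { host: 'ace-legacy-01', version: '11.0.0.25' },
  { host: 'ace-legacy-02', version: '11.0.0.26' },
];

// One line per host, suitable for pasting into a ticket.
function report(inventory) {
  return inventory.map(({ host, version }) => {
    const hit = assessVersion(version);
    return hit
      ? `${host} ${version}: AFFECTED, apply fix pack ${hit.fixedIn} (APAR ${hit.apar})`
      : `${host} ${version}: not in an affected range`;
  });
}

for (const line of report(SAMPLE_INVENTORY)) console.log(line);
```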

Workarounds and Mitigations

None

Affected configurations (Vulners)

ibm app_connect_enterprise 12.0.1.0 through 12.0.12.0
OR
ibm app_connect_enterprise 11.0.0.1 through 11.0.0.25
