IBM Cúram Universal Access is vulnerable to CRLF Injection attack when not deployed on IBM WebSphere.
CVE ID: CVE-2014-3069
DESCRIPTION:
The Universal Access component of IBM Cúram Social Program Management, when not deployed on IBM WebSphere Application Server, is vulnerable to a CRLF injection attack caused by improper sanitization of user-supplied input that is written into an HTTP response header field. A remote attacker could inject CRLF sequences into HTTP headers emitted by the custom JSPs via multiple unspecified parameters, which would allow the attacker to take control of a user's session or credentials, or in some cases to make the web application more amenable to further attacks. Such attacks take many forms, including cross-site scripting and HTTP response splitting.
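The defect class described above, as an added illustration that is not IBM's code: a header value copied verbatim into the response lets an embedded CR/LF terminate the header, while the hardened builder refuses such values. The parameter name and its value are constructed for the example; the detection check decodes URL encoding first, since the sequence usually arrives as `%0d%0a`.

```python
import re
from urllib.parse import unquote

# Constructed sample: a locale parameter as it might arrive URL-encoded in a request
# (hypothetical parameter and value, not taken from the bulletin).
SAMPLE_PARAM = "en_US%0d%0aX-Injected: 1"

CR_LF = re.compile(r"[\r\n]")


def header_value_is_safe(value: str) -> bool:
    """True if the value contains no CR or LF; RFC 7230 forbids both in header fields."""
    return CR_LF.search(value) is None


def param_contains_crlf(raw_param: str) -> bool:
    """Detection check: decode URL encoding first, otherwise %0d%0a slips past a naive scan."""
    return not header_value_is_safe(unquote(raw_param))


def build_response_unsafe(headers):
    """'Before' pattern: values are emitted verbatim, so a CR/LF inside a value ends the header."""
    lines = ["HTTP/1.1 200 OK"] + [f"{name}: {value}" for name, value in headers]
    return "\r\n".join(lines) + "\r\n\r\n"


def build_response_safe(headers):
    """Hardened pattern: refuse to emit any header whose value fails the check."""
    for name, value in headers:
        if not header_value_is_safe(value):
            raise ValueError(f"refusing to emit header {name!r}: CR/LF in value")
    return build_response_unsafe(headers)


def count_header_lines(raw_response: str) -> int:
    """Number of header lines in the response head; a split shows up as an extra line."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    return len(head.split("\r\n")) - 1  # drop the status line


if __name__ == "__main__":
    tainted = unquote(SAMPLE_PARAM)
    # One header was set, but the unsafe builder emits two: the injected line counts as a header.
    print(count_header_lines(build_response_unsafe([("Content-Language", tainted)])))  # 2
    print(param_contains_crlf(SAMPLE_PARAM))  # True
    print(count_header_lines(build_response_safe([("Content-Language", "en_US")])))  # 1
```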
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/94839 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)
Cúram Social Program Management – Universal Access
All products are affected when running code release 6.0.5.5.
Product | VRMF | Remediation/First Fix
---|---|---
Cúram SPM | 6.0.5.5 | Visit IBM Fix Central and upgrade to iFix 1.
None