IBM Security Identity Manager Remote Code Execution Vulnerability

The value used to build the redirect destination is not validated strictly enough, so an attacker can supply a destination of their own choosing (an open redirect). In order to exploit this issue, an attacker would need to persuade a victim to visit a malicious Web site: typically the victim follows a link into the trusted application that carries the attacker's destination, and the application then sends the browser on to the attacker's site. IBM X-Force ID: 206090
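The hardening a practitioner would want for the flaw described above, as an added example (not IBM's code): a redirect-target check that allows only site-relative paths or absolute http(s) URLs on an allow-listed host, and rejects the usual bypass shapes (scheme-relative `//host`, backslash variants, the allowed host hidden in the userinfo part, non-http schemes, CRLF). The allowed host `idm.example.com`, the fallback page `/itim/console`, the function names and the sample destinations are assumptions constructed for the demonstration.

```python
"""Validating a redirect destination: added example, not IBM's code.

The advisory's weakness is that the value which becomes the redirect target is
not checked strictly enough.  The allowed host, the default landing page and
the function names below are assumptions made for this demonstration.
"""
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"idm.example.com"}   # assumption: hosts the application may send users to
DEFAULT_TARGET = "/itim/console"      # assumption: safe page to fall back to


def redirect_target_vulnerable(dest: str) -> str:
    """The open-redirect pattern: the client-supplied value is used unchanged."""
    return dest


def is_safe_redirect(dest: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Accept only site-relative paths or absolute http(s) URLs on an allowed host."""
    if not dest or dest != dest.strip() or any(ord(c) < 0x20 for c in dest):
        # Empty, leading/trailing whitespace, CR/LF (header injection) or other
        # control characters: browsers strip some of these before parsing, so
        # reject rather than try to normalise.
        return False
    parts = urlsplit(dest)
    if parts.scheme == "" and parts.netloc == "":
        # Site-relative path.  "//evil.example" parses with a netloc and never
        # reaches here, but "/\evil.example" does: browsers treat the backslash
        # as a slash, so it would become a scheme-relative URL.  Reject it.
        return dest.startswith("/") and not dest.startswith(("//", "/\\"))
    if parts.scheme.lower() not in ("http", "https"):
        return False                      # javascript:, data:, custom schemes
    host = parts.hostname                 # lower-cased, userinfo and port removed
    return host is not None and host.lower() in allowed_hosts


def redirect_target_hardened(dest: str) -> str:
    """Return dest if it passes the allow-list check, else the default page."""
    return dest if is_safe_redirect(dest) else DEFAULT_TARGET


# Constructed sample inputs: a legitimate link or two and typical bypass attempts.
SAMPLE_DESTINATIONS = [
    "/itim/console?view=requests",                  # legitimate, site-relative
    "https://idm.example.com/itim/self",            # legitimate, absolute
    "https://evil.example/phish",                   # plain attacker host
    "//evil.example/phish",                         # scheme-relative
    "/\\evil.example/phish",                        # backslash variant
    "https://idm.example.com@evil.example/",        # allowed host in userinfo
    "https:evil.example",                           # scheme without authority
    "javascript:alert(document.cookie)",            # non-http scheme
    "/itim/console\r\nSet-Cookie: sid=attacker",    # CRLF header injection
]


def evaluate_samples() -> dict:
    """Map each sample destination to where the hardened check sends the user."""
    return {dest: redirect_target_hardened(dest) for dest in SAMPLE_DESTINATIONS}
```

The check deliberately does not try to "repair" a suspicious value; anything that is not plainly safe falls back to the default page, which is the behaviour you want when the only cost of a false negative is a redirect to the console.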

CVE-2018-2769 IBM Security Identity Manager 6.0 and 6.0.2 has XSS via the system_profile_field parameter in the system_profile API. This API is accessible by administrators only, so an attacker needs an administrative session or must get an administrator to submit the crafted request. The injected web script or HTML executes in the browser of the user who views the affected page, within the application's origin; it does not run as code on the server.

CVE-2018-2768 In certain cases, an attacker could exploit an XSS vulnerability in the LDAP search functionality of IBM Security Identity Manager via a malicious LDAP search request: the injected web script or HTML is reflected into the response and executes in the browser of the user who submitted it.

CVE-2018-2767 In certain cases, an attacker could exploit an XSS vulnerability in the LDAP search functionality of IBM Security Identity Manager via a malicious LDAP search request: the injected web script or HTML is reflected into the response and executes in the browser of the user who submitted it.

CVE-2018-2766 In certain cases, an attacker could exploit an XSS vulnerability in the LDAP search functionality of IBM Security Identity Manager via a malicious LDAP search request: the injected web script or HTML is reflected into the response and executes in the browser of the user who submitted it.

CVE-2018-2765 In certain cases, an attacker could exploit the XSS vulnerability

How does IBM Security Identity Manager XSS work?

The vulnerability in IBM Security Identity Manager is a reflected cross-site scripting flaw in the LDAP search functionality. The attacker places script or HTML in the search term of an LDAP search request; the application echoes that term into the HTML response without output encoding, and the browser of the user who submitted the request executes it within the application's origin. The code therefore runs in the victim's browser session, not on the server: what the attacker obtains is that user's session and the actions it is allowed to perform (for an administrator, everything the console allows), not a shell on the host. Exploitation usually means getting a logged-in user to follow a crafted link or submit a crafted form.
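A worked version of the two mistakes that make such a search page exploitable, as an added example (not IBM Security Identity Manager code): a search term goes into an LDAP filter and comes back out into HTML, and each direction needs its own encoding. The vulnerable builders concatenate the term; the hardened ones apply RFC 4515 filter escaping on the way in and HTML encoding on the way out. The attribute names, page layout, function names, the two directory entries and the payload are assumptions constructed for the demonstration.

```python
"""Reflected XSS in a search page: added example, not IBM Security Identity Manager code.

A search term travels in two directions: into an LDAP filter, and back into the
HTML that shows the results.  Each direction needs its own encoding.  The LDAP
attribute names, the page layout and the function names are assumptions made
for this demonstration; the directory entries and payload are constructed.
"""
import html

# RFC 4515 escaping for values placed inside an LDAP search filter.
_LDAP_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_ldap_filter_value(value: str) -> str:
    """Escape the characters that would let a value change the filter's structure."""
    return "".join(_LDAP_FILTER_ESCAPES.get(c, c) for c in value)


def build_person_filter_vulnerable(term: str) -> str:
    """Filter built by concatenation: a term like '*)(uid=*' breaks out of the cn clause."""
    return f"(&(objectClass=person)(cn=*{term}*))"


def build_person_filter(term: str) -> str:
    """Same search with the term escaped, so it can only ever match a cn value."""
    return f"(&(objectClass=person)(cn=*{escape_ldap_filter_value(term)}*))"


def render_results_vulnerable(term: str, entries: list) -> str:
    """The reflected-XSS pattern: the term and directory values go into HTML untouched."""
    rows = "".join(f"<li>{e['cn']}</li>" for e in entries)
    return f"<p>Results for: {term}</p><ul>{rows}</ul>"


def render_results_hardened(term: str, entries: list) -> str:
    """Every untrusted string is HTML-encoded at the point it enters the markup.

    Directory attribute values are treated as untrusted too: anyone able to write
    to the directory could otherwise store markup that runs for every viewer.
    """
    rows = "".join(f"<li>{html.escape(e['cn'], quote=True)}</li>" for e in entries)
    return f"<p>Results for: {html.escape(term, quote=True)}</p><ul>{rows}</ul>"


# Constructed sample data: two directory entries and a typical reflected payload.
CONSTRUCTED_ENTRIES = [{"cn": "Alice Admin"}, {"cn": "Bob <b onmouseover=alert(1)>B</b>"}]
XSS_PAYLOAD = '<img src=x onerror="alert(document.cookie)">'


def payload_survives(page: str, payload: str = XSS_PAYLOAD) -> bool:
    """True when the raw payload is present in the output, i.e. the browser would run it."""
    return payload in page
```

Run `render_results_vulnerable(XSS_PAYLOAD, CONSTRUCTED_ENTRIES)` and the `<img ... onerror>` tag comes back intact, which is exactly what a victim's browser would execute; the hardened renderer returns it as `&lt;img ... &gt;`, inert text. The filter half matters for the same search box: without escaping, `ali*)(uid=*` rewrites the query rather than searching for that string.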

Timeline

Published on: 08/30/2022 19:15:00 UTC
Last modified on: 09/02/2022 19:50:00 UTC
