For example, an attacker who is logged into the system as an administrator could log another administrator out of the system. This action would then result in the attacker being able to sign into the system as the administrator. The severity of this issue depends on the nature of the data that is stored on the system.

Due to the lack of session validation in IBM Sterling Partner Engagement Manager 2.0, attackers can change the administrator password via email and change the password of another administrator via the web interface, allowing the attacker to potentially escalate privileges and/or access critical information on the system. IBM X-Force ID: 229513.

Due to this misconfiguration, the administrator's email address is visible in the web interface. An attacker who knows the email address of an administrator can easily impersonate this administrator via email and then gain full access to the system. IBM X-Force ID: 229507.

Due to the lack of session validation in IBM Sterling Partner Engagement Manager 2.0, an attacker who is logged into the system as an administrator could log another administrator out of the system. This action would then result in the attacker being able to sign into the system as the administrator. The severity of this issue depends on the nature of the data that is stored on the system.

Due to the lack of session validation in IBM Sterling Partner Engagement Manager 2

IBM X-Force ID: 229388

For example, an administrative account could be created that allows the attacker to modify system files that are stored in the registry.

IBM Sterling Partner Engagement Manager 2.0 CVE-2022-34334

IBM Sterling Partner Engagement Manager 3.0

For example, an attacker who is logged into the system as an administrator could log another administrator out of the system. This action would then result in the attacker being able to sign into the system as the administrator. The severity of this issue depends on the nature of the data that is stored on the system.

Due to the lack of session validation in IBM Sterling Partner Engagement Manager 3.0, attackers can change the administrator password via email and change the password of another administrator via the web interface, allowing the attacker to potentially escalate privileges and/or access critical information on the system. IBM X-Force ID: 229513.

IBM Sterling Partner Engagement Manager 3.1

Two security vulnerabilities have been discovered in IBM Sterling Partner Engagement Manager 3.1, a suite of IBM software products used by service providers to manage their business relationships. These vulnerabilities affect the IBM Sterling Partner Engagement Manager Web Interface and the IBM Sterling Partner Engagement Manager API.

CVE-2022-34334:
This vulnerability is defined as a privilege escalation that could allow an attacker to change the administrator password by email and change the password of another administrator via the web interface.
CVE-2022-34335:
The lack of session validation in this product allows an attacker who is logged into the system as an administrator to log another administrator out of the system, which would then result in the attacker being able to sign into the system as the administrator. The severity of this issue depends on what data is stored on this system.

IBM SDK, QRadar and X-Force ID: 227095

In the case of an application that uses IBM Sterling Partner Engagement Manager (PEM), an attacker who is logged into the system as a normal user could log an administrator account out of the system. This action would then result in the attacker being able to sign into the system as the administrator. The severity of this issue depends on the nature of the data that is stored on the system.

Due to this misconfiguration, an attacker who knows a normal user's email address could impersonate that user via email and then gain full access to the system.

Timeline

Published on: 10/10/2022 21:15:00 UTC
Last modified on: 10/12/2022 18:43:00 UTC