Back

CVE-2024-37528

July 8, 2024, 3:49 p.m.

Awaiting Analysis
CVE has been recently published to the CVE List and has been received by the NVD.

Products

IBM Cloud Pak for Business Automation

  • 18.0.0
  • 18.0.1
  • 18.0.2
  • 19.0.1
  • 19.0.2
  • 19.0.3
  • 20.0.1
  • 20.0.2
  • 20.0.3
  • 21.0.1
  • 21.0.2
  • 21.0.3
  • 22.0.1
  • 22.0.2
  • 23.0.1
  • 23.0.2

Source

psirt@us.ibm.com

Tags

CWE-79
psirt@us.ibm.com
2024-07-08
CVE-2024-37528

CVE-2024-37528 details

Published : July 8, 2024, 3:15 a.m.
Last Modified : July 8, 2024, 3:49 p.m.

Description

IBM Cloud Pak for Business Automation 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, 22.0.2, 23.0.1, and 23.0.2 is vulnerable to cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 294293.

CVSS Score

1 2 3 4.8 5 6 7 8 9 10

Weakness

Weakness Name Description
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CVSS Data

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

Base Score

4.8

Exploitability Score

1.7

Impact Score

2.7

Base Severity

MEDIUM

Vector String : CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

References

URL Source
https://exchange.xforce.ibmcloud.com/vulnerabilities/294293 psirt@us.ibm.com
https://www.ibm.com/support/pages/node/7159332 psirt@us.ibm.com
This website uses the NVD API, but is not approved or certified by it.