Thursday, 29 June 2017

Posted at 01:26 by admin
A vulnerability has been found in IBM WebSphere Portal 8.5 and 9.0 and classified as problematic. The affected function is unknown. Manipulation with an unknown input leads to a cross-site scripting vulnerability; the CWE classification is CWE-80 (improper neutralization of script-related HTML tags in a web page). The known impact is on integrity: an attacker might be able to inject arbitrary HTML and script code into the web site, which would alter its appearance and make it possible to run attacker-controlled script in the browsers of site visitors, enabling further attacks against them.
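As an added illustration, not IBM's code and not based on any detail of CVE-2017-1217 (none is public), the following Python shows the CWE-80 pattern in a generic request handler: a parameter concatenated into the page unencoded, beside the encoded form, with a small check that parses the rendered HTML and flags script elements or inline event-handler attributes. The payloads, template strings and function names are constructed for the example.

```python
# Added illustration (not IBM's code; no details of CVE-2017-1217 are public):
# the CWE-80 pattern in a generic handler, its hardened form, and a check that
# parses rendered HTML for script tags and event-handler attributes.
import html
from html.parser import HTMLParser

# Constructed attacker inputs for the two most common injection contexts:
# element content (a script tag) and a quoted attribute value (quote breakout).
SCRIPT_PAYLOAD = "<script>alert(document.cookie)</script>"
ATTR_PAYLOAD = '" onmouseover="alert(1)'


def render_unsafe(query: str) -> str:
    """Vulnerable: the request parameter is concatenated into the page as-is."""
    return f'<p>Results for: {query}</p><input name="q" value="{query}">'


def render_safe(query: str) -> str:
    """Hardened: HTML-encode the parameter before it reaches the page.

    html.escape() turns < > & " ' into character references, which neutralises
    both contexts as long as the template keeps attribute values quoted.
    """
    encoded = html.escape(query, quote=True)
    return f'<p>Results for: {encoded}</p><input name="q" value="{encoded}">'


class MarkupAudit(HTMLParser):
    """Counts script elements and on* event-handler attributes in rendered HTML."""

    def __init__(self) -> None:
        super().__init__()
        self.script_tags = 0
        self.event_handlers = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        self.event_handlers += sum(1 for name, _ in attrs if name.startswith("on"))


def has_injected_script(rendered: str) -> bool:
    """True if the page contains a script element or an inline event handler.

    The templates above emit neither, so any hit comes from the parameter.
    """
    audit = MarkupAudit()
    audit.feed(rendered)
    audit.close()
    return audit.script_tags > 0 or audit.event_handlers > 0


if __name__ == "__main__":
    for payload in (SCRIPT_PAYLOAD, ATTR_PAYLOAD):
        print("unsafe:", has_injected_script(render_unsafe(payload)))
        print("safe:  ", has_injected_script(render_safe(payload)))
```

The audit is deliberately simple: it only recognises the two markers the payloads use. Encoding at the point of output, as in render_safe, is the fix for this class of bug; a detector like MarkupAudit is useful in tests, not as a runtime filter.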

The weakness was published on 06/28/2017 in IBM security bulletin swg22004348, a confirmed advisory available for download at www-01.ibm.com. The vulnerability is tracked as CVE-2017-1217. The attack can be launched remotely and does not require any form of authentication. Neither technical details nor an exploit are publicly available. The price of an exploit is estimated at around USD $5k-$25k at the moment (estimate calculated on 06/29/2017).

Applying the vendor patch eliminates this problem. A mitigation was published at the same time the vulnerability was disclosed.
The vulnerability is also documented in the SecurityTracker vulnerability database (ID 1038797).

CVSSv3

VulDB Base Score: 5.3
VulDB Temp Score: 5.1
VulDB Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:X/RL:O/RC:C
VulDB Reliability: High

Vendor Base Score (IBM): 6.1
Vendor Vector (IBM): CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:X/RL:X/RC:X

Note that the two vectors differ. IBM rates the issue as requiring user interaction (UI:R) with a changed scope (S:C) and a low confidentiality impact (C:L), which is the usual profile of a cross-site scripting flaw where the victim's browser, not the portal server, is the affected component; the VulDB vector assumes no user interaction, unchanged scope and no confidentiality impact. That difference accounts for the 5.3 versus 6.1 base scores.

CVSSv2

VulDB Base Score: 4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
VulDB Temp Score: 3.7 (CVSS2#E:ND/RL:OF/RC:C)
VulDB Reliability: High


CPE

  • cpe:/a:ibm:websphere_portal:8.5
  • cpe:/a:ibm:websphere_portal:9.0

Exploiting

Class: Cross-site scripting (CWE-80)
Local: No
Remote: Yes

Exploit availability: No

Price Prediction: steady
Current Price Estimation: $5k-$25k

Countermeasures


Recommended: Patch
Status: Official fix
Reaction Time: 0 days since reported
0-Day Time: 0 days since found
Exposure Time: 0 days since known

Timeline

06/28/2017   Advisory disclosed
06/28/2017  +0 days Countermeasure disclosed
06/28/2017  +0 days SecurityTracker entry created
06/29/2017  +1 day VulDB entry created
06/29/2017  +0 days VulDB last update

Sources

Advisory: swg22004348
Status: Confirmed

CVE: CVE-2017-1217 (mitre.org) (nvd.nist.org) (cvedetails.com)
