ID

VAR-201812-0384


CVE

CVE-2018-1661


TITLE

IBM DataPower Gateway Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2018-012921

DESCRIPTION

IBM DataPower Gateways 7.5, 7.5.1, 7.5.2, and 7.6 are vulnerable to cross-site request forgery, which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 144887. IBM DataPower Gateway contains a cross-site scripting vulnerability. The vendor has published this vulnerability as IBM X-Force ID: 144887. Information may be obtained or altered, and service operation may be disrupted (DoS). Exploiting this issue may allow a remote attacker to perform certain unauthorized actions in the context of the affected application. Other attacks are also possible. The following versions of the product are vulnerable: IBM DataPower Gateway 7.6.0.0 through 7.6.0.9, 7.5.2.0 through 7.5.2.16, 7.5.1.0 through 7.5.1.16, and 7.5.0.0 through 7.5.0.17. IBM DataPower Gateway is a secure, integrated platform from IBM (United States) designed for mobile, cloud, application programming interface (API), network, service-oriented architecture (SOA), B2B and cloud workloads. The platform secures, integrates and optimizes access across channels with a dedicated gateway platform.

Trust: 1.98

sources: NVD: CVE-2018-1661 // JVNDB: JVNDB-2018-012921 // BID: 106329 // VULHUB: VHN-126986

AFFECTED PRODUCTS

vendor: ibm, model: datapower gateway, scope: lte, version: 7.6.0.9

Trust: 1.0

vendor: ibm, model: datapower gateway, scope: lte, version: 7.5.0.17

Trust: 1.0

vendor: ibm, model: datapower gateway, scope: lte, version: 7.5.2.16

Trust: 1.0

vendor: ibm, model: datapower gateway, scope: gte, version: 7.6.0.0

Trust: 1.0

vendor: ibm, model: datapower gateway, scope: gte, version: 7.5.2.0

Trust: 1.0

vendor: ibm, model: datapower gateway, scope: gte, version: 7.5.1.0

Trust: 1.0

vendor: ibm, model: datapower gateway, scope: lte, version: 7.5.1.16

Trust: 1.0

vendor: ibm, model: datapower gateway, scope: gte, version: 7.5.0.0

Trust: 1.0

vendor: ibm, model: datapower gateway, scope: eq, version: 7.5

Trust: 0.8

vendor: ibm, model: datapower gateway, scope: eq, version: 7.5.1

Trust: 0.8

vendor: ibm, model: datapower gateway, scope: eq, version: 7.5.2

Trust: 0.8

vendor: ibm, model: datapower gateway, scope: eq, version: 7.6

Trust: 0.8

vendor: ibm, model: datapower gateways, scope: eq, version: 7.6.0.8

Trust: 0.3

vendor: ibm, model: datapower gateways, scope: eq, version: 7.6.0.6

Trust: 0.3

vendor: ibm, model: datapower gateways, scope: eq, version: 7.6.0.5

Trust: 0.3

vendor: ibm, model: datapower gateways, scope: eq, version: 7.6.0.1

Trust: 0.3

vendor: ibm, model: datapower gateways, scope: eq, version: 7.6.0.0

Trust: 0.3

vendor: ibm, model: datapower gateways, scope: eq, version: 7.5.2.9

Trust: 0.3

vendor: ibm, model: datapower gateways, scope: eq, version: 7.5.2.8

Trust: 0.3

vendor: ibm, model: datapower gateways, scope: eq, version: 7.5.2.2

Trust: 0.3

vendor: ibm, model: datapower gateways, scope: eq, version: 7.5.2.15

Trust: 0.3

vendor: ibm, model: datapower gateways, scope: eq, version: 7.5.2.13

Trust: 0.3

vendor: ibm, model: datapower gateways, scope: eq, version: 7.5.2.12

Trust: 0.3

vendor: ibm, model: datapower gateways, scope: eq, version: 7.5.2.1

Trust: 0.3

vendor: ibm, model: datapower gateways, scope: eq, version: 7.5.2.0

Trust: 0.3

vendor: ibm, model: datapower gateways, scope: eq, version: 7.5.1.9

Trust: 0.3

vendor: ibm, model: datapower gateways, scope: eq, version: 7.5.1.8

Trust: 0.3

vendor: ibm, model: datapower gateways, scope: eq, version: 7.5.1.4

Trust: 0.3

vendor: ibm, model: datapower gateways, scope: eq, version: 7.5.1.3

Trust: 0.3

vendor: ibm, model: datapower gateways, scope: eq, version: 7.5.1.2

Trust: 0.3

vendor: ibm, model: datapower gateways, scope: eq, version: 7.5.1.15

Trust: 0.3

vendor: ibm, model: datapower gateways, scope: eq, version: 7.5.1.14

Trust: 0.3

vendor: ibm, model: datapower gateways, scope: eq, version: 7.5.1.13

Trust: 0.3

vendor: ibm, model: datapower gateways, scope: eq, version: 7.5.1.12

Trust: 0.3

vendor: ibm, model: datapower gateways, scope: eq, version: 7.5.1.1

Trust: 0.3

vendor: ibm, model: datapower gateways, scope: eq, version: 7.5.1.0

Trust: 0.3

vendor: ibm, model: datapower gateways, scope: eq, version: 7.5.0.9

Trust: 0.3

vendor: ibm, model: datapower gateways, scope: eq, version: 7.5.0.5

Trust: 0.3

vendor: ibm, model: datapower gateways, scope: eq, version: 7.5.0.4

Trust: 0.3

vendor: ibm, model: datapower gateways, scope: eq, version: 7.5.0.3

Trust: 0.3

vendor: ibm, model: datapower gateways, scope: eq, version: 7.5.0.2

Trust: 0.3

vendor: ibm, model: datapower gateways, scope: eq, version: 7.5.0.16

Trust: 0.3

vendor: ibm, model: datapower gateways, scope: eq, version: 7.5.0.15

Trust: 0.3

vendor: ibm, model: datapower gateways, scope: eq, version: 7.5.0.14

Trust: 0.3

vendor: ibm, model: datapower gateways, scope: eq, version: 7.5.0.13

Trust: 0.3

vendor: ibm, model: datapower gateways, scope: eq, version: 7.5.0.10

Trust: 0.3

vendor: ibm, model: datapower gateways, scope: eq, version: 7.5.0.1

Trust: 0.3

vendor: ibm, model: datapower gateways, scope: eq, version: 7.5.0.0

Trust: 0.3

vendor: ibm, model: datapower gateway, scope: ne, version: 7.6.0.10

Trust: 0.3

vendor: ibm, model: datapower gateway, scope: ne, version: 7.5.2.17

Trust: 0.3

vendor: ibm, model: datapower gateway, scope: ne, version: 7.5.1.17

Trust: 0.3

vendor: ibm, model: datapower gateway, scope: ne, version: 7.5.0.18

Trust: 0.3

sources: BID: 106329 // JVNDB: JVNDB-2018-012921 // NVD: CVE-2018-1661

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-1661
value: HIGH

Trust: 1.0

psirt@us.ibm.com: CVE-2018-1661
value: MEDIUM

Trust: 1.0

NVD: CVE-2018-1661
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201812-816
value: HIGH

Trust: 0.6

VULHUB: VHN-126986
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2018-1661
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-126986
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-1661
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

psirt@us.ibm.com: CVE-2018-1661
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.0

Trust: 1.0

sources: VULHUB: VHN-126986 // JVNDB: JVNDB-2018-012921 // CNNVD: CNNVD-201812-816 // NVD: CVE-2018-1661 // NVD: CVE-2018-1661

PROBLEMTYPE DATA

problemtype:CWE-352

Trust: 1.9

sources: VULHUB: VHN-126986 // JVNDB: JVNDB-2018-012921 // NVD: CVE-2018-1661

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201812-816

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201812-816

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-012921

PATCH

title: 0744189, url: https://www.ibm.com/support/docview.wss?uid=ibm10744189

Trust: 0.8

title: ibm-websphere-cve20181661-csrf (144887), url: https://exchange.xforce.ibmcloud.com/vulnerabilities/144887

Trust: 0.8

title: IBM DataPower Gateway Fixes for cross-site request forgery vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=88012

Trust: 0.6

sources: JVNDB: JVNDB-2018-012921 // CNNVD: CNNVD-201812-816

EXTERNAL IDS

db: NVD, id: CVE-2018-1661

Trust: 2.8

db: BID, id: 106329

Trust: 2.0

db: JVNDB, id: JVNDB-2018-012921

Trust: 0.8

db: CNNVD, id: CNNVD-201812-816

Trust: 0.7

db: AUSCERT, id: ESB-2019.0545

Trust: 0.6

db: VULHUB, id: VHN-126986

Trust: 0.1

sources: VULHUB: VHN-126986 // BID: 106329 // JVNDB: JVNDB-2018-012921 // CNNVD: CNNVD-201812-816 // NVD: CVE-2018-1661

REFERENCES

url:http://www.securityfocus.com/bid/106329

Trust: 1.7

url:https://www.ibm.com/support/docview.wss?uid=ibm10744189

Trust: 1.7

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/144887

Trust: 1.7

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-1661

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2018-1661

Trust: 0.8

url:http://www.ibm.com/support/docview.wss

Trust: 0.6

url:http://www.ibm.com/support/docview.wss?uid=ibm10739235

Trust: 0.6

url:https://www.auscert.org.au/bulletins/75930

Trust: 0.6

url:https://www.ibm.com

Trust: 0.3

url:https://www.ibm.com/in-en/products/datapower-gateway/details

Trust: 0.3

url:https://www-01.ibm.com/support/docview.wss?uid=ibm10744189

Trust: 0.3

sources: VULHUB: VHN-126986 // BID: 106329 // JVNDB: JVNDB-2018-012921 // CNNVD: CNNVD-201812-816 // NVD: CVE-2018-1661

CREDITS

Srinivasarao Kotipalli and Jeremy Soh.

Trust: 0.3

sources: BID: 106329

SOURCES

db: VULHUB, id: VHN-126986
db: BID, id: 106329
db: JVNDB, id: JVNDB-2018-012921
db: CNNVD, id: CNNVD-201812-816
db: NVD, id: CVE-2018-1661

LAST UPDATE DATE

2024-11-23T21:14:56.176000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-126986, date: 2019-10-09T00:00:00
db: BID, id: 106329, date: 2018-12-12T00:00:00
db: JVNDB, id: JVNDB-2018-012921, date: 2019-02-12T00:00:00
db: CNNVD, id: CNNVD-201812-816, date: 2019-10-17T00:00:00
db: NVD, id: CVE-2018-1661, date: 2024-11-21T04:00:09.613

SOURCES RELEASE DATE

db: VULHUB, id: VHN-126986, date: 2018-12-20T00:00:00
db: BID, id: 106329, date: 2018-12-12T00:00:00
db: JVNDB, id: JVNDB-2018-012921, date: 2019-02-12T00:00:00
db: CNNVD, id: CNNVD-201812-816, date: 2018-12-20T00:00:00
db: NVD, id: CVE-2018-1661, date: 2018-12-20T14:29:00.230