IBM Rational Software Architect Design Manager / Engineering Lifecycle Manager / Rhapsody Design Manager < 4.0.7 XSRF

medium Nessus Plugin ID 79384

Synopsis

The remote host is affected by a cross-site request forgery vulnerability.

Description

According to its self-reported version, the install of Rational Engineering Lifecycle Manager, Rational Software Architect Design Manager, and/or Rhapsody Design Manager on the remote host is affected by a cross-site request forgery vulnerability in the IBM Configuration Management Application (VVC) component due to improper validation of user-supplied data. An attacker can exploit this vulnerability by convincing an authenticated user to visit a malicious website and hijacking the user's authentication via a malformed HTTP request, allowing the attacker to perform cross-site scripting attacks, web cache poisoning, and other malicious activities.

Solution

Upgrade to IBM Rational Software Architect Design Manager / Engineering Lifecycle Manager / Rhapsody Design Manager version 4.0.7, 5.0.1, or later.

See Also

http://www-01.ibm.com/support/docview.wss?uid=swg21682120

Plugin Details

Severity: Medium

ID: 79384

File Name: ibm_rational_swg21682120.nasl

Version: 1.3

Type: local

Family: Misc.

Published: 11/21/2014

Updated: 7/12/2018

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.5

CVSS v2

Risk Factor: Medium

Base Score: 6

Temporal Score: 4.4

Vector: CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/a:ibm:rational_software_architect_design_manager, cpe:/a:ibm:rational_rhapsody_design_manager, cpe:/a:ibm:rational_engineering_lifecycle_manager

Exploit Ease: No known exploits are available

Patch Publication Date: 9/5/2014

Vulnerability Publication Date: 9/5/2014

Reference Information

CVE: CVE-2014-3037

BID: 69658