CVE-2023-38722 - Stored Cross-Site Scripting in IBM Sterling Partner Engagement Manager

1. Vulnerability Properties

Title: Stored Cross-Site Scripting in IBM Sterling Partner Engagement Manager
CVE ID: CVE-2023-38722
CVSSv3 Base Score: 6.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N)
Vendor: IBM
Products: Sterling Partner Engagement Manager
Advisory Release Date: 23-10-2023
Advisory URL: https://labs.integrity.pt/advisories/cve-2023-38722
Credits: Discovery by Lucas Machado <lucas.machado[at]devoteam.com>

2. Vulnerability Summary

IBM Sterling Partner Engagement Manager is vulnerable to Stored Cross-Site Scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

3. Vulnerable Versions

IBM Sterling Partner Engagement Manager Essentials Edition - 6.1.2, 6.2.0, 6.2.2.
IBM Sterling Partner Engagement Manager Standard Edition - 6.1.2, 6.2.0, 6.2.2.

4. Solution

Fix is available in IBM Sterling Partner Engagement Manager 6.2.2.1.2.

5. Vulnerability Timeline

  • 05/Jul/23 - Bug reported to IBM PSIRT
  • 05/Jul/23 - Bug verified by vendor
  • 23/Oct/23 - Advisory released

6. References

  • https://www.ibm.com/support/pages/node/7057407
  • https://exchange.xforce.ibmcloud.com/vulnerabilities/262174
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38722


© 2024 INTEGRITY S.A. All rights reserved. | Cookie Policy

Cookie Consent X

Integrity S.A. uses cookies for analytical and more personalized information presentation purposes, based on your browsing habits and profile. For more detailed information, see our Cookie Policy.