[VIM] IBM Financial Transaction Manager Vulnerabilities

Scott Moore stmoore at us.ibm.com
Wed Feb 5 09:18:43 CST 2014


Hello VIM colleagues.

In mid-December there was a confusing changelog issued by the IBM Financial
Transaction Manager team that listed several vulnerabilities.  These were
picked up by several vulnerability databases.

We have worked with the product team and the PSIRT team to consolidate some
issues, and eliminate others that were not actual vulnerabilities.

The actual vulnerabilities are as follows:

CVE-2014-0830: FTM 2.0 and 2.1 Table export function exposes a path
traversal vulnerability

CVE-2014-0831: FTM 2.0 OAC is not protected from cross-site request forgery
vulnerabilities.

CVE-2014-0832: FTM 2.0 Configuration details screens are exposed to
cross-site scripting vulnerabilities.

CVE-2014-0833: FTM 2.0 OAC could accept a request to execute a resolution
action where the user is not authorized.

FTM Security Bulletin:
http://www-01.ibm.com/support/docview.wss?uid=swg21662714


Thanks.

-----
Scott Moore
Vulnerability Database - Team Lead
X-Force Research and Development
IBM Security Systems
Office: 404-348-9288
Cell: 404-643-1260