Medium Severity

IBM Security Bulletin: IBM Cúram Social Program Management contains a cross-site request forgery vulnerability in the REST API (CVE-2018-2001)


A recent product security scanning exercise identified a cross-site request forgery (CSRF) vulnerability in the REST API of IBM Cúram Social Program Management. The issue lies in the server-side checking of the HTTP Referer header for GET requests, which should be checked in a similar way to all other requests. Note: If you are using the REST API, you are vulnerable to cross-site request forgery.
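The bulletin's point is that a request-source check which exempts GET leaves REST endpoints reachable from a cross-origin page. The following Python snippet is an added illustration, not IBM's code and not taken from the Cúram product: it shows a source-header check that skips GET next to one applied to every method. The trusted origin set, header names and request samples are constructed for the example.

```python
"""Server-side Origin/Referer check: GET-exempt (weak) beside uniform (hardened).

Added example for the bulletin above; not IBM Cúram code. The trusted origins
and the request headers below are constructed sample values.
"""
from urllib.parse import urlsplit

# Constructed sample: the origins this deployment serves its REST API from.
TRUSTED_ORIGINS = {"https://spm.example.internal", "https://spm.example.internal:8443"}


def _source_origin(headers):
    """Return the scheme://host[:port] the browser reports as the request source.

    Origin is preferred; Referer is the fallback because browsers may omit
    Origin on same-site GET. Header names are matched case-insensitively.
    Returns None when neither header carries a parseable absolute URL
    (this also covers the literal value "null").
    """
    lower = {k.lower(): v for k, v in headers.items()}
    value = lower.get("origin") or lower.get("referer")
    if not value:
        return None
    parts = urlsplit(value)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}"


def check_weak(method, headers, trusted=TRUSTED_ORIGINS):
    """Pattern the bulletin describes: GET bypasses the source check entirely.

    A REST GET that returns session-scoped data or has side effects is then
    reachable from any origin that can make the browser send the request.
    """
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True
    origin = _source_origin(headers)
    return origin is not None and origin in trusted


def check_hardened(method, headers, trusted=TRUSTED_ORIGINS):
    """Fixed pattern: every method, GET included, needs a trusted source header.

    A request with no Origin and no Referer is rejected rather than waved
    through, since an absent header is exactly what a cross-site request
    can arrange.
    """
    origin = _source_origin(headers)
    return origin is not None and origin in trusted


if __name__ == "__main__":
    cross_site_get = {"Referer": "https://attacker.example/page"}
    print("weak   :", check_weak("GET", cross_site_get))       # True  (accepted)
    print("hardened:", check_hardened("GET", cross_site_get))  # False (rejected)
```

Comparing Origin/Referer against an allow-list is a complement to, not a replacement for, a per-session anti-CSRF token; the snippet only isolates the defect the bulletin names, which is the method-dependent exemption.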

CVE(s): CVE-2018-2001

Affected product(s) and affected version(s):
IBM Cúram Social Program Management 7.0.5.0 – 7.0.5.0
IBM Cúram Social Program Management 7.0.0.0 – 7.0.4.0
IBM Cúram Social Program Management 6.2.0.0 – 6.2.0.6
IBM Cúram Social Program Management 6.1.0.0 – 6.1.1.6
Note: The REST API was not present in version 6.0.5 and earlier versions, so these versions are not vulnerable.

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://www-01.ibm.com/support/docview.wss?uid=ibm10883184
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/154891
