Security Bulletin
Summary
Multiple vulnerabilities were addressed in IBM Sterling Partner Engagement Manager versions 6.2.3.6 and 6.2.4.3.
Vulnerability Details
CVEID: CVE-2016-1000338
DESCRIPTION: In Bouncy Castle JCE Provider version 1.55 and earlier the DSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.
CWE: CWE-347: Improper Verification of Cryptographic Signature
CVSS Source: IBM X-Force
CVSS Base score: 7.3
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
CVEID: CVE-2016-1000340
DESCRIPTION: In the Bouncy Castle JCE Provider versions 1.51 to 1.55, a carry propagation bug was introduced in the implementation of squaring for several raw math classes have been fixed (org.bouncycastle.math.raw.Nat???). These classes are used by our custom elliptic curve implementations (org.bouncycastle.math.ec.custom.**), so there was the possibility of rare (in general usage) spurious calculations for elliptic curve scalar multiplications. Such errors would have been detected with high probability by the output validation for our scalar multipliers.
CWE: CWE-19: Data Processing Errors
CVSS Source: IBM X-Force
CVSS Base score: 7.3
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
CVEID: CVE-2016-1000342
DESCRIPTION: In the Bouncy Castle JCE Provider version 1.55 and earlier ECDSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.
CWE: CWE-347: Improper Verification of Cryptographic Signature
CVSS Source: IBM X-Force
CVSS Base score: 7.3
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
CVEID: CVE-2022-24785
DESCRIPTION: Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.
CWE: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSS Source: Github
CVSS Base score: 7.5
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
CVEID: CVE-2025-14811
DESCRIPTION: IBM Sterling Partner Engagement Manager could allow an attacker to obtain sensitive information from the query string of an HTTP GET method to process a request which could be obtained using man in the middle techniques.
CWE: CWE-598: Use of GET Request Method With Sensitive Query Strings
CVSS Source: IBM
CVSS Base score: 3.1
CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)
CVEID: CVE-2025-13723
DESCRIPTION: IBM Sterling Partner Engagement Manager could allow an attacker to obtain sensitive user information using an expired access token
CWE: CWE-324: Use of a Key Past its Expiration Date
CVSS Source: IBM
CVSS Base score: 5.3
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID: CVE-2025-53066
DESCRIPTION: An unspecified vulnerability in Java SE related to the JAXP component could allow a remote attacker to cause high confidentiality impact, no integrity impact, and no availability impact.
CWE: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVSS Source: secalert_us@oracle.com
CVSS Base score: 7.5
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVEID: CVE-2025-53057
DESCRIPTION: An unspecified vulnerability in Java SE related to the Security component could allow a remote attacker to cause no confidentiality impact, high integrity impact, and no availability impact.
CWE: CWE-284: Improper Access Control
CVSS Source: secalert_us@oracle.com
CVSS Base score: 5.9
CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)
CVEID: CVE-2019-13990
DESCRIPTION: initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.
CWE: CWE-611: Improper Restriction of XML External Entity Reference
CVSS Source: IBM X-Force
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
CVEID: CVE-2022-34169
DESCRIPTION: The Apache Xalan Java XSLT library could allow a remote attacker to execute arbitrary code on the system, caused by an integer truncation issue when processing malicious XSLT stylesheets. By using specially crafted XSLT stylesheets, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CWE: CWE-681: Incorrect Conversion between Numeric Types
CVSS Source: IBM X-Force
CVSS Base score: 7.3
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
CVEID: CVE-2022-25881
DESCRIPTION: This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.
CWE: CWE-1333: Inefficient Regular Expression Complexity
CVSS Source: IBM X-Force
CVSS Base score: 5.3
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2021-33813
DESCRIPTION: An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request.
CWE: CWE-611: Improper Restriction of XML External Entity Reference
CVSS Source: IBM X-Force
CVSS Base score: 5.3
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2015-5922
DESCRIPTION: Unspecified vulnerability in International Components for Unicode (ICU) before 53.1.0, as used in Apple OS X before 10.11 and watchOS before 2, has unknown impact and attack vectors.
CVSS Source: IBM X-Force
CVSS Base score: 5.3
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVEID: CVE-2025-13702
DESCRIPTION: IBM Sterling Partner Engagement Manager is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Source: IBM
CVSS Base score: 6.1
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
CVEID: CVE-2025-13726
DESCRIPTION: IBM Sterling Partner Engagement Manager could allow a remote attacker to obtain sensitive information when detailed technical error messages are returned. This information could be used in further attacks against the system.
CWE: CWE-209: Generation of Error Message Containing Sensitive Information
CVSS Source: IBM
CVSS Base score: 5.3
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID: CVE-2025-13718
DESCRIPTION: IBM Sterling Partner Engagement Manager could allow a remote attacker to obtain sensitive information in cleartext in a communication channel that can be sniffed by unauthorized actors.
CWE: CWE-319: Cleartext Transmission of Sensitive Information
CVSS Source: IBM
CVSS Base score: 3.7
CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID: CVE-2023-46233
DESCRIPTION: crypto-js is a JavaScript library of crypto standards. Prior to version 4.2.0, crypto-js PBKDF2 is 1,000 times weaker than originally specified in 1993, and at least 1,300,000 times weaker than current industry standard. This is because it both defaults to SHA1, a cryptographic hash algorithm considered insecure since at least 2005, and defaults to one single iteration, a 'strength' or 'difficulty' value specified at 1,000 when specified in 1993. PBKDF2 relies on iteration count as a countermeasure to preimage and collision attacks. If used to protect passwords, the impact is high. If used to generate signatures, the impact is high. Version 4.2.0 contains a patch for this issue. As a workaround, configure crypto-js to use SHA256 with at least 250,000 iterations.
CWE: CWE-328: Use of Weak Hash
CVSS Source: IBM X-Force
CVSS Base score: 9.1
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
ID: ADV0244115
DESCRIPTION: Created from Advisory: ADV0244115
CVSS Source: IBM X-Force
CVSS Base score: 6.2
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| IBM Sterling Partner Engagement Manager Essentials Edition |
6.2.3.0 – 6.2.3.5 6.2.4.0 – 6.2.4.2 |
| IBM Sterling Partner Engagement Manager Standard Edition |
6.2.3.0 – 6.2.3.5 6.2.4.0 – 6.2.4.2
|
Remediation/Fixes
IBM strongly recommends addressing the vulnerability now by upgrading,
| Product(s) | Affected Version Range | Remediated Version | Instructions / Download |
|---|---|---|---|
| IBM Sterling Partner Engagement Manager Essentials Edition | 6.2.3.0 – 6.2.3.5 | 6.2.3.6 | Download 6.2.3.6 |
| IBM Sterling Partner Engagement Manager Essentials Edition | 6.2.4.0 – 6.2.4.2 | 6.2.4.3 | Download 6.2.4.3 |
| IBM Sterling Partner Engagement Manager Standard Edition | 6.2.3.0 – 6.2.3.5 | 6.2.3.6 | Download 6.2.3.6 |
| IBM Sterling Partner Engagement Manager Standard Edition | 6.2.4.0 – 6.2.4.2 | 6.2.4.3 | Download 6.2.4.3 |
Workarounds and Mitigations
None
Get Notified about Future Security Bulletins
References
Acknowledgement
Change History
12 Mar 2026: Initial Publication
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.
Document Location
Worldwide
Was this topic helpful?
Document Information
Modified date:
12 March 2026
Initial Publish date:
12 March 2026
UID
ibm17263391