Request a Demo
Rewterz
Multiple Apache Products Vulnerabilities
July 17, 2024
Rewterz
Multiple Google Chrome Vulnerabilities
July 17, 2024

Multiple IBM Datacap Navigator Vulnerabilities

Severity

Medium

Analysis Summary

CVE-2024-39735 CVSS:5.4

IBM Datacap Navigator 9.1.5, 9.1.6, 9.1.7, 9.1.8, and 9.1.9 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

CVE-2024-39734 CVSS:4.3

IBM Datacap Navigator 9.1.5, 9.1.6, 9.1.7, 9.1.8, and 9.1.9 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.

CVE-2024-39733 CVSS:6.2

IBM Datacap Navigator 9.1.5, 9.1.6, 9.1.7, 9.1.8, and 9.1.9 stores user credentials in plain clear text which can be read by a local user.

CVE-2024-39741 CVSS:4.3

IBM Datacap Navigator 9.1.5, 9.1.6, 9.1.7, 9.1.8, and 9.1.9 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system.

CVE-2024-39729 CVSS:4.3

IBM Datacap Navigator 9.1.5, 9.1.6, 9.1.7, 9.1.8, and 9.1.9 could allow an authenticated user to obtain sensitive information from source code that could be used in further attacks against the system.

CVE-2024-39739 CVSS:5.4

IBM Datacap Navigator 9.1.5, 9.1.6, 9.1.7, 9.1.8, and 9.1.9 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.

CVE-2024-39737 CVSS:4.3

IBM Datacap Navigator 9.1.5, 9.1.6, 9.1.7, 9.1.8, and 9.1.9 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system.

CVE-2024-39728 CVSS:6.4

IBM Datacap Navigator 9.1.5, 9.1.6, 9.1.7, 9.1.8, and 9.1.9 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

Impact

  • Cross-Site Scripting
  • Information Disclosure

Indicators of Compromise

CVE

  • CVE-2024-39735
  • CVE-2024-39734
  • CVE-2024-39733
  • CVE-2024-39741
  • CVE-2024-39729
  • CVE-2024-39739
  • CVE-2024-39737
  • CVE-2024-39728

Affected Vendors

IBM

Affected Products

  • IBM Datacap 9.1.8
  • IBM Datacap 9.1.9
  • IBM Datacap 9.1.5
  • IBM Datacap 9.1.6.

Remediation

Refer to IBM Security Advisory for patch, upgrade or suggested workaround information.

CVE-2024-39735

CVE-2024-39734

CVE-2024-39733

CVE-2024-39741

CVE-2024-39729

CVE-2024-39739

CVE-2024-39737

CVE-2024-39728