Rewterz

Rewterz Threat Advisory – Multiple Apache Superset Template And Explore Vulnerabilities

October 18, 2021
Rewterz

Rewterz Threat Advisory – Multiple Apache Vulnerabilities

October 18, 2021

Rewterz Threat Advisory – Multiple IBM Business Automation And Security Risk Manager Vulnerabilities

Severity

Medium

Analysis Summary

CVE-2021-29878 

IBM Business Automation Workflow 18.0, 19.0, 20.0, and 21.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

CVE-2021-38911 

IBM Security Risk Manager on CP4S 1.7.0.0 stores user credentials in plain clear text which can be read by an authenticated privileged user.

CVE-2021-29912 

IBM Security Risk Manager on CP4S 1.7.0.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

Impact

  • Cross-Site Scripting
  • Information Disclosure

Affected Vendors

  • IBM

Affected Products

  • IBM Business Automation Workflow 18.0.0.0
  • IBM Business Automation Workflow 18.0.0.1
  • IBM Business Automation Workflow 18.0.0.2
  • IBM Business Automation Workflow 19.0.0.1
  • IBM Business Automation Workflow 19.0.0.2
  • IBM Business Automation Workflow 19.0.0.3
  • IBM Business Automation Workflow 20.0.0.1
  • IBM Business Automation Workflow 20.0.0.2
  • IBM Business Automation Workflow 21.0.2
  • IBM Cloud Pak for Security 1.7.2.0
  • IBM Cloud Pak for Security 1.7.0.0

Remediation

Refer to IBM Security Bulletin for patch, upgrade, or suggested workaround information.

CVE-2021-29878

https://www.ibm.com/support/pages/node/6501949

CVE-2021-38911

https://www.ibm.com/support/pages/node/6505281

CVE-2021-29912

https://www.ibm.com/support/pages/node/6505283

Reading this advisory was a good start.

Make it a habit.

Rewterz publishes threat advisories ahead of mainstream cybersecurity media, informed by an AI-Native Autonomous SOC that sees regional threat actor activity in real time. Subscribe to receive each new advisory as it publishes, plus a monthly Middle East threat landscape brief drawn from our own SOC telemetry. For teams evaluating their detection coverage, a 30-minute consultation with a senior analyst is also available, at your pace, when you're ready.