

Multiple Apache Products Vulnerabilities
July 17, 2024
Multiple Google Chrome Vulnerabilities
July 17, 2024
Severity
Medium
Analysis Summary
CVE-2024-39735 CVSS:5.4
IBM Datacap Navigator 9.1.5, 9.1.6, 9.1.7, 9.1.8, and 9.1.9 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
CVE-2024-39734 CVSS:4.3
IBM Datacap Navigator 9.1.5, 9.1.6, 9.1.7, 9.1.8, and 9.1.9 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.
CVE-2024-39733 CVSS:6.2
IBM Datacap Navigator 9.1.5, 9.1.6, 9.1.7, 9.1.8, and 9.1.9 stores user credentials in plain text, which can be read by a local user.
CVE-2024-39741 CVSS:4.3
IBM Datacap Navigator 9.1.5, 9.1.6, 9.1.7, 9.1.8, and 9.1.9 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system.
CVE-2024-39729 CVSS:4.3
IBM Datacap Navigator 9.1.5, 9.1.6, 9.1.7, 9.1.8, and 9.1.9 could allow an authenticated user to obtain sensitive information from source code that could be used in further attacks against the system.
CVE-2024-39739 CVSS:5.4
IBM Datacap Navigator 9.1.5, 9.1.6, 9.1.7, 9.1.8, and 9.1.9 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.
CVE-2024-39737 CVSS:4.3
IBM Datacap Navigator 9.1.5, 9.1.6, 9.1.7, 9.1.8, and 9.1.9 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system.
CVE-2024-39728 CVSS:6.4
IBM Datacap Navigator 9.1.5, 9.1.6, 9.1.7, 9.1.8, and 9.1.9 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
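A check for the missing secure attribute described under CVE-2024-39734, as an added example that is not from the advisory or from IBM: it parses `Set-Cookie` header values captured from a deployment and lists the cookies a browser would also send over `http://`. The cookie names and values are constructed sample data, not names used by Datacap Navigator.

```python
# Added example: audit Set-Cookie response headers for a missing Secure attribute.
# All cookie names and header values below are constructed sample data.

def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attrs).

    attrs maps lower-cased attribute names to their value ('' for flags
    such as Secure and HttpOnly).
    """
    parts = [p.strip() for p in header_value.split(";")]
    # The first segment is always name=value; the value may itself contain '='.
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue  # tolerate a trailing ';'
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def cookies_missing_secure(set_cookie_headers):
    """Return the names of cookies that lack the Secure attribute."""
    findings = []
    for header in set_cookie_headers:
        name, _value, attrs = parse_set_cookie(header)
        # Only a real attribute counts: the word "secure" inside the
        # cookie name or value does not restrict the cookie to HTTPS.
        if "secure" not in attrs:
            findings.append(name)
    return findings


# Constructed Set-Cookie values, as they might appear in captured responses.
SAMPLE_HEADERS = [
    "session_id=abc123; Path=/; HttpOnly",               # Secure missing
    "auth_token=dG9rZW4=; Path=/; SECURE; HttpOnly",     # attribute names are case-insensitive
    "pref=secure; Path=/",                               # "secure" is the value, not an attribute
    "csrf=Zm9v; Path=/; Secure; SameSite=Strict;",       # correctly flagged, trailing ';'
]

if __name__ == "__main__":
    for cookie in cookies_missing_secure(SAMPLE_HEADERS):
        print(f"cookie set without Secure attribute: {cookie}")
```
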
Impact
- Cross-Site Scripting
- Information Disclosure
Indicators of Compromise
CVE
- CVE-2024-39735
- CVE-2024-39734
- CVE-2024-39733
- CVE-2024-39741
- CVE-2024-39729
- CVE-2024-39739
- CVE-2024-39737
- CVE-2024-39728
Affected Vendors
- IBM
Affected Products
- IBM Datacap 9.1.8
- IBM Datacap 9.1.9
- IBM Datacap 9.1.5
- IBM Datacap 9.1.6
Remediation
Refer to IBM Security Advisory for patch, upgrade or suggested workaround information.