Vulnerability CVE-2015-7452

Vulnerability Name:

CVE-2015-7452 (CCN-108220)

Assigned:

2015-12-11

Published:

2015-12-11

Updated:

2016-01-06

Summary:

IBM Maximo Asset Management 7.5 before 7.5.0.9 FP9 and 7.6 before 7.6.0.3 FP3 and Maximo Asset Management 7.5 before 7.5.0.9 FP9, 7.5.1, and 7.6 before 7.6.0.3 FP3 for SmartCloud Control Desk allow remote authenticated users to obtain sensitive information via the REST API.

CVSS v3 Severity:

4.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
3.8 Low (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Attack Complexity (AC): Privileges Required (PR): User Interaction (UI):
Scope:	Scope (S):
Impact Metrics:	Confidentiality (C): Integrity (I): Availibility (A):

4.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
3.8 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Attack Complexity (AC): Privileges Required (PR): User Interaction (UI):
Scope:	Scope (S):
Impact Metrics:	Confidentiality (C): Integrity (I): Availibility (A):

CVSS v2 Severity:

4.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

4.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

Vulnerability Type:

CWE-200

Vulnerability Consequences:

Obtain Information

References:

Source: MITRE
Type: CNA
CVE-2015-7452

Source: CONFIRM
Type: Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21972463

Source: CCN
Type: IBM Security Bulletin 1972463 (Maximo Asset Management)
A security vulnerability has been identified in IBM Maximo Asset Management which could allow an attacker to obtain sensitive information via REST API (CVE-2015-7452)

Source: XF
Type: UNKNOWN
ibm-maximo-cve20157452-info-disc(108220)

Vulnerable Configuration:

Configuration 1:

cpe:/a:ibm:maximo_asset_management:7.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:maximo_asset_management:7.6:*:*:*:*:*:*:*

OR cpe:/a:ibm:maximo_asset_management_essentials:7.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:maximo_for_government:7.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:maximo_for_life_sciences:7.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:maximo_for_life_sciences:7.6:*:*:*:*:*:*:*

OR cpe:/a:ibm:maximo_for_nuclear_power:7.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:maximo_for_oil_and_gas:7.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:maximo_for_transportation:7.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:maximo_for_utilities:7.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:smartcloud_control_desk:7.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:smartcloud_control_desk:7.6:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:ibm:maximo_asset_management:7.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:maximo_asset_management:7.6:*:*:*:*:*:*:*

Denotes that component is vulnerable

Vulnerability Name:

CVE-2015-7452 (CCN-112570)

Assigned:

2013-07-05

Published:

2013-07-05

Updated:

2016-01-06

Summary:

CVSS v3 Severity:

4.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
3.8 Low (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Attack Complexity (AC): Privileges Required (PR): User Interaction (UI):
Scope:	Scope (S):
Impact Metrics:	Confidentiality (C): Integrity (I): Availibility (A):

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Attack Complexity (AC): Privileges Required (PR): User Interaction (UI):
Scope:	Scope (S):
Impact Metrics:	Confidentiality (C): Integrity (I): Availibility (A):

CVSS v2 Severity:

4.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N)
3.5 Low (Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Type:

CWE-200

Vulnerability Consequences:

Cross-Site Scripting

References:

Source: MITRE
Type: CNA
CVE-2015-7452

Source: CCN
Type: Node.js Web site
Node.js

Source: CCN
Type: oss-sec Mailing List, Wed, 20 Apr 2016 17:16:24 -0400 (EDT)
various vulnerabilities in Node.js packages

Source: XF
Type: UNKNOWN
nodejs-cve20157452-filter-bypass(112570)

Source: CCN
Type: Node Security Web site
Multiple XSS Filter Bypasses

BACK