SB2023013040 - Multiple vulnerabilities in IBM Tivoli System Automation Application Manager

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2023013040

SB2023013040 - Multiple vulnerabilities in IBM Tivoli System Automation Application Manager

Published: January 30, 2023 Updated: December 29, 2025

Security Bulletin ID SB2023013040
Severity
High
Patch available
YES
Number of vulnerabilities 4
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 25% Medium 25% Low 50%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 4 secuirty vulnerabilities.


1) Unsafe reflection (CVE-ID: CVE-2014-0114)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to Apache Commons BeanUtils does not suppress the class property. A remote unauthenticated attacker can manipulate the ClassLoader and execute arbitrary code via the class parameter


2) Cross-site scripting (CVE-ID: CVE-2012-1007)

Vulnerability allows a remote attacker to perform Cross-site scripting attacks.

An input validation error exists in Apache Struts when processing the name parameter to struts-examples/upload/upload-submit.do, or the message parameter to struts-cookbook/processSimple.do or struts-cookbook/processDyna.do. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.


3) Cross-site scripting (CVE-ID: CVE-2016-1182)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.


4) Improper input validation (CVE-ID: CVE-2016-1181)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The vulnerability exists due to improper input validation in ActionServlet.java when handling multithreaded access to an ActionForm instance. A remote non-authenticated attacker can exploit this vulnerability to execute arbitrary code.


Remediation

Install update from vendor's website.

References