SB2024053144 - Multiple vulnerabilities in IBM Call Center for Commerce

Published: May 31, 2024

Security Bulletin ID: SB2024053144
Severity: Critical
Patch available: Yes
Number of vulnerabilities: 36
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Critical: 3%
High: 44%
Medium: 50%
Low: 3%

Description

This security bulletin contains information about 36 security vulnerabilities, almost all of them in the Apache Struts framework bundled with the product.


1) Stack-based buffer overflow (CVE-ID: CVE-2016-4436)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper clean-up of action names. A remote unauthenticated attacker can trigger the vulnerability and execute arbitrary code on the target system.


2) Cross-site scripting (CVE-ID: CVE-2016-4003)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.


3) Input validation error (CVE-ID: CVE-2016-3093)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.


4) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2013-4310)

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions, which allows an attacker to bypass those restrictions and escalate privileges.


5) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2014-0116)

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists because the CookieInterceptor in Apache Struts does not properly restrict access to the getClass method when a wildcard cookiesName value is used. A remote attacker can manipulate the ClassLoader and modify the session state via a crafted request.


6) Security features bypass (CVE-ID: CVE-2010-1870)

The vulnerability allows a remote attacker to bypass security restrictions.

The vulnerability exists because the extensive OGNL expression evaluation capability in XWork in Struts uses a permissive whitelist. A remote attacker can modify server-side context objects via OGNL context variables and bypass security restrictions.


7) Code Injection (CVE-ID: CVE-2020-17530)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation when processing certain tag attributes. The application performs double evaluation of the attribute value if a developer applied forced OGNL evaluation using the %{...} syntax. A remote attacker can send a specially crafted request to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


8) Improper Handling of Parameters (CVE-ID: CVE-2016-3082)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper handling of parameters in XSLTResult. A remote unauthenticated attacker can trigger the vulnerability and execute arbitrary code via the stylesheet location parameter.


9) Input validation error (CVE-ID: CVE-2013-2251)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can pass specially crafted input to the application and execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix.


10) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2012-0393)

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists because the ParameterInterceptor component in Apache Struts does not prevent access to public constructors. A remote attacker can create or overwrite arbitrary files via a crafted parameter that triggers the creation of a Java object.


11) Remote code execution (CVE-ID: CVE-2017-12611)

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to the unsafe use of writable expression values in Freemarker content. A remote attacker can add malicious values to writable expressions submitted to the affected application for processing and execute arbitrary code in the security context of the affected application.


12) Input validation error (CVE-ID: CVE-2015-5209)

The vulnerability allows a remote attacker to modify data on the system.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can pass specially crafted input to manipulate Struts internals, alter user sessions, or affect container settings via vectors involving a top object.


13) Code Injection (CVE-ID: CVE-2013-2115)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists because a crafted request is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag. A remote attacker can send a specially crafted request and execute arbitrary OGNL code on the target system.

Note: the vulnerability exists due to an incomplete fix for CVE-2013-1966.


14) Code Injection (CVE-ID: CVE-2013-1966)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation. A remote attacker can execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag.


15) Input validation error (CVE-ID: CVE-2013-2248)

The vulnerability allows a remote attacker to perform open redirect attacks.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can redirect users to arbitrary web sites and conduct phishing attacks via a URL in a parameter using the (1) redirect: or (2) redirectAction: prefix.


16) Cross-site scripting (CVE-ID: CVE-2015-2992)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.


17) Cross-site scripting (CVE-ID: CVE-2015-5169)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.


18) Cross-site request forgery (CVE-ID: CVE-2012-4386)

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists because the token check mechanism in Apache Struts does not properly validate the token name configuration parameter: an attacker can set it to session.userId or another session value and use that value as the token. A remote attacker can trick the victim into visiting a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.


19) Code Injection (CVE-ID: CVE-2012-0391)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation within the ExceptionDelegator component in Apache Struts when interpreting parameter values as OGNL expressions during certain exception handling for mismatched data types of properties. A remote attacker can send a specially crafted request and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


20) Code Injection (CVE-ID: CVE-2012-0392)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to improper access restrictions within the CookieInterceptor component in Apache Struts. A remote attacker can send a specially crafted HTTP Cookie header that triggers Java code execution through a static method and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


21) Cross-site scripting (CVE-ID: CVE-2011-1772)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim into following a specially crafted link and inject arbitrary web script or HTML via vectors involving (1) an action name, (2) the action attribute of an s:submit element, or (3) the method attribute of an s:submit element.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.


22) Input validation error (CVE-ID: CVE-2012-0838)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists because Apache Struts evaluates a string as an OGNL expression during the handling of a conversion error. A remote attacker can supply invalid input to a field to modify run-time data values and consequently execute arbitrary code.


23) Cross-site request forgery (CVE-ID: CVE-2014-7809)

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists because Apache Struts generates predictable <s:token/> values, which allows the CSRF protection mechanism to be bypassed. A remote attacker can trick the victim into visiting a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.


24) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2011-5057)

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists because Apache Struts provides interfaces that do not properly restrict access to collections such as the session and request collections. A remote attacker can modify run-time data values via a crafted parameter to an application that implements an affected interface.


25) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2012-4387)

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists because the application does not properly impose security restrictions. A remote attacker can cause a denial of service (CPU consumption) via a long parameter name, which is processed as an OGNL expression.


26) Cross-site scripting (CVE-ID: CVE-2012-1006)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim into following a specially crafted link and inject arbitrary web script or HTML via the (1) name or (2) lastName parameter to struts2-showcase/person/editPerson.action, or the (3) clientName parameter to struts2-rest-showcase/orders.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.


27) Security bypass (CVE-ID: CVE-2014-0094)

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The vulnerability exists due to an error in ParametersInterceptor. A remote attacker can use a specially crafted class parameter (class.classLoader...) to manipulate the ClassLoader used by the application server.

Successful exploitation of the vulnerability results in security bypass on the vulnerable system.

Note: the vulnerability was being actively exploited.


28) Configuration (CVE-ID: CVE-2013-4316)

The issue may allow a remote attacker to bypass implemented security restrictions.

The issue exists because Apache Struts enables Dynamic Method Invocation by default. A remote attacker can trigger the vulnerability to bypass implemented security restrictions.


29) Improper access control (CVE-ID: CVE-2019-0233)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists because stack-accessible values (e.g. Action properties) of type java.io.File and java.nio.File, as well as other classes from these standard library packages, are not properly protected by the framework. When a file upload is performed to an Action that exposes the file with a getter, an attacker may manipulate the request such that the working copy of the uploaded file is set to read-only. As a result, subsequent actions on the file fail with an error. It might also be possible to set the Servlet container's temp directory to read-only, such that subsequent upload actions fail.


30) Improper Handling of Parameters (CVE-ID: CVE-2013-1965)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper handling of parameters. A remote unauthenticated attacker can trigger the vulnerability and execute arbitrary OGNL code via a crafted parameter name.


31) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2014-0112)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to improper access restrictions within the getClass method in ParametersInterceptor. A remote non-authenticated attacker can manipulate the ClassLoader via a specially crafted request and execute arbitrary code on the system.

Note: the vulnerability exists due to an incomplete fix for #VU5234 (CVE-2014-0094).


32) Code Injection (CVE-ID: CVE-2013-2134)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation. A remote attacker can execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching.


33) Command Injection (CVE-ID: CVE-2016-3081)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insufficient filtering of user-supplied data when Dynamic Method Invocation is enabled. A remote attacker can pass arbitrary OGNL expressions via the method: prefix and execute arbitrary code on the server.
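Items 28 and 33 together make the point that Dynamic Method Invocation should be off unless an application really needs it. The following struts.xml fragment is an added example, not configuration shipped by IBM or by the Struts project; the package, action and class names (com.example.EmployeeAction) are assumptions chosen to match the /employee/list URL used in the example under item 36. Both constants are real Struts settings.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN"
    "http://struts.apache.org/dtds/struts-2.5.dtd">
<struts>
    <!-- Item 28: DMI is enabled by default in the affected releases, and
         item 33 (CVE-2016-3081) is only reachable with it on. Turn it off. -->
    <constant name="struts.enable.DynamicMethodInvocation" value="false"/>

    <!-- Development mode exposes stack traces and relaxes checks; never ship with it on. -->
    <constant name="struts.devMode" value="false"/>

    <!-- With DMI off, bind each method explicitly instead of relying on
         "!method" or "method:" in the request. Class name is an assumption. -->
    <package name="employee" namespace="/employee" extends="struts-default">
        <action name="list" class="com.example.EmployeeAction" method="list">
            <result>/WEB-INF/jsp/employee/list.jsp</result>
        </action>
    </package>
</struts>
```

Disabling DMI is a mitigation for the method: prefix only; the OGNL-evaluation issues in the other items still require the vendor update.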


34) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2014-0113)

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists because the CookieInterceptor in Apache Struts does not properly restrict access to the getClass method when a wildcard cookiesName value is used. A remote attacker can manipulate the ClassLoader and execute arbitrary code via a crafted request.


35) Code Injection (CVE-ID: CVE-2013-2135)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation. A remote attacker can send a specially crafted request and execute arbitrary OGNL code via a request with a crafted value that contains both "${}" and "%{}" sequences, which causes the OGNL code to be evaluated twice.


36) Code Injection (CVE-ID: CVE-2019-0230)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The Apache Struts framework, when forced OGNL evaluation is used, performs double evaluation of the values assigned to certain tag attributes such as id, so it is possible to pass in a value that is evaluated again when the tag's attributes are rendered. With a carefully crafted request, this can lead to remote code execution (RCE).

The problem only applies when forcing OGNL evaluation inside a Struts tag attribute, when the expression to evaluate references raw, unvalidated input that an attacker is able to directly modify by crafting a corresponding request.

Example:

<s:url var="url" namespace="/employee" action="list"/><s:a id="%{skillName}" href="%{url}">List available Employees</s:a>

If an attacker is able to modify the skillName attribute in a request such that a raw OGNL expression gets passed to the skillName property without further validation, the provided OGNL expression contained in the skillName attribute gets evaluated when the tag is rendered as a result of the request.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
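Most of the code-execution items in this bulletin share a handful of request-level indicators: an OGNL expression in a parameter name with an action:, redirect:, redirectAction: or method: prefix (items 9, 15, 33), a class.classLoader parameter (items 27, 31, 34), forced %{...} or ${...} evaluation in a value (items 7, 35, 36), and references to OGNL context variables such as #_memberAccess or #context (item 6). The script below is an added example, not part of the IBM bulletin or the Struts project, that flags those indicators in web server access logs. The log lines are constructed for this example and the tag names are my own; a hit is an indicator worth triaging against the deployed Struts version, not proof of exploitation.

```python
from __future__ import annotations

import re
from urllib.parse import parse_qsl, unquote

# Constructed sample access-log lines for this example (format: METHOD TARGET STATUS).
# Lines 2-6 carry payload shapes matching items 9/15, 27, 33, 6/36 and 35 respectively.
SAMPLE_LOG = """\
GET /app/employee/list.action?skillName=java 200
GET /app/login.action?redirect:%25%7B%23context%5B%27xwork.MethodAccessor.denyMethodExecution%27%5D%3Dfalse%7D 302
GET /app/index.action?class.classLoader.resources.context.parent.pipeline.first.directory=webapps 200
GET /app/index.action?method:%23_memberAccess%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS 200
GET /app/employee/list.action?skillName=%25%7B%28%23dm%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS%29%7D 200
GET /app/employee/list.action?skillName=%24%7B%25%7B1%2B1%7D%7D 200
GET /app/static/logo.png 200
"""

# Parameter-name prefixes that vulnerable Struts releases evaluated as OGNL.
PREFIX_RE = re.compile(r"^(action|redirect|redirectAction|method):", re.IGNORECASE)
# Parameter names that walk from a bean's class to the container ClassLoader.
CLASSLOADER_RE = re.compile(r"(^|\.)class\.classLoader\b", re.IGNORECASE)
# OGNL context variables and the usual sandbox-disable strings.
CONTEXT_RE = re.compile(
    r"#_memberAccess|#context|#root|#this|#_classResolver|#_typeResolver"
    r"|@ognl\.OgnlContext@|xwork\.MethodAccessor\.denyMethodExecution",
    re.IGNORECASE,
)


def classify_request(target: str) -> list[str]:
    """Return sorted indicator tags found in one request target (path + query)."""
    tags: set[str] = set()
    # Split on '?' by hand so a raw '#' in a payload is not treated as a URL fragment.
    query = target.partition("?")[2]
    for name, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl decoded once; decode once more so double-encoded payloads are caught.
        name, value = unquote(name), unquote(value)
        if PREFIX_RE.search(name):
            tags.add("prefix-injection")
        if CLASSLOADER_RE.search(name):
            tags.add("classloader-manipulation")
        for field in (name, value):
            forced = "%{" in field
            dollar = "${" in field
            if forced or dollar:
                tags.add("forced-ognl")
            if forced and dollar:
                tags.add("double-eval")  # the ${}/%{} pairing from item 35
            if CONTEXT_RE.search(field):
                tags.add("ognl-context-access")
    return sorted(tags)


def scan_log(log_text: str) -> list[tuple[int, str, list[str]]]:
    """Run classify_request over each log line; return (line number, target, tags) for hits."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        parts = line.split()
        if len(parts) < 2:
            continue
        tags = classify_request(parts[1])
        if tags:
            hits.append((lineno, parts[1], tags))
    return hits


if __name__ == "__main__":
    for lineno, target, tags in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(tags)}  {target[:80]}")
```

The prefix and class.classLoader checks look only at parameter names because that is where those bugs lived; the forced-evaluation and context-variable checks look at both names and values, since the double-evaluation issues (items 7, 35, 36) are triggered by values reaching a tag attribute. Run it against real logs after adapting the line splitting to your log format.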


Remediation

Install the update from the vendor's website.