Arbitrary file upload in IBM Engineering Lifecycle Optimization

#VU94699 Arbitrary file upload in IBM Engineering Lifecycle Optimization - Publishing

Published: 2024-07-24

Vulnerability identifier: #VU94699

Vulnerability risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-45188

CWE-ID: CWE-434

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
IBM Engineering Lifecycle Optimization - Publishing
Other software / Other software solutions

Vendor:

Description

The vulnerability allows a remote user to upload arbitrary files.

The vulnerability exists due to improper validation of file extensions. A remote attacker can send a specially crafted request to upload a malicious file and execute it on the server.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

External links
http://www.ibm.com/support/pages/node/7156757
http://exchange.xforce.ibmcloud.com/vulnerabilities/268751

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Arbitrary file upload in IBM Engineering Lifecycle Optimization - Publishing