Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2010-3893

CWE-2644 documents4 sources
Severity
7.5HIGH
EPSS
9.0%
top 7.39%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
1
IBM Omnifind
Timeline
PublishedNov 12
Latest updateMay 14

Description

The administrator interface in IBM OmniFind Enterprise Edition 8.x and 9.x does not restrict use of a session ID (aka SID) value to a single IP address, which allows remote attackers to perform arbitrary administrative actions by leveraging cookie theft, related to a "session impersonation" issue.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages1 packages

NVDibm/omnifind5 versions+4

🔴Vulnerability Details

2
GHSA
GHSA-jx4v-m6x5-3c22: The administrator interface in IBM OmniFind Enterprise Edition 82022-05-14
CVEList
CVE-2010-3893: The administrator interface in IBM OmniFind Enterprise Edition 82010-11-12

💥Exploits & PoCs

1
Exploit-DB
IBM OmniFind - 'command' Cross-Site Scripting2010-11-09
CVE-2010-3893 (HIGH CVSS 7.5) | The administrator interface in IBM | cvebase.io