CVE-2014-4790 — Improper Authentication in IBM Emptoris Sourcing Portfolio

CWE-264 CWE-287 — Improper Authentication5 documents5 sources

Severity

4.9MEDIUMNVD

EPSS

0.2%

top 57.82%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

IBM Emptoris Sourcing Portfolio IBM Emptoris Spend Analysis

Timeline

PublishedAug 26

Latest updateMay 17

Description

IBM Emptoris Sourcing Portfolio 9.5.x before 9.5.1.3, 10.0.0.x before 10.0.0.1, 10.0.1.x before 10.0.1.3, and 10.0.2.x before 10.0.2.4 and Emptoris Spend Analysis 9.5.x before 9.5.0.4, 10.0.1.x before 10.0.1.3, and 10.0.2.x before 10.0.2.4 do not properly restrict use of FRAME elements, which allows remote authenticated users to conduct phishing attacks, and bypass intended access restrictions or obtain sensitive information, via a crafted web site, related to a "frame injection" issue.

CVSS vector

AV:N/AC:M/C:P/I:P/A:NExploitability: 6.8 | Impact: 4.9

Affected Packages2 packages

▶NVDibm/emptoris_spend_analysis9 versions+8

▶NVDibm/emptoris_sourcing_portfolio13 versions+12

Patches

Patch: www-01.ibm.com ↗Patch: www-01.ibm.com ↗Patch: www-01.ibm.com ↗

🔴Vulnerability Details

GHSA

GHSA-gpqp-wqv8-8mph: IBM Emptoris Sourcing Portfolio 9↗2022-05-17

▶

CVEList

CVE-2014-4790: IBM Emptoris Sourcing Portfolio 9↗2014-08-26

▶

📋Vendor Advisories

Red Hat

strongswan: authentication bypass in verify_emsa_pkcs1_signature() in gmp_rsa_public_key.c↗2018-09-24

▶

💬Community

Bugzilla

CVE-2018-16152 strongswan: authentication bypass in verify_emsa_pkcs1_signature() in gmp_rsa_public_key.c↗2018-10-03

▶