CVE-2019-4444

CWE-200 — Information Exposure14 documents5 sources

Severity

5.5MEDIUM

EPSS

0.1%

top 72.22%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

IBM API Connect

Timeline

PublishedDec 16

Latest updateMay 24

Description

IBM API Connect 2018.1 through 2018.4.1.7 Developer Portal's user registration page does not disable password autocomplete. An attacker with access to the browser instance and local system credentials can steal the credentials used for registration. IBM X-Force ID: 163453.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages2 packages

▶NVDibm/api_connect2018.1.0 — 2018.4.1.7

▶CVEListV5ibm/api_connect2018.4.1.0, 2018.4.1.7+1

🔴Vulnerability Details

GHSA

GHSA-r9hf-x4r3-rxpr: IBM API Connect 2018↗2022-05-24

▶

CVEList

CVE-2019-4444: IBM API Connect 2018↗2019-12-16

▶

💥Exploits & PoCs

Exploit-DB

SmarterMail Build 6985 - Remote Code Execution↗2020-12-09

▶

Exploit-DB

WMV to AVI MPEG DVD WMV Convertor 4.6.1217 - Buffer OverFlow (SEH)↗2019-10-31

▶

Exploit-DB

ProShow 9.0.3797 - Local Privilege Escalation↗2019-06-11

▶

Exploit-DB

DVD X Player 5.5 Pro - Local Buffer Overflow (SEH)↗2019-06-04

▶

Exploit-DB

Cisco Prime Infrastructure Health Monitor HA TarArchive - Directory Traversal / Remote Code Execution↗2019-05-17

▶