CVE-2023-28952 — Improper Output Neutralization for Logs in IBM Cognos Controller

CWE-117 — Improper Output Neutralization for Logs CWE-116 — Improper Encoding or Escaping of Output3 documents3 sources

Severity

5.3MEDIUMNVD

EPSS

0.1%

top 78.68%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

IBM Cognos Controller

Timeline

PublishedMay 3

Description

IBM Cognos Controller 10.4.1, 10.4.2, and 11.0.0 is vulnerable to injection attacks in application logging by not sanitizing user provided data. IBM X-Force ID: 251463.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

▶CVEListV5ibm/cognos_controller10.4.1, 10.4.2, 11.0.0

▶NVDibm/cognos_controller10.4.1, 10.4.2, 11.0.0+2

🔴Vulnerability Details

GHSA

GHSA-mcp9-hfjj-cpp5: IBM Cognos Controller 10↗2024-05-03

▶

CVEList

IBM Cognos Controller log injection↗2024-05-03

▶