Vulnerability Details : CVE-2018-1774
IBM API Connect 5.0.0.0, 5.0.8.4, 2018.1 and 2018.3.6 is vulnerable to CSV injection via the developer portal and analytics that could contain malicious commands that would be executed once opened by an administrator. IBM X-Force ID: 148692.
Exploit prediction scoring system (EPSS) score for CVE-2018-1774
Probability of exploitation activity in the next 30 days: 0.06%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 25 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2018-1774
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
6.8
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
8.6
|
6.4
|
NIST |
|
7.8
|
HIGH | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
1.8
|
5.9
|
NIST |
|
8.9
|
HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L |
2.3
|
6.0
|
IBM Corporation |
CWE ids for CVE-2018-1774
-
The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-1774
-
https://www.ibm.com/support/docview.wss?uid=ibm10737867
IBM Security Bulletin: IBM API Connect is vulnerable to CSV Injection (CVE-2018-1774)Vendor Advisory
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/148692
IBM API Connect script injection CVE-2018-1774 Vulnerability ReportVDB Entry;Vendor Advisory
Products affected by CVE-2018-1774
- cpe:2.3:a:ibm:api_connect:*:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:api_connect:*:*:*:*:*:*:*:*