Vulnerability Details : CVE-2018-1774
IBM API Connect 5.0.0.0, 5.0.8.4, 2018.1 and 2018.3.6 is vulnerable to CSV injection via the developer portal and analytics that could contain malicious commands that would be executed once opened by an administrator. IBM X-Force ID: 148692.
Products affected by CVE-2018-1774
- cpe:2.3:a:ibm:api_connect:*:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:api_connect:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-1774
0.06%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 25 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2018-1774
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.8
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
8.6
|
6.4
|
NIST | |
7.8
|
HIGH | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
1.8
|
5.9
|
NIST | |
8.9
|
HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L |
2.3
|
6.0
|
IBM Corporation |
CWE ids for CVE-2018-1774
-
The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-1774
-
https://www.ibm.com/support/docview.wss?uid=ibm10737867
IBM Security Bulletin: IBM API Connect is vulnerable to CSV Injection (CVE-2018-1774)Vendor Advisory
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/148692
IBM API Connect script injection CVE-2018-1774 Vulnerability ReportVDB Entry;Vendor Advisory
Jump to