Multiple IBM Emptoris Products Cross Site Request Forgery Vulnerabilities
23 Jan. 2015
Cross-site request forgery (CSRF) vulnerability in IBM Emptoris Contract Management 9.5.x before 22.214.171.124 iFix 10, 10.0.0.x before 10.0.0.1 iFix 10, 10.0.1.x before 10.0.1.4, and 10.0.2.x before 10.0.2.2 iFix 2; Emptoris Sourcing Portfolio 9.5.x before 126.96.36.199, 10.0.0.x before 10.0.0.1, 10.0.1.x before 10.0.1.3, and 10.0.2.x before 10.0.2.4; and Emptoris Spend Analysis 9.5.x before 188.8.131.52, 10.0.1.x before 10.0.1.3, and 10.0.2.x before 10.0.2.4 allows remote authenticated users to hijack the authentication of arbitrary users for requests that insert XSS sequences.
Vulnerable:
* IBM Emptoris Contract Management before 10.0.2.2 iFix 2
* Emptoris Sourcing Portfolio before 10.0.2.4
* Emptoris Spend Analysis before 10.0.2.4
Not vulnerable:
* IBM Emptoris Contract Management after 10.0.2.2 iFix 2
* Emptoris Sourcing Portfolio after 10.0.2.4
* Emptoris Spend Analysis after 10.0.2.4
Multiple IBM Emptoris products are prone to a cross-site request-forgery vulnerability because they fail to properly validate HTTP requests. Exploiting this issue may allow a remote attacker to perform certain unauthorized actions in the context of an authenticated user and gain access to the affected application. Other attacks are also possible.
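As an added illustration (not IBM's code and not taken from the advisory), this is the kind of request validation whose absence makes CSRF possible: a per-session synchronizer token checked in constant time, combined with an Origin/Referer check that fails closed. The application origin is an assumed placeholder, not the real Emptoris host.

```python
import hmac
import secrets
from typing import Optional
from urllib.parse import urlsplit

# Assumed placeholder for the application's own origin (not from the advisory).
APP_ORIGIN = "https://emptoris.example.internal"


def issue_csrf_token(session: dict) -> str:
    """Bind a fresh random token to the server-side session (synchronizer token)."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def _source_origin(headers: dict) -> Optional[str]:
    # Browsers send Origin on cross-site POSTs; fall back to the Referer's origin
    # when Origin is absent. Returns None if neither header is present.
    origin = headers.get("Origin")
    if origin is None and "Referer" in headers:
        parts = urlsplit(headers["Referer"])
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin


def is_request_authentic(session: dict, headers: dict, form: dict) -> bool:
    """Return True only if a state-changing request verifiably came from our own pages."""
    # 1. Origin check: a forged request carries the victim's cookies but a foreign
    #    Origin/Referer. With neither header present we fail closed.
    if _source_origin(headers) != APP_ORIGIN:
        return False
    # 2. Token check: another site cannot read our page (same-origin policy), so it
    #    cannot learn the token to include in the form. Compare in constant time.
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, submitted):
        return False
    return True
```

Applied to every state-changing endpoint, a request that merely arrives with a valid session cookie is no longer sufficient to change data, which is the property the affected Emptoris versions lacked.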