FKIE_CVE-2014-3040

Vulnerability from fkie_nvd - Published: 2014-08-26 10:55 - Updated: 2025-04-12 10:46
Severity ?
Summary
Cross-site request forgery (CSRF) vulnerability in IBM Emptoris Contract Management 9.5.x before 9.5.0.6 iFix 10, 10.0.0.x before 10.0.0.1 iFix 10, 10.0.1.x before 10.0.1.4, and 10.0.2.x before 10.0.2.2 iFix 2; Emptoris Sourcing Portfolio 9.5.x before 9.5.1.3, 10.0.0.x before 10.0.0.1, 10.0.1.x before 10.0.1.3, and 10.0.2.x before 10.0.2.4; and Emptoris Spend Analysis 9.5.x before 9.5.0.4, 10.0.1.x before 10.0.1.3, and 10.0.2.x before 10.0.2.4 allows remote authenticated users to hijack the authentication of arbitrary users for requests that insert XSS sequences.
References
psirt@us.ibm.comhttp://secunia.com/advisories/60479
psirt@us.ibm.comhttp://secunia.com/advisories/60480
psirt@us.ibm.comhttp://secunia.com/advisories/60481
psirt@us.ibm.comhttp://www-01.ibm.com/support/docview.wss?uid=swg21680370Vendor Advisory
psirt@us.ibm.comhttp://www-01.ibm.com/support/docview.wss?uid=swg21680665Vendor Advisory
psirt@us.ibm.comhttp://www-01.ibm.com/support/docview.wss?uid=swg21681277Vendor Advisory
psirt@us.ibm.comhttps://exchange.xforce.ibmcloud.com/vulnerabilities/93306
af854a3a-2127-422b-91ae-364da2661108http://secunia.com/advisories/60479
af854a3a-2127-422b-91ae-364da2661108http://secunia.com/advisories/60480
af854a3a-2127-422b-91ae-364da2661108http://secunia.com/advisories/60481
af854a3a-2127-422b-91ae-364da2661108http://www-01.ibm.com/support/docview.wss?uid=swg21680370Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://www-01.ibm.com/support/docview.wss?uid=swg21680665Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://www-01.ibm.com/support/docview.wss?uid=swg21681277Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://exchange.xforce.ibmcloud.com/vulnerabilities/93306
Impacted products
Vendor Product Version
ibm emptoris_spend_analysis 9.5.0.0
ibm emptoris_spend_analysis 9.5.0.1
ibm emptoris_spend_analysis 9.5.0.2
ibm emptoris_spend_analysis 9.5.0.3
ibm emptoris_spend_analysis 10.0.0.0
ibm emptoris_spend_analysis 10.0.0.1
ibm emptoris_spend_analysis 10.0.1.0
ibm emptoris_spend_analysis 10.0.1.1
ibm emptoris_spend_analysis 10.0.1.2
ibm emptoris_spend_analysis 10.0.2.0
ibm emptoris_spend_analysis 10.0.2.2
ibm emptoris_sourcing_portfolio 9.5.0.0
ibm emptoris_sourcing_portfolio 9.5.0.1
ibm emptoris_sourcing_portfolio 9.5.0.2
ibm emptoris_sourcing_portfolio 9.5.1.0
ibm emptoris_sourcing_portfolio 9.5.1.1
ibm emptoris_sourcing_portfolio 9.5.1.2
ibm emptoris_sourcing_portfolio 10.0.0.0
ibm emptoris_sourcing_portfolio 10.0.1.0
ibm emptoris_sourcing_portfolio 10.0.1.1
ibm emptoris_sourcing_portfolio 10.0.1.2
ibm emptoris_sourcing_portfolio 10.0.2.0
ibm emptoris_sourcing_portfolio 10.0.2.2
ibm emptoris_sourcing_portfolio 10.0.2.3
ibm emptoris_contract_management 9.5.0.0
ibm emptoris_contract_management 9.5.0.1
ibm emptoris_contract_management 9.5.0.2
ibm emptoris_contract_management 9.5.0.3
ibm emptoris_contract_management 9.5.0.4
ibm emptoris_contract_management 9.5.0.5
ibm emptoris_contract_management 9.5.0.6
ibm emptoris_contract_management 10.0.0.0
ibm emptoris_contract_management 10.0.0.1
ibm emptoris_contract_management 10.0.1.0
ibm emptoris_contract_management 10.0.1.1
ibm emptoris_contract_management 10.0.1.2
ibm emptoris_contract_management 10.0.1.3
ibm emptoris_contract_management 10.0.1.5
ibm emptoris_contract_management 10.0.2.0
ibm emptoris_contract_management 10.0.2.1
ibm emptoris_contract_management 10.0.2.2
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:ibm:emptoris_spend_analysis:9.5.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "1173E8F6-A85E-452C-9B36-89427D57DDF0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:emptoris_spend_analysis:9.5.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "BD21D4C5-5180-4AE0-A11F-009A6CF1EFA0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:emptoris_spend_analysis:9.5.0.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "8EC42DEB-FA8D-42C4-ACDC-0A5036939B2E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:emptoris_spend_analysis:9.5.0.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "DE122AF0-070A-41EE-980C-C55BF1A7995F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:emptoris_spend_analysis:10.0.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "117DE7FF-B360-4289-A576-5C0868C71ABB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:emptoris_spend_analysis:10.0.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "4EF90C02-38E5-4994-9360-867121A796C5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:emptoris_spend_analysis:10.0.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "501E457B-084A-4E3B-981A-01B19B28B0B1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:emptoris_spend_analysis:10.0.1.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "54F1BCFD-6DCD-4427-AC89-638588878713",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:emptoris_spend_analysis:10.0.1.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "1C2FD0BD-DFFF-4512-A290-EACBC82EFB04",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:emptoris_spend_analysis:10.0.2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "251FE42A-D7C2-415A-8356-F0B1A141147A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:emptoris_spend_analysis:10.0.2.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "A975908E-A3C9-4F2C-AE37-66F6F54239DA",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:ibm:emptoris_sourcing_portfolio:9.5.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "516752F7-FBA1-4A6B-9BFB-B266024AEBD4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:emptoris_sourcing_portfolio:9.5.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "2C6D86CF-6DCD-4B23-AA59-77780D9F141E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:emptoris_sourcing_portfolio:9.5.0.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "E9AE02CB-CD39-4A88-8F9E-AFCDFBB9025F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:emptoris_sourcing_portfolio:9.5.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F9AE268C-C2B0-4FC6-BC81-E1A34F95709E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:emptoris_sourcing_portfolio:9.5.1.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "81CAB980-749B-4573-8C2E-A3C4E1313CC0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:emptoris_sourcing_portfolio:9.5.1.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "69D4F224-F077-4C59-B76E-76A41F829B74",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:emptoris_sourcing_portfolio:10.0.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "E67AA9E6-8E05-4EA6-99ED-51C7F5D11501",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:emptoris_sourcing_portfolio:10.0.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "E34A7ACD-EF0D-4333-A3A0-8CE4CB132FF7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:emptoris_sourcing_portfolio:10.0.1.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "5820700D-1124-4BF3-ABF5-AD6271D2480C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:emptoris_sourcing_portfolio:10.0.1.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "D8BC7A60-CF57-48BA-BDAF-C995E1FFF30F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:emptoris_sourcing_portfolio:10.0.2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "37DB7389-8FF9-4E94-BD94-9685E6AADAEE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:emptoris_sourcing_portfolio:10.0.2.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "162FE448-69CA-45B7-A902-A5F3A9966D8A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:emptoris_sourcing_portfolio:10.0.2.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "B6C9636B-D48A-4836-9679-A6E197FB35CB",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:ibm:emptoris_contract_management:9.5.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F6F3C251-C3BA-4304-9878-102F3F2FFFCB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:emptoris_contract_management:9.5.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "82DA8E24-DDBC-48E0-A2A3-57E06CDCF85C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:emptoris_contract_management:9.5.0.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "70478E47-1C52-45E6-92A9-698CA5C25C3C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:emptoris_contract_management:9.5.0.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "4B85D7E5-9D5B-4B77-A032-3BF92C2EF735",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:emptoris_contract_management:9.5.0.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "A85A9BD0-6E1F-4758-AEF3-E10CC4F9FDCF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:emptoris_contract_management:9.5.0.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "479D5852-9127-4AB3-82BB-37A552C14781",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:emptoris_contract_management:9.5.0.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "991D88E6-740E-4F75-B616-5179B015A9D6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:emptoris_contract_management:10.0.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "88BD708C-D51D-4990-8262-52DB13B7EDC7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:emptoris_contract_management:10.0.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "629E78F5-0CEE-4CC2-8C4B-949D15531905",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:emptoris_contract_management:10.0.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "808FE7AE-3D37-4646-AE54-6D430122DBCD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:emptoris_contract_management:10.0.1.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "892A2283-35E9-4E61-A6D0-B3AF6FE16869",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:emptoris_contract_management:10.0.1.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "FCDC9134-E550-495D-92E7-81CF72A2CC65",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:emptoris_contract_management:10.0.1.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "9B5470C2-DEB2-4DB9-9637-908FD1A0AE70",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:emptoris_contract_management:10.0.1.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "D089951B-A834-4B94-9979-F9466AA0A106",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:emptoris_contract_management:10.0.2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "6827F5B1-0114-472F-9991-14F8B49D8B94",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:emptoris_contract_management:10.0.2.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "C7BAC0A1-FAE0-49F1-AE13-7022122A8E76",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:emptoris_contract_management:10.0.2.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "7CB8BBCB-22B3-4C96-9DF9-66163EFBA40D",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site request forgery (CSRF) vulnerability in IBM Emptoris Contract Management 9.5.x before 9.5.0.6 iFix 10, 10.0.0.x before 10.0.0.1 iFix 10, 10.0.1.x before 10.0.1.4, and 10.0.2.x before 10.0.2.2 iFix 2; Emptoris Sourcing Portfolio 9.5.x before 9.5.1.3, 10.0.0.x before 10.0.0.1, 10.0.1.x before 10.0.1.3, and 10.0.2.x before 10.0.2.4; and Emptoris Spend Analysis 9.5.x before 9.5.0.4, 10.0.1.x before 10.0.1.3, and 10.0.2.x before 10.0.2.4 allows remote authenticated users to hijack the authentication of arbitrary users for requests that insert XSS sequences."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad de CSRF en IBM Emptoris Contract Management 9.5.x anterior a 9.5.0.6 iFix 10, 10.0.0.x anterior a 10.0.0.1 iFix 10, 10.0.1.x anterior a 10.0.1.4, y 10.0.2.x anterior a 10.0.2.2 iFix 2; Emptoris Sourcing Portfolio 9.5.x anterior a 9.5.1.3, 10.0.0.x anterior a 10.0.0.1, 10.0.1.x anterior a 10.0.1.3, y 10.0.2.x anterior a 10.0.2.4; y Emptoris Spend Analysis 9.5.x anterior a 9.5.0.4, 10.0.1.x anterior a 10.0.1.3, y 10.0.2.x anterior a 10.0.2.4 permite a usuarios remotos autenticados secuestrar la autenticaci\u00f3n de usuarios arbitrarios para solicitudes que insertan secuencias de XSS."
    }
  ],
  "id": "CVE-2014-3040",
  "lastModified": "2025-04-12T10:46:40.837",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 6.8,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ]
  },
  "published": "2014-08-26T10:55:04.183",
  "references": [
    {
      "source": "psirt@us.ibm.com",
      "url": "http://secunia.com/advisories/60479"
    },
    {
      "source": "psirt@us.ibm.com",
      "url": "http://secunia.com/advisories/60480"
    },
    {
      "source": "psirt@us.ibm.com",
      "url": "http://secunia.com/advisories/60481"
    },
    {
      "source": "psirt@us.ibm.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21680370"
    },
    {
      "source": "psirt@us.ibm.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21680665"
    },
    {
      "source": "psirt@us.ibm.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21681277"
    },
    {
      "source": "psirt@us.ibm.com",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/93306"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://secunia.com/advisories/60479"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://secunia.com/advisories/60480"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://secunia.com/advisories/60481"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21680370"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21680665"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21681277"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/93306"
    }
  ],
  "sourceIdentifier": "psirt@us.ibm.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.