October 23, 2023

CVE-2023-38722 - Stored Cross-Site Scripting in IBM Sterling Partner Engagement Manager

1. Vulnerability Properties

Title: Stored Cross-Site Scripting in IBM Sterling Partner Engagement Manager
CVE ID: CVE-2023-38722
CVSSv3 Base Score: 6.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N)
Vendor: IBM
Products: Sterling Partner Engagement Manager
Advisory Release Date: 23-10-2023
Advisory URL: https://labs.integrity.pt/advisories/cve-2023-38722
Credits: Discovery by Lucas Machado <lucas.machado[at]devoteam.com>

2. Vulnerability Summary

IBM Sterling Partner Engagement Manager is vulnerable to Stored Cross-Site Scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

3. Vulnerable Versions

IBM Sterling Partner Engagement Manager Essentials Edition - 6.1.2, 6.2.0, 6.2.2.
IBM Sterling Partner Engagement Manager Standard Edition - 6.1.2, 6.2.0, 6.2.2.

4. Solution

Fix is available in IBM Sterling Partner Engagement Manager 6.2.2.1.2.

5. Vulnerability Timeline

05/Jul/23 - Bug reported to IBM PSIRT
05/Jul/23 - Bug verified by vendor
23/Oct/23 - Advisory released

6. References

https://www.ibm.com/support/pages/node/7057407
https://exchange.xforce.ibmcloud.com/vulnerabilities/262174
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38722

CVE-2023-26101 - Path Traversal vulnerability in Flowmon Packet Investigator 12.0.1

CVE-2023-26218 - Cross-site Scripting vulnerabilities in TIBCO Nimbus