Two Critical Vulnerabilities in IBM products (CVE-2016-1000027, CVE-2024-47875)

Imechapishwa: Nov 22, 2024 18:14

Advisory No: TZCERT-SA-24-0047

Source: IBM

Software Affected: pivotal-spring, DOMPurify

Overview

Multiple IBM products are vulnerable to critical vulnerabilities. A remote attacker can exploit these vulnerabilities to execute arbitrary code.

Description

IBM products depending on pivotal-spring and DOMPurify are affected by critical vulnerabilities tracked as CVE-2016-1000027 and CVE-2024-47875 with CVSS base scores of 9.8 and 10 respectively. The vulnerabilities result from an unsafe deserialization flaw in the library and nesting-based mXSS. The attacker can exploit these vulnerabilities by sending a specially crafted request to execute arbitrary code on the affected system.

Impact

Successful exploitation of these vulnerabilities may allow the attacker to take control of the affected system.

Solution

IBM has released security patches for these vulnerabilities. Users and administrators are encouraged to apply necessary updates.

Subscribe To TZ - CERT Newsletter

A digest of Tanzania Computer Emergency Response Team coverage of cyber-security news across the globe.

Subscribe
Ripoti Tukio