Skip to main content

Robotic Process Automation With Automation Anywhere CVE-2018-1514

HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2018-06-07 psirt@us.ibm.com
8.8
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Jun 07, 2018 - 14:29 nvd
HIGH 8.8

DescriptionNVD

IBM Robotic Process Automation with Automation Anywhere 10.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 141622.

AnalysisAI

IBM Robotic Process Automation with Automation Anywhere 10.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

Technical ContextAI

This vulnerability is classified as Cross-Site Request Forgery (CSRF) (CWE-352), which allows attackers to trick authenticated users into performing unintended actions. IBM Robotic Process Automation with Automation Anywhere 10.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 141622. Affected products include: Ibm Robotic Process Automation With Automation Anywhere.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Implement anti-CSRF tokens, validate Origin/Referer headers, use SameSite cookie attribute.

CVE-2019-4336 CRITICAL
9.8 Jul 01

IBM Robotic Process Automation with Automation Anywhere 11 uses an inadequate account lockout setting that could allow a

CVE-2018-1552 HIGH
8.8 Nov 02

IBM Robotic Process Automation with Automation Anywhere 10.0 and 11.0 allows a remote attacker to execute arbitrary code

CVE-2018-1877 HIGH
7.8 Nov 02

IBM Robotic Process Automation with Automation Anywhere 11 could store highly sensitive information in the form of unenc

CVE-2018-1547 HIGH
7.7 Jun 07

IBM Robotic Process Automation with Automation Anywhere 10.0 could allow a remote attacker to execute arbitrary code on

CVE-2019-4298 HIGH
7.1 Jul 01

IBM Robotic Process Automation with Automation Anywhere 11 uses a high privileged PostgreSQL account for database access

CVE-2018-1795 MEDIUM
6.1 Oct 05

IBM Robotic Process Automation with Automation Anywhere Enterprise 10 is vulnerable to cross-site scripting. Rated mediu

CVE-2019-4299 MEDIUM
5.5 Jul 01

IBM Robotic Process Automation with Automation Anywhere 11 could allow a local user to obtain highly sensitive informati

CVE-2018-1876 MEDIUM
5.5 Nov 02

IBM Robotic Process Automation with Automation Anywhere 11 could under certain cases, display the password in a Control

CVE-2017-1751 MEDIUM
5.4 Dec 20

IBM Robotic Process Automation with Automation Anywhere 10.0.0 is vulnerable to cross-site scripting. Rated medium sever

CVE-2019-4297 MEDIUM
5.4 Jul 01

IBM Robotic Process Automation with Automation Anywhere 11 could allow a remote authenticated attacker to conduct an LDA

CVE-2018-1812 MEDIUM
5.4 Oct 05

IBM Robotic Process Automation with Automation Anywhere Enterprise 10 is vulnerable to persistent cross-site scripting,

CVE-2019-4337 MEDIUM
5.3 Jul 01

IBM Robotic Process Automation with Automation Anywhere 11 could allow an attacker to obtain sensitive information due t

Share

CVE-2018-1514 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy