PT-2015-3810 · IBM · IBM Curam Social Program Management
Published 2015-04-27 · Updated 2015-04-27
CVE-2014-6090
CVSS v2.0: 6.8 (Medium), vector AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions
IBM Curam Social Program Management (SPM) 5.2 SP6 before EP6
IBM Curam Social Program Management (SPM) 6.0 SP2 before EP26
IBM Curam Social Program Management (SPM) 6.0.3 before 6.0.3.0 iFix8
IBM Curam Social Program Management (SPM) 6.0.4 before 6.0.4.5 iFix10
IBM Curam Social Program Management (SPM) 6.0.5 before 6.0.5.6
Description
Multiple cross-site request forgery (CSRF) vulnerabilities in the DataMappingEditorCommands, DatastoreEditorCommands, and IEGEditorCommands servlets allow remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences. The servlets accept state-changing requests on the strength of the victim's session cookie alone, so an attacker who gets an authenticated user to visit a page under the attacker's control can have that user's browser submit an editor command, including one whose data carries a script payload, with the user's authority. The attack needs the victim to be logged in and to be lured to the page, which is what the AC:M in the CVSS vector reflects.
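To make the flaw class concrete, here is an added example (not IBM's or Curam's code; the handler names, the application origin, the session layout and the sample requests are all hypothetical and constructed for illustration) that models an editor-command handler trusting the session cookie alone, beside a hardened handler that requires a per-session synchronizer token and checks the Origin/Referer, and shows the same forged cross-site request succeeding against the first and being rejected by the second:

```python
"""Constructed model of the CSRF flaw class in the advisory above: an
editor command that trusts the session cookie alone, beside a hardened
version that demands a per-session synchronizer token and an Origin check.
Added example; not IBM Curam SPM code. All names are hypothetical."""
import hmac
import secrets
from dataclasses import dataclass, field

APP_ORIGIN = "https://spm.example.invalid"  # assumed application origin

# Constructed in-memory stores standing in for the servlet container's
# session map and the datastore the editor commands write to.
SESSIONS: dict[str, dict] = {}
STORED: list[tuple[str, str]] = []


@dataclass
class Request:
    """Minimal HTTP request model: method, cookies, form fields, headers."""
    method: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def create_session(user: str) -> str:
    """Log a user in; also mint a random CSRF token bound to the session."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_hex(16)}
    return sid


def vulnerable_editor_command(req: Request) -> tuple[int, str]:
    """Vulnerable pattern: authorises the write on the session cookie alone.
    The browser attaches that cookie to any request, including one forged by
    another site, so the attacker inherits the victim's authority."""
    sess = SESSIONS.get(req.cookies.get("JSESSIONID", ""))
    if sess is None:
        return 401, "not authenticated"
    STORED.append((sess["user"], req.form.get("value", "")))
    return 200, "saved"


def hardened_editor_command(req: Request) -> tuple[int, str]:
    """Hardened pattern: state changes need POST, a token the attacker's page
    cannot read, and an Origin/Referer consistent with the application."""
    sess = SESSIONS.get(req.cookies.get("JSESSIONID", ""))
    if sess is None:
        return 401, "not authenticated"
    if req.method != "POST":
        return 405, "state change requires POST"
    # Synchronizer token, compared in constant time.
    if not hmac.compare_digest(req.form.get("csrf_token", ""), sess["csrf_token"]):
        return 403, "missing or invalid csrf token"
    # Defence in depth: browsers set Origin on cross-site POSTs and a page
    # cannot spoof it. Reject anything that is present and not ours; the
    # trailing "/" guard stops "https://spm.example.invalid.evil" passing.
    source = req.headers.get("Origin") or req.headers.get("Referer", "")
    if source and source != APP_ORIGIN and not source.startswith(APP_ORIGIN + "/"):
        return 403, "cross-origin request rejected"
    STORED.append((sess["user"], req.form.get("value", "")))
    return 200, "saved"


def forged_request(sid: str) -> Request:
    """What an auto-submitting form on attacker.invalid makes the victim's
    browser send: the session cookie rides along, the per-session token does
    not, and the browser stamps the attacker's Origin. The value is the kind
    of XSS payload the advisory says a forged request can insert."""
    return Request(
        method="POST",
        cookies={"JSESSIONID": sid},
        form={"value": "<script>alert(document.cookie)</script>"},
        headers={"Origin": "https://attacker.invalid"},
    )


def legitimate_request(sid: str) -> Request:
    """A same-origin submission carrying the token the page rendered."""
    return Request(
        method="POST",
        cookies={"JSESSIONID": sid},
        form={"value": "address_line_1", "csrf_token": SESSIONS[sid]["csrf_token"]},
        headers={"Origin": APP_ORIGIN},
    )


def demo() -> dict:
    """Run the forged request against both handlers and a legitimate one
    against the hardened handler; return status codes and what was stored."""
    STORED.clear()
    sid = create_session("caseworker")
    return {
        "vulnerable_forged": vulnerable_editor_command(forged_request(sid))[0],
        "hardened_forged": hardened_editor_command(forged_request(sid))[0],
        "hardened_legit": hardened_editor_command(legitimate_request(sid))[0],
        "stored": list(STORED),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The forged request is accepted by the vulnerable handler and the script payload lands in the store under the victim's identity; the hardened handler rejects it because the attacker's page cannot obtain the token, and the Origin check would catch it even if a token leaked. Output encoding of stored values on render is a separate control and is not shown here.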
Recommendations
For IBM Curam Social Program Management (SPM) version 5.2 SP6, update to EP6 or later.
For IBM Curam Social Program Management (SPM) version 6.0 SP2, update to EP26 or later.
For IBM Curam Social Program Management (SPM) version 6.0.3, apply iFix8 or later.
For IBM Curam Social Program Management (SPM) version 6.0.4, apply iFix10 or later.
For IBM Curam Social Program Management (SPM) version 6.0.5, update to 6.0.5.6 or later.
Fix
CSRF
Affected Products
IBM Curam Social Program Management