CVE-2013-0578

Name of the Vulnerable Software and Affected Versions IBM Sterling Multi-Channel Fulfillment Solution version 8.0 before HF128 IBM Sterling Selling and Fulfillment Foundation versions 8.5 before HF93 IBM Sterling Selling and Fulfillment Foundation versions 9.0 before HF73 IBM Sterling Selling and Fulfillment Foundation versions 9.1.0 before FP45 IBM Sterling Selling and Fulfillment Foundation versions 9.2.0 before FP17

Description The issue concerns the Sterling Order Management APIs in IBM Sterling solutions. When the API tester is enabled, it does not require administrative credentials, allowing remote authenticated users to obtain sensitive database information via a request to the API tester URI.

Recommendations For IBM Sterling Multi-Channel Fulfillment Solution version 8.0, apply HF128 or later to resolve the issue. For IBM Sterling Selling and Fulfillment Foundation version 8.5, apply HF93 or later to resolve the issue. For IBM Sterling Selling and Fulfillment Foundation version 9.0, apply HF73 or later to resolve the issue. For IBM Sterling Selling and Fulfillment Foundation version 9.1.0, apply FP45 or later to resolve the issue. For IBM Sterling Selling and Fulfillment Foundation version 9.2.0, apply FP17 or later to resolve the issue. As a temporary workaround, consider disabling the API tester until a patch is available.