PT-2014-2731 · Ibm · Maximo Service Desk+5

Published

2014-05-26

Updated

2017-08-29

CVE-2013-4016

CVSS v2.0

6.5

Medium

Vector

AV:N/AC:L/Au:S/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions IBM Maximo Asset Management versions 7.1.1 before 7.1.1.7 LAFIX.20140319-0837 IBM Maximo Asset Management versions 7.1.1.11 before IFIX.20140323-0749 IBM Maximo Asset Management versions 7.1.1.12 before IFIX.20140321-1336 IBM Maximo Asset Management versions 7.5.x before 7.5.0.3 IFIX027 IBM Maximo Asset Management versions 7.5.0.4 before IFIX011 IBM Maximo Asset Management versions 7.5.0.5 before IFIX006 SmartCloud Control Desk versions 7.x before 7.5.0.3 SmartCloud Control Desk versions 7.5.1.x before 7.5.1.2 Tivoli IT Asset Management for IT versions 7.x before 7.1.1.7 LAFIX.20140319-0837 Tivoli IT Asset Management for IT versions 7.1.1.11 before IFIX.20140207-1801 Tivoli IT Asset Management for IT versions 7.1.1.12 before IFIX.20140218-1510 Tivoli Service Request Manager versions 7.x before 7.1.1.7 LAFIX.20140319-0837 Tivoli Service Request Manager versions 7.1.1.11 before IFIX.20140207-1801 Tivoli Service Request Manager versions 7.1.1.12 before IFIX.20140218-1510 Maximo Service Desk versions 7.x before 7.1.1.7 LAFIX.20140319-0837 Maximo Service Desk versions 7.1.1.11 before IFIX.20140207-1801 Maximo Service Desk versions 7.1.1.12 before IFIX.20140218-1510 Change and Configuration Management Database (CCMDB) versions 7.x before 7.1.1.7 LAFIX.20140319-0837 Change and Configuration Management Database (CCMDB) versions 7.1.1.11 before IFIX.20140207-1801 Change and Configuration Management Database (CCMDB) versions 7.1.1.12 before IFIX.20140218-1510

Description The issue allows remote authenticated users to execute arbitrary SQL commands via a Birt report with a WHERE clause in plain text.

Recommendations For IBM Maximo Asset Management versions 7.1.1 before 7.1.1.7 LAFIX.20140319-0837, update to version 7.1.1.7 LAFIX.20140319-0837 or later. For IBM Maximo Asset Management versions 7.1.1.11 before IFIX.20140323-0749, update to version 7.1.1.11 IFIX.20140323-0749 or later. For IBM Maximo Asset Management versions 7.1.1.12 before IFIX.20140321-1336, update to version 7.1.1.12 IFIX.20140321-1336 or later. For IBM Maximo Asset Management versions 7.5.x before 7.5.0.3 IFIX027, update to version 7.5.0.3 IFIX027 or later. For IBM Maximo Asset Management versions 7.5.0.4 before IFIX011, update to version 7.5.0.4 IFIX011 or later. For IBM Maximo Asset Management versions 7.5.0.5 before IFIX006, update to version 7.5.0.5 IFIX006 or later. For SmartCloud Control Desk versions 7.x before 7.5.0.3, update to version 7.5.0.3 or later. For SmartCloud Control Desk versions 7.5.1.x before 7.5.1.2, update to version 7.5.1.2 or later. For Tivoli IT Asset Management for IT, Tivoli Service Request Manager, Maximo Service Desk, and Change and Configuration Management Database (CCMDB) versions 7.x before 7.1.1.7 LAFIX.20140319-0837, update to version 7.1.1.7 LAFIX.20140319-0837 or later. For Tivoli IT Asset Management for IT, Tivoli Service Request Manager, Maximo Service Desk, and Change and Configuration Management Database (CCMDB) versions 7.1.1.11 before IFIX.20140207-1801, update to version 7.1.1.11 IFIX.20140207-1801 or later. For Tivoli IT Asset Management for IT, Tivoli Service Request Manager, Maximo Service Desk, and Change and Configuration Management Database (CCMDB) versions 7.1.1.12 before IFIX.20140218-1510, update to version 7.1.1.12 IFIX.20140218-1510 or later.

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

CVE-2013-4016

Affected Products

Change/Configuration Management Database

Ibm Maximo Asset Management

Maximo Service Desk

Smartcloud Control Desk

Tivoli Asset Management For It

Tivoli Service Request Manager

PT-2014-2731 · Ibm · Maximo Service Desk+5

CVE-2013-4016

Weakness Enumeration

Related Identifiers

Affected Products

References · 4