PT-2022-15388 · Ibm · Ibm Sterling Partner Engagement Manager Cloud/Sass+1
Published
2022-07-19
·
Updated
2022-07-27
·
CVE-2022-22358
CVSS v3.1
7.1
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L |
Name of the Vulnerable Software and Affected Versions
IBM Sterling Partner Engagement Manager versions 6.1.2 through 6.2
IBM Sterling Partner Engagement Manager Cloud/SasS version 22.2
Description
The issue allows a remote attacker to exploit an XML External Entity Injection (XXE) attack when processing XML data, potentially exposing sensitive information or consuming memory resources.
Recommendations
For IBM Sterling Partner Engagement Manager versions 6.1.2 through 6.2, consider disabling XML processing until a patch is available.
For IBM Sterling Partner Engagement Manager Cloud/SasS version 22.2, restrict access to XML data processing to minimize the risk of exploitation.
As a temporary workaround, consider avoiding the use of
XML data in the affected system until the issue is resolved.Fix
XXE
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Ibm Sterling Partner Engagement Manager
Ibm Sterling Partner Engagement Manager Cloud/Sass