{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-04-21T00:00:00", "descriptions": [{"lang": "en", "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in the (1) DataMappingEditorCommands, (2) DatastoreEditorCommands, and (3) IEGEditorCommands servlets in IBM Curam Social Program Management (SPM) 5.2 SP6 before EP6, 6.0 SP2 before EP26, 6.0.3 before 6.0.3.0 iFix8, 6.0.4 before 6.0.4.5 iFix10, and 6.0.5 before 6.0.5.6 allow remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2015-04-27T01:57:00", "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21697726"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@us.ibm.com", "ID": "CVE-2014-6090", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in the (1) DataMappingEditorCommands, (2) DatastoreEditorCommands, and (3) IEGEditorCommands servlets in IBM Curam Social Program Management (SPM) 5.2 SP6 before EP6, 6.0 SP2 before EP26, 6.0.3 before 6.0.3.0 iFix8, 6.0.4 before 6.0.4.5 iFix10, and 6.0.5 before 6.0.5.6 allow remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://www-01.ibm.com/support/docview.wss?uid=swg21697726", "refsource": "CONFIRM", "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21697726"}]}}}}, "cveMetadata": {"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "assignerShortName": "ibm", "cveId": "CVE-2014-6090", "datePublished": "2015-04-27T01:00:00", "dateReserved": "2014-09-02T00:00:00", "dateUpdated": "2015-04-27T01:57:00", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ibm:curam_social_program_management:5.2:sp6:*:*:*:*:*:*", "matchCriteriaId": "E1BC058F-27F6-4C3E-ACC7-85FBB22055DF", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:curam_social_program_management:6.0:sp2:*:*:*:*:*:*", "matchCriteriaId": "5C54B484-6735-460B-B8CD-CEC0A95E9E8F", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:curam_social_program_management:6.0.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "8540059F-8E22-4684-B161-B3EC5996286E", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:curam_social_program_management:6.0.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "AEFDBB0F-A8C9-40DF-81CF-799D034D2EE0", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:curam_social_program_management:6.0.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "17929DC8-0E48-4BF4-AAFE-6463C8540FF9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in the (1) DataMappingEditorCommands, (2) DatastoreEditorCommands, and (3) IEGEditorCommands servlets in IBM Curam Social Program Management (SPM) 5.2 SP6 before EP6, 6.0 SP2 before EP26, 6.0.3 before 6.0.3.0 iFix8, 6.0.4 before 6.0.4.5 iFix10, and 6.0.5 before 6.0.5.6 allow remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de CSRF en los servlets (1) DataMappingEditorCommands, (2) DatastoreEditorCommands, y (3) IEGEditorCommands en IBM Curam Social Program Management (SPM) 5.2 SP6 anterior a EP6, 6.0 SP2 anterior a EP26, 6.0.3 anterior a 6.0.3.0 iFix8, 6.0.4 anterior a 6.0.4.5 iFix10, y 6.0.5 anterior a 6.0.5.6 permiten a atacantes remotos secuestrar la autenticaci\u00f3n de usuarios arbitrarios para solicitudes que insertan secuencias de XSS."}], "id": "CVE-2014-6090", "lastModified": "2015-04-27T17:00:12.463", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2015-04-27T11:59:00.807", "references": [{"source": "psirt@us.ibm.com", "tags": ["Patch", "Vendor Advisory"], "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21697726"}], "sourceIdentifier": "psirt@us.ibm.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}