IBM Financial Transaction Manager Dojo Toolkit and Java Vulnerabilities


Description   Multiple vulnerabilities have been reported in IBM Financial Transaction Manager for Check Services, Corporate Payment Services, and Base, which can be exploited by malicious people to conduct cross-site scripting attacks, disclose potentially sensitive information, manipulate certain data, and cause a DoS (Denial of Service).
For more information:
SA61609 (#22)
SA62215 (#13 and #16)
SA62590
SA64105 (#10)
The vulnerabilities are reported in IBM Financial Transaction Manager for Check Services version 2.1.1.8 and IBM Financial Transaction Manager for Corporate Payment Services version 2.1.1.0 running on AIX and Windows.
     
Vulnerable Products   Vulnerable Software:
IBM Financial Transaction Manager 2.x
IBM Financial Transaction Manager 3.x
     
Solution   Apply fix.
IBM Financial Transaction Manager for Check Services: Apply 2.1.1-FTM-CHECK-MP-fp0009 or later.
IBM Financial Transaction Manager for Corporate Payment Services: Apply 2.1.1-FTM-CPS-MP-fp0001 or later.
IBM Financial Transaction Manager Base 3.x: Apply 3.0.0-FTM-MP-fp0001.
     
CVE   CVE-2015-0410
CVE-2014-8917
CVE-2014-6593
CVE-2014-6457
     
References   IBM (PI32916, PI32922, PI35273, PI35499, PI41632, PI41633):
http://www.ibm.com/support/docview.wss?uid=swg21696013
http://www.ibm.com/support/docview.wss?uid=swg21695255
http://www.ibm.com/support/docview.wss?uid=swg21697500
http://www.ibm.com/support/docview.wss?uid=swg21903732
     
Vulnerability Manager Detection   No
     
IPS Protection   ASQ Engine alarm (Available Since)
XSS - Prevention - GET : suspicious 'iframe' tag found in URL (3.2.0)
XSS - Prevention - GET : suspicious 'meta' tag found in URL (3.2.0)
XSS - Prevention - GET : suspicious tag with event found in URL (3.2.0)
XSS - Prevention - GET : suspicious 'applet' tag found in URL (3.2.0)
XSS - Phishing : suspicious 'div' tag found in URL (3.2.0)
XSS - Prevention - GET : suspicious 'style' attribute found in URL (3.2.0)
XSS - Prevention - GET : suspicious 'img' tag found in URL (3.2.0)
XSS - Phishing : suspicious 'a' tag found in URL (3.2.0)
XSS - Prevention - GET : cookie access attempt using script language found in URL (3.2.0)
XSS - Prevention - GET : suspicious 'embed' tag found in URL (3.2.0)
XSS - Prevention - GET : suspicious 'object' tag found in URL (3.2.0)
XSS - Phishing : suspicious 'form' tag found in URL (3.2.0)
XSS - Prevention - GET : javascript code found in URL (3.2.0)
XSS - Prevention - GET : evasion attempt using tag characters encoding in URL (3.2.0)
XSS - Prevention - GET : suspicious 'style' tag found in URL (3.2.0)
XSS - Phishing : suspicious 'link' tag found in URL (3.2.0)
XSS - Prevention - GET : 'script' tag found in URL (3.2.0)
XSS - Prevention - GET : 'location' javascript object found in URL (3.2.0)
XSS - Prevention - GET : suspicious 'div' tag found in URL (3.2.0)

Risk level   Low

Vulnerability First Public Report Date   2015-02-10

Target Type   Server

Possible exploit   Remote