November 17, 2020
Severity
Medium
Analysis Summary
IBM Sterling File Gateway does not set the Secure attribute on authorization tokens or session cookies. An attacker may be able to obtain the cookie values by sending the user an http:// link or by planting such a link on a site the user visits. The browser sends the cookie with the request to the insecure link, and the attacker can then read the cookie value by snooping the traffic.
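The following check is an added example, not part of the original advisory or of any IBM code: it audits a response's Set-Cookie headers for a missing Secure attribute and models which cookies a browser would attach to an http:// versus an https:// request. The header values and cookie names are constructed sample data, and HSTS and cookie name prefixes are left out of the model.

```python
# Constructed sample response headers; cookie names and values are assumptions,
# not taken from the product.
SAMPLE_HEADERS = [
    ("Set-Cookie", "JSESSIONID=0000abcd; Path=/; HttpOnly"),
    ("Content-Type", "text/html; charset=UTF-8"),
    ("set-cookie", "authtoken=tok123; Path=/; SECURE; HttpOnly"),
    ("Set-Cookie", "pref=secure; Path=/"),  # value "secure" is not the attribute
]


def parse_set_cookie(value):
    """Return (cookie name, set of lower-cased attribute names)."""
    pair, *attrs = value.split(";")
    name = pair.split("=", 1)[0].strip()
    # Attribute names are case-insensitive; keep only the part before '='.
    names = {a.split("=", 1)[0].strip().lower() for a in attrs if a.strip()}
    return name, names


def iter_cookies(headers):
    """Yield (name, attributes) for every Set-Cookie header, any header case."""
    for header, value in headers:
        if header.lower() == "set-cookie":
            yield parse_set_cookie(value)


def cookies_missing_secure(headers):
    """Names of cookies set without the Secure attribute."""
    return [name for name, attrs in iter_cookies(headers) if "secure" not in attrs]


def sent_with_request(scheme, headers):
    """Cookies attached to a same-host request: Secure ones only over https."""
    return [
        name
        for name, attrs in iter_cookies(headers)
        if scheme == "https" or "secure" not in attrs
    ]


if __name__ == "__main__":
    for name in cookies_missing_secure(SAMPLE_HEADERS):
        print(f"FAIL {name}: no Secure attribute, also sent over http://")
    print("sent over http: ", sent_with_request("http", SAMPLE_HEADERS))
    print("sent over https:", sent_with_request("https", SAMPLE_HEADERS))
```

To audit a real deployment, feed the function the header pairs from a response you captured from your own instance after applying the vendor fix; every session or token cookie should drop out of the FAIL list.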
Impact
Information disclosure
Affected Vendors
IBM
Affected Products
- IBM Sterling File Gateway 2.2.0.0
- IBM Sterling File Gateway 6.0.3.2
- IBM Sterling File Gateway 2.2.6.5
- IBM Sterling File Gateway 6.0.0.0
Remediation
Refer to IBM Security Bulletin 6368025 for patch, upgrade or suggested workaround information.