CVE-2017-1758
Description
IBM Financial Transaction Manager for ACH Services for Multi-Platform (IBM Control Center 6.0 and 6.1, IBM Financial Transaction Manager 3.0.2, 3.0.3, 3.0.4, and 3.1.0, IBM Transformation Extender Advanced 9.0) is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 135859.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
IBM Financial Transaction Manager, Control Center, and Transformation Extender Advanced are vulnerable to XXE injection, allowing information disclosure or denial of service.
Vulnerability
The XML External Entity Injection (XXE) vulnerability exists in multiple IBM products when processing XML data. Affected versions: IBM Financial Transaction Manager (FTM) for ACH Services 3.0.2, 3.0.3, 3.0.4, 3.1.0; FTM for Corporate Payment Services 3.0.2; IBM Control Center 6.0.0.0-6.0.0.2, 6.1.0.0-6.1.0.2 iFix01, 6.1.1.0; and IBM Transformation Extender Advanced 9.0 [1][2][3]. The vulnerability resides in the XML parser used by web services, which processes user-supplied XML without disabling external entity resolution.
Exploitation
An authenticated attacker with low privileges can send a crafted XML request to an affected web service. By including an external entity reference, the XML parser retrieves the specified resource, which can be a local file or an external server, leading to information disclosure or excessive resource consumption [1][2][3]. No user interaction is required beyond the attacker's own authentication.
Impact
Successful exploitation allows an attacker to read arbitrary files on the server (high confidentiality impact) and potentially cause denial of service through memory exhaustion (low availability impact). Integrity is not affected. The CVSS v3.0 base score is 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L) [1][2][3].
Mitigation
IBM has released fixes: For IBM Transformation Extender Advanced 9.0, upgrade to version 9.0.0.8 [2]. For IBM Control Center, fixes are available in later releases (e.g., 6.0.0.3, 6.1.0.3, 6.1.1.1) [3]. For FTM products, refer to IBM support for the latest fixes. No workarounds are provided [1][2][3].
- [1] Security Bulletin: Financial Transaction Manager for ACH Services and Corporate Payment Services has a potential XML External Entity vulnerability (CVE-2017-1758)
- [2] Security Bulletin: IBM Transformation Extender Advanced is Potentially Vulnerable to an XML External Entity (XXE) Injection in its REST API.
- [3] Security Bulletin: 10x Vulnerability in IBM Control Center Could Allow Potential XML External Entity (XXE) Injection
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 6.0
- Range: 3.0.2
- Range: 9.0
Patches
No patches discovered yet.
References
- www.ibm.com/support/docview.wss (mitre, x_refsource_CONFIRM)
- www.ibm.com/support/docview.wss (mitre, x_refsource_CONFIRM)
- www.ibm.com/support/docview.wss (mitre, x_refsource_CONFIRM)
- www.securityfocus.com/bid/103130 (mitre, vdb-entry, x_refsource_BID)
- exchange.xforce.ibmcloud.com/vulnerabilities/135859 (mitre, x_refsource_MISC)