Unrated severity · NVD Advisory · Published May 10, 2019 · Updated Sep 16, 2024

CVE-2018-1790

Description

IBM Financial Transaction Manager for Digital Payments for Multi-Platform 3.0.2 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 148944.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IBM Financial Transaction Manager for Digital Payments for Multi-Platform is vulnerable to cross-site request forgery, allowing unauthorized actions via a trusted user.

Vulnerability

IBM Financial Transaction Manager for Corporate Payment Services (FTM CPS) for Multi-Platform versions 3.0.2.0 through 3.0.2.1 and 3.2.1.0 are vulnerable to cross-site request forgery (CSRF). This vulnerability allows an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts [1].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious request and tricking an authenticated user into clicking a link or visiting a specially crafted web page. No authentication is required for the attacker, but user interaction is necessary [1].

Impact

Successful exploitation enables the attacker to perform unauthorized actions on behalf of the victim user, such as modifying settings or initiating transactions. The CVSS v3.0 base score is 4.3, with a vector of (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N), indicating low integrity impact and no confidentiality or availability impact [1].

Mitigation

No workarounds or mitigations are provided in the available reference. The vendor has not disclosed a fixed version in the bulletin; however, the bulletin was updated on 09 August 2019 to include version 3.2.1.0 as affected, suggesting that a fix may be available in a later release. Users should monitor for security updates from IBM [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

2
