CVE-2018-1871
Description
IBM Financial Transaction Manager for Digital Payments for Multi-Platform 3.0.0, 3.0.2, and 3.0.5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 151329.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
IBM Financial Transaction Manager for Digital Payments is vulnerable to stored cross-site scripting, allowing attackers to inject arbitrary JavaScript into the Web UI and potentially steal credentials.
Vulnerability
IBM Financial Transaction Manager for Digital Payments for Multi-Platform versions 3.0.0.0 through 3.0.0.15, 3.0.2.0 through 3.0.2.1, and 3.0.5.0 through 3.0.5.1 contain a stored cross-site scripting (XSS) vulnerability. The flaw exists in the Web UI, where user-supplied input is not properly sanitized before being stored and later rendered in the context of an authenticated session [1]. This allows users with low-privileged access to embed arbitrary JavaScript code into pages viewed by other users.
Exploitation
An attacker with a low-privileged account on the affected system can inject malicious script code through input fields in the Web UI. The injected script is stored on the server and executed automatically when a higher-privileged user (or any user) views the affected page. No special network position or additional user interaction beyond normal page viewing is required, though the attacker must have a valid authenticated session to perform the injection [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can alter intended UI functionality and lead to disclosure of sensitive credentials within the trusted session, potentially enabling account takeover or unauthorized transactions [1]. The CVSS v3.0 base score is 5.4 (medium), with the scope changed and partial loss of confidentiality and integrity [1].
Mitigation
IBM has released fixes as detailed in security bulletin 10743123 [1]. Affected installations should upgrade to the latest patched versions for FTM CHK v3.0.0, v3.0.2, and v3.0.5. No workarounds are provided in the advisory. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 3.0.0, 3.0.2, 3.0.5
- Range: 3.0.2
Patches
No patches discovered yet.
References
- www.ibm.com/support/docview.wss (mitre; x_refsource_CONFIRM)
- www.securityfocus.com/bid/106149 (mitre; vdb-entry; x_refsource_BID)
- exchange.xforce.ibmcloud.com/vulnerabilities/151329 (mitre; vdb-entry; x_refsource_XF)