Unrated severity · NVD Advisory · Published Feb 5, 2020 · Updated Sep 16, 2024

CVE-2019-4613

Description

IBM Planning Analytics 2.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 168524.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IBM Planning Analytics 2.0 is vulnerable to cross-site request forgery in Planning Analytics Workspace, allowing unauthorized actions to be performed through an authenticated user's session.

Vulnerability

IBM Planning Analytics 2.0 is vulnerable to cross-site request forgery (XSRF) in the Planning Analytics Workspace component. An attacker can trick an authenticated user into submitting malicious requests, which the website accepts because they are transmitted from a user it trusts. The affected version is IBM Planning Analytics 2.0 [1].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious link or script that, when clicked by an authenticated user, sends unauthorized requests to the Planning Analytics Workspace server. The attacker does not require authentication but relies on the victim's active session. No special network position is needed beyond the ability to deliver the malicious payload to the user [1].

Impact

Successful exploitation allows an attacker to perform unauthorized actions on behalf of the authenticated user, such as modifying settings or executing operations with the user's privileges. The CVSS vector indicates a low integrity impact with no confidentiality or availability impact (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) [1].

Mitigation

The vulnerability is fixed in IBM Planning Analytics Local v2.0 - Planning Analytics Workspace Release 48. Users should upgrade to this version. No workarounds are provided [1]. The CVE is not listed in the Known Exploited Vulnerabilities Catalog (KEV).

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2


References: 2
