CVE-2020-4648

Vulnerability

CVE-2020-4648 describes a vulnerability in IBM Planning Analytics 2.0, specifically in the Planning Analytics Workspace component, where avatars can be modified by users without proper authorization [1]. The affected version is IBM Planning Analytics Local v2.0 before Planning Analytics Workspace Release 55 [1].

Exploitation

An authenticated attacker with access to the workspace can modify the avatars of other users without needing any special privileges beyond standard user access [1]. The attack vector is network-based, requires low complexity, and no user interaction is needed beyond the attacker's own actions [1].

Impact

Successful exploitation allows the attacker to change the avatar images of other users, impacting the integrity of user profile data [1]. This could be used for impersonation or to cause confusion among users, but does not directly lead to information disclosure or system compromise. The CVSS score is 6.5 (medium), with the impact being high for integrity and none for confidentiality or availability [1].

Mitigation

IBM has released a fix as part of IBM Planning Analytics Local v2.0 - Planning Analytics Workspace Release 55 [1]. Organizations should upgrade to this version or later. No workaround is mentioned in the available references. This CVE is not listed in the KEV catalog.