CVE-2020-4764
Description
IBM Planning Analytics 2.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 188898.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
IBM Planning Analytics 2.0 is vulnerable to cross-site request forgery (CSRF), allowing an attacker to perform unauthorized actions on behalf of an authenticated user.
Vulnerability
IBM Planning Analytics 2.0 through version 2.0.9.3 is vulnerable to cross-site request forgery (CSRF). The issue resides in the web interface of the application, which does not properly validate or enforce anti-CSRF tokens on state-changing requests. An attacker can craft a malicious web page that, when visited by an authenticated Planning Analytics user, triggers unintended actions on the application server. The affected versions are all releases prior to 2.0.9.4 [1].
Exploitation
An attacker needs to trick an authenticated user of IBM Planning Analytics into clicking a link or visiting a malicious web page while the user has an active session in the application. No special network position or authentication on the attacker's part is required—the attacker leverages the existing session of the victim user. The attack typically involves crafting a form submission or a cross-origin request that targets a sensitive endpoint within Planning Analytics [1].
Impact
Successful exploitation allows the attacker to execute malicious and unauthorized actions—such as changing user settings, modifying reports, or performing administrative operations—with the privileges of the victim user. The CVSS vector indicates a low impact on integrity (I:L) and no impact on confidentiality or availability (C:N/A:N). The overall CVSS base score is 4.3 (Medium) [1].
Mitigation
IBM has addressed this vulnerability in Planning Analytics version 2.0.9.4, released on 17 December 2020. Users should upgrade to this fixed version immediately. According to IBM, no workarounds or mitigations are available for versions prior to the fix [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =2.0
- Range: 2.0
Patches
No patches discovered yet.
References
- exchange.xforce.ibmcloud.com/vulnerabilities/188898 (mitre, vdb-entry, x_refsource_XF)
- www.ibm.com/support/pages/node/6386492 (mitre, x_refsource_CONFIRM)