CVE-2024-28787 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	8.7 HIGH	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:H
ibm	CNA	8.7 HIGH	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:H
CISA-ADP	ADP	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 29%

Vendor	Product	Version
ibm	application_gateway	20.01 ≤ 𝑥 ≤ 24.03
ibm	security_verify_access	10.0.0 ≤ 𝑥 ≤ 10.0.7

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-650 - Trusting HTTP Permission Methods on the Server Side
The server contains a protection mechanism that assumes that any URI that is accessed using HTTP GET will not cause a state change to the associated resource. This might allow attackers to bypass intended access restrictions and conduct resource modification and deletion attacks, since some applications allow GET to modify state.

References

https://exchange.xforce.ibmcloud.com/vulnerabilities/286584

https://www.ibm.com/support/pages/node/7145828

https://exchange.xforce.ibmcloud.com/vulnerabilities/286584

https://www.ibm.com/support/pages/node/7145828