6.3

CVE-2020-4555

IBM Financial Transaction Manager 3.0.6 and 3.1.0 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 183328.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)
IbmFinancial Transaction Manager Version2.1.1.0 SwPlatformcps_services
IbmFinancial Transaction Manager Version3.0.0 SwPlatformcheck_services
IbmFinancial Transaction Manager Version3.0.2 SwPlatformcheck_services
IbmFinancial Transaction Manager Version3.0.2 SwPlatformcps_services
IbmFinancial Transaction Manager Version3.0.5 SwPlatformcheck_services
IbmFinancial Transaction Manager Version3.0.6 SwPlatformach_services
IbmFinancial Transaction Manager Version3.1.0 SwPlatformach_services
IbmFinancial Transaction Manager Version3.2.1 SwPlatformcps_services
IbmFinancial Transaction Manager Version3.2.2 SwPlatformdigital_payments
IbmFinancial Transaction Manager Version3.2.3 SwPlatformdigital_payments
IbmFinancial Transaction Manager Version3.2.4 SwPlatformcps_services
IbmFinancial Transaction Manager Version3.2.4 SwPlatformdigital_payments
IbmFinancial Transaction Manager Version3.2.4 SwPlatformhigh_value
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.26% 0.464
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.4 2.8 2.5
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
nvd@nist.gov 5.5 8 4.9
AV:N/AC:L/Au:S/C:P/I:P/A:N
psirt@us.ibm.com 6.3 2.8 3.4
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CWE-384 Session Fixation

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.