Cross-Domain Resource Manipulation in IBM Cloud Orchestrator
CVE-2015-7494
2.8 LOW
Summary
A vulnerability in IBM Cloud Orchestrator allows an authenticated domain admin user to exploit the /services/[action]/launch API to manipulate cross-domain resources, provided they have access to the resource identifier from a different domain. This can lead to unauthorized access to, or alteration of, sensitive resources. Proper access controls and validation are essential to mitigate this vulnerability.
Affected Version(s)
Cloud Orchestrator 2.2
Cloud Orchestrator 2.2.0.1
Cloud Orchestrator 2.3
CVSS V3.1
Score: 2.8
Severity: LOW
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved