SQL Injection Vulnerability in IBM Contract Management and IBM Emptoris Spend Analysis
CVE-2019-4481

7.6HIGH

Key Information:

Vendor: IBM
Status: Emptoris Spend Analysis; Contract Management
Vendor: CVE Published:; 20 August 2019

Summary

The vulnerability exists in IBM Contract Management and IBM Emptoris Spend Analysis versions 10.1.0 through 10.1.3 due to improper handling of user inputs. An attacker could exploit this flaw by sending specially crafted SQL statements, which may result in unauthorized access to the back-end database. This could allow the attacker to view, add, modify, or delete sensitive information, jeopardizing data integrity and confidentiality.

Affected Version(s)

Contract Management 10.1.0

Contract Management 10.1.3

Emptoris Spend Analysis 10.1.0

References

https://www.ibm.com/support/docview.wss?uid=ibm10880223

x_refsource_CONFIRM

https://exchange.xforce.ibmcloud.com/vulnerabilities/164064

vdb-entryx_refsource_XF

CVSS V3.1

Score:

7.6

Severity:

HIGH

Confidentiality:

Low

Integrity:

High

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 20, 2019
Vulnerability Reserved
Jan 3, 2019