IBM Maximo Suite Vulnerable to XML External Entity Injection Attack
CVE-2024-27266

8.2HIGH

Key Information:

Vendor: IBM
Status: Maximo Asset Management
Vendor: CVE Published:; 14 March 2024

What is CVE-2024-27266?

The vulnerability impacts IBM Maximo Application Suite version 7.6.1.3, allowing an XML External Entity Injection (XXE) attack when processing XML data. This security flaw could enable remote attackers to exploit the application, potentially exposing sensitive information and causing excessive memory consumption. Such vulnerabilities can lead to significant security risks if not addressed promptly, making it crucial for users and administrators to implement necessary security measures and apply updates as soon as they are available. For detailed guidance on mitigating this issue, users can refer to IBM's security advisory.

Affected Version(s)

Maximo Asset Management 7.6.1.3

References

https://www.ibm.com/support/pages/node/7141270

vendor-advisory

https://exchange.xforce.ibmcloud.com/vulnerabilities/284566

vdb-entry

CVSS V3.1

Score:

8.2

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 14, 2024
Vulnerability Reserved
Feb 22, 2024