IBM Tivoli Storage Productivity Center Cross Site Request Forgery Vulnerability

Summary

IBM Tivoli Storage Productivity Center (IBM Spectrum Control Standard Edition 5.2.1 through 5.2.17) allows a session to remain usable after the user has logged out. Using the browser back button, a user can continue to act as the previously logged-in user for a short period of time and is presented with Spectrum Control application data that should require authentication. IBM X-Force ID: 157064.

Credit:

The information has been provided by IBM.
The original article can be found at: http://www.ibm.com/support/docview.wss?uid=ibm10873036


Details

IBM Tivoli Storage Productivity Center is prone to a cross-site request forgery (CSRF) vulnerability. This allows a remote attacker to force an authenticated user to execute unwanted actions on a web application in which they are currently logged in. The behaviour described in the summary above is that logging out does not fully end the session: a browser that still holds the session can, via the back button, continue to act as that user for a short period, so a logged-out session is not a reliable safeguard against such forged requests.

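The defect the advisory describes (a session that stays valid after logout, and authenticated pages that the browser can re-show from its back/forward cache) is easy to test for and easy to get wrong. The following is an added, self-contained example written for this page; it is not IBM code and does not model Spectrum Control's real endpoints. It builds a tiny WSGI application in two variants, a weak one whose logout only clears the cookie on the client, and a hardened one that also destroys the server-side session and marks authenticated responses `Cache-Control: no-store`, then runs the check a tester would run: log in, log out, and replay the old session cookie exactly as a back-button navigation would. All endpoint names (`/login`, `/logout`, `/dashboard`), the user name and the in-memory session store are constructed for the example.

```python
"""Weak vs hardened logout handling, with an in-process check that replays
the pre-logout session cookie. Constructed example; not IBM code."""
import secrets
from http.cookies import SimpleCookie


class App:
    """Minimal WSGI app. hardened=False models logout that only expires the
    cookie client-side; hardened=True also invalidates server-side and
    forbids caching of authenticated responses."""

    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.sessions = {}  # session id -> username (constructed in-memory store)

    def _sid(self, environ):
        cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
        return cookie["sid"].value if "sid" in cookie else None

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "/")
        method = environ.get("REQUEST_METHOD", "GET")
        sid = self._sid(environ)
        headers = [("Content-Type", "text/plain")]
        if self.hardened:
            # Authenticated pages must never be served from the browser's
            # back/forward cache after logout.
            headers += [("Cache-Control", "no-store"), ("Pragma", "no-cache")]

        if path == "/login" and method == "POST":
            sid = secrets.token_urlsafe(32)
            self.sessions[sid] = "alice"  # constructed user
            headers.append(("Set-Cookie",
                            f"sid={sid}; HttpOnly; Secure; SameSite=Strict; Path=/"))
            start_response("200 OK", headers)
            return [b"logged in"]

        if path == "/logout" and method == "POST":
            if self.hardened:
                # The real fix: the server forgets the session, so replaying
                # the old cookie (back button, cached tab, stolen value) fails.
                self.sessions.pop(sid, None)
            # The weak variant stops here: only the client's copy is expired.
            headers.append(("Set-Cookie", "sid=; Max-Age=0; Path=/"))
            start_response("200 OK", headers)
            return [b"logged out"]

        if path == "/dashboard":
            user = self.sessions.get(sid)
            if user is None:
                start_response("401 Unauthorized", headers)
                return [b"not authenticated"]
            start_response("200 OK", headers)
            return [f"welcome {user}".encode()]

        start_response("404 Not Found", headers)
        return [b"no such page"]


def call(app, method, path, cookie=None):
    """Drive the WSGI callable in-process (no network). Returns
    (status line, list of response headers, body bytes)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path}
    if cookie:
        environ["HTTP_COOKIE"] = cookie
    out = {}

    def start_response(status, headers):
        out["status"], out["headers"] = status, headers

    body = b"".join(app(environ, start_response))
    return out["status"], out["headers"], body


def logout_check(app):
    """Log in, log out, then replay the OLD session cookie as a back-button
    navigation would. Returns the two findings a tester records."""
    _, login_headers, _ = call(app, "POST", "/login")
    sid = SimpleCookie(dict(login_headers)["Set-Cookie"])["sid"].value
    old_cookie = f"sid={sid}"
    assert call(app, "GET", "/dashboard", old_cookie)[0].startswith("200")
    call(app, "POST", "/logout", old_cookie)
    status_after, page_headers, _ = call(app, "GET", "/dashboard", old_cookie)
    cache = dict(page_headers).get("Cache-Control", "")
    return {
        "session_reusable_after_logout": status_after.startswith("200"),
        "no_store_on_authenticated_pages": "no-store" in cache,
    }


if __name__ == "__main__":
    print("weak:    ", logout_check(App(hardened=False)))
    print("hardened:", logout_check(App(hardened=True)))
```

Against a real deployment the same procedure applies with an HTTP client instead of the in-process `call` helper: capture the session cookie at login, trigger logout, replay the captured cookie against an authenticated page, and inspect the `Cache-Control` header of authenticated responses. A 200 on the replay, or a missing `no-store`, is the condition the advisory describes.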
Vulnerable Systems:

  • IBM Tivoli Storage Productivity Center 5.2.0
  • IBM Spectrum Control 5.2.8
  • IBM Spectrum Control 5.3.0
  • IBM Spectrum Control 5.3.1

CVE Information:
CVE-2019-4072

Disclosure Timeline:
Publish Date: 05/09/2019