IBM Security Verify Access Flaw Lets Attackers Launch Phishing Attacks

IBM has disclosed an open-redirect vulnerability in IBM Security Verify Access that could allow threat actors to abuse a legitimate-looking IBM Security Verify Access URL to lure victims to a malicious website and steal sensitive information.

IBM Security Verify Access offers a comprehensive solution for managing network security policies and authorization. It ensures complete protection of resources across intranets and extranets, even when they are geographically dispersed.

With IBM Security Verify Access, you gain access to a range of features, including authentication, authorization, data security, and centralized resource management.

The vulnerability stems from the default configuration of the Advanced Access Control (AAC) module. IBM notes that a fix is already available, and users should apply it to prevent the flaw from being exploited.

CVE-2023-30433: IBM Security Verify Access HTTP open redirect

The vulnerability affects IBM Security Verify Access 10.0 versions; an attacker can exploit it to conduct phishing attacks using a specially crafted URL.

Successful exploitation can let an attacker obtain highly sensitive information from victims. The CVSS score for this vulnerability is 5.4 (Medium).

Affected Products

Affected Product(s)                    Version(s)
IBM Security Verify Access Appliance   10.0.X
IBM Security Verify Access Docker      10.0.X

Remediation

To fix this vulnerability, the sps.targetURLWhitelist property in the affected IBM Security Verify Access products must be set to a comma-separated list of allowed (whitelisted) target URLs. Redirects to any target not on that list are then blocked.
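The fix above is an allowlist: a redirect is only followed when its target is one the deployment has explicitly approved. The following Python is an added illustration of that idea, written for this article and not taken from IBM's product; the function names, the sample allowlist (portal.example.com, sso.example.com) and the test URLs are all constructed, and the check matches on hostname rather than on whatever pattern syntax the IBM property accepts. It shows the weak pattern (the requested target is used as-is) next to a hardened check that also handles the common bypass shapes an open-redirect filter has to reject: protocol-relative "//host" targets, backslash variants, credentials-before-@ tricks and non-http schemes.

```python
"""Allowlist check for redirect targets, modelled on the idea behind the
sps.targetURLWhitelist setting. Illustrative code written for this article;
it is not IBM's implementation. Helper names, allowlist and URLs are
constructed examples."""
from urllib.parse import urlsplit

# Constructed allowlist: hosts the application is willing to redirect to.
ALLOWED_HOSTS = {"portal.example.com", "sso.example.com"}


def redirect_target_unchecked(requested: str) -> str:
    """The weak pattern behind an open redirect: whatever the request
    supplied is used as the redirect target, so any attacker-controlled
    value is accepted."""
    return requested


def is_allowed_redirect(requested: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if `requested` is a same-site absolute path or an
    http(s) URL whose hostname is on the allowlist."""
    if not requested:
        return False
    # Browsers treat backslashes like slashes, so normalise before parsing;
    # otherwise "/\evil.example" would look like a harmless relative path.
    candidate = requested.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme == "" and parts.netloc == "":
        # Relative target: require a single leading "/" ("//host" is a
        # protocol-relative URL that leaves the site).
        return candidate.startswith("/") and not candidate.startswith("//")
    if parts.scheme not in ("http", "https"):
        return False  # javascript:, data:, and other non-web schemes
    host = parts.hostname  # lower-cased; userinfo and port already stripped
    if host is None or parts.username is not None:
        # Reject "https://portal.example.com@evil.example/" style targets,
        # where the allowed name is only the userinfo, not the host.
        return False
    return host in allowed_hosts


def safe_redirect_target(requested: str, default: str = "/",
                         allowed_hosts=ALLOWED_HOSTS) -> str:
    """Hardened pattern: fall back to a fixed local path for anything that
    fails the allowlist check instead of redirecting to it."""
    return requested if is_allowed_redirect(requested, allowed_hosts) else default


if __name__ == "__main__":
    # Constructed sample targets, as an attacker-supplied "redirect to" value
    # would arrive in a request parameter.
    for target in ["/dashboard", "https://sso.example.com/login",
                   "//evil.example/", "https://portal.example.com@evil.example/",
                   "javascript:alert(1)"]:
        print(f"{target!r:55} -> {safe_redirect_target(target)}")
```

Note that the port is deliberately not part of the comparison here; a deployment that must pin ports as well should compare `parts.netloc` against fully qualified entries instead of `parts.hostname`.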

Users of these products are advised to apply the fix to patch this vulnerability.

Source: https://cybersecuritynews.com/ibm-security-verify-access-flaw/


Copyright © 2023 Cyber Reports Cyber Security News. All Rights Reserved.