IBM Maximo URLs Leak Sensitive Data (v8.10-8.11, 7.6.1.3)
CVE-2023-32335 Published on March 13, 2024
IBM Maximo Application Suite information disclosure
IBM Maximo Application Suite 8.10, 8.11 and IBM Maximo Asset Management 7.6.1.3 stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. IBM X-Force ID: 255075.
Vulnerability Analysis
CVE-2023-32335 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a small impact on integrity and availability.
Weakness Type
Use of GET Request Method With Sensitive Query Strings
The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that requests. The query string can be saved in the browser's history, passed through Referers to other web sites, stored in web logs, or otherwise recorded in other sources. If the query string contains sensitive information such as session identifiers, then attackers can use this information to launch further attacks.
Products Associated with CVE-2023-32335
stack.watch emails you whenever new vulnerabilities are published in IBM Maximo Asset Management or IBM Maximo Application Suite. Just hit a watch button to start following.
Affected Versions
IBM Maximo Application Suite:- Version 8.10, 8.11 is affected.
- Version 7.6.1.3 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.