IBM OpenPages 8.3/9.0 Auth Bypass via Non-Public APIs
CVE-2023-40683 Published on January 19, 2024

IBM OpenPages with Watson privilege escalation
IBM OpenPages with Watson 8.3 and 9.0 could allow remote attacker to bypass security restrictions, caused by insufficient authorization checks. By authenticating as an OpenPages user and using non-public APIs, an attacker could exploit this vulnerability to bypass security and gain unauthorized administrative access to the application. IBM X-Force ID: 264005.

Vendor Advisory NVD

Vulnerability Analysis

CVE-2023-40683 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
LOW
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
HIGH

Weakness Type

What is an AuthZ Vulnerability?

The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

CVE-2023-40683 has been classified to as an AuthZ vulnerability or weakness.


Products Associated with CVE-2023-40683

Want to know whenever a new CVE is published for IBM Openpages With Watson? stack.watch will email you.

IBM Openpages With Watson
 

Affected Versions

IBM OpenPages with Watson Version 8.3, 9.0 is affected by CVE-2023-40683

Exploit Probability

EPSS
0.02%
Percentile
6.22%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.