CVE-2018-1443
MEDIUMIBM Security Access Manager 9.0.0-9.0.4 & Tivoli Federated Identity Manager 6.0.2-6.2 - SAML User Impersonation
Title source: llmDescription
An XML parsing vulnerability affects IBM SAML-based single sign-on (SSO) systems (IBM Security Access Manager 9.0.0 - 9.0.4 and IBM Tivoli Federated Identity Manager 6.2 - 6.0.2.) This vulnerability can allow an attacker with authenticated access to trick SAML systems into authenticating as a different user without knowledge of the victim users password. IBM X-Force ID: 139754.
References (6)
Core 6
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id/1040454
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id/1040455
VDB Entry, Vendor Advisory vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/139754
Vendor Advisory x_refsource_confirm
http://www.ibm.com/support/docview.wss?uid=swg22014160
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/103365
Vendor Advisory x_refsource_confirm
http://www.ibm.com/support/docview.wss?uid=swg22014161
Scores
CVSS v3
5.9
EPSS
0.0041
EPSS Percentile
33.1%
Attack Vector
LOCAL
CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Details
CWE
CWE-287
Status
published
Products (4)
ibm/security_access_manager
9.0.0 - 9.0.4
ibm/tivoli_federated_identity_manager
6.2.0
ibm/tivoli_federated_identity_manager
6.2.1
ibm/tivoli_federated_identity_manager
6.2.2
Published
Mar 08, 2018
Tracked Since
Feb 18, 2026