CVE-2018-1821

HIGH

IBM Operational Decision Manager 8.6.0.0-8.6.0.2 - XML External Entity Injection

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-1821. PoCs published by Mohamed M.Fouad.

AI-analyzed exploit summary The exploit demonstrates XML External Entity (XXE) injection in IBM BPM, allowing port scanning and external DTD file inclusion. It includes two functional PoCs with crafted HTTP requests containing malicious XML payloads.

Description

IBM Operational Decision Management 8.5, 8.6, 8.7, 8.8, and 8.9 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 150170.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Mohamed M.Fouad · textwebappsmultiple
https://www.exploit-db.com/exploits/46017

The exploit demonstrates XML External Entity (XXE) injection in IBM BPM, allowing port scanning and external DTD file inclusion. It includes two functional PoCs with crafted HTTP requests containing malicious XML payloads.

Classification
Working Poc 95%
Attack Type
Xxe
Complexity
Moderate
Reliability
Reliable
Target: IBM Business Process Manager (BPM) v8.6 - v8.9
Auth required
Prerequisites: Access to IBM BPM REST API · Valid authentication credentials (JSESSIONID, LtpaToken2)
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (4)

Core 4
Core References
Vendor Advisory x_refsource_confirm
https://www.ibm.com/support/docview.wss?uid=ibm10744149
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/106325
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/46017/
VDB Entry, Vendor Advisory vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/150170

Scores

CVSS v3 7.1
EPSS 0.1580
EPSS Percentile 96.5%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L

Details

CWE
CWE-611
Status published
Products (1)
ibm/operational_decision_manager 8.6.0.0 - 8.6.0.3
Published Dec 13, 2018
Tracked Since Feb 18, 2026