CVE-2020-4271

MEDIUM

IBM Qradar Security Information And E... - Insecure Deserialization

Title source: rule

Description

IBM QRadar 7.3.0 to 7.3.3 Patch 2 could allow an authenticated user to send a specially crafted command which would be executed as a lower privileged user. IBM X-ForceID: 175897.

References (4)

[Exploit, Third Party Advisory, VDB Entry] http://packetstormsecurity.com/files/157336/QRadar-Community-Edition-7.3.1.6-PHP-Object-Injection.html

[Mailing List, Third Party Advisory] http://seclists.org/fulldisclosure/2020/Apr/39

[VDB Entry, Vendor Advisory] https://exchange.xforce.ibmcloud.com/vulnerabilities/175897

[Vendor Advisory] https://www.ibm.com/support/pages/node/6189651

Scores

CVSS v3 6.3

EPSS 0.0059

EPSS Percentile 68.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Classification

CWE

CWE-502

Status published

Affected Products (4)

ibm/qradar_security_information_and_event_manager < 7.3.3

ibm/qradar_security_information_and_event_manager

Timeline

Published Apr 15, 2020

Tracked Since Feb 18, 2026