CVE-2020-4640
MEDIUM
IBM API Connect Sensitive Information Exposure via URL Fragment Identifiers
Title source: llm
Description
Certain IBM API Connect 10.0.0.0 through 10.0.1.0 and 2018.4.1.0 through 2018.4.1.13 configurations can result in sensitive information appearing in URL fragment identifiers. This information can be cached in intermediate nodes such as proxy servers, CDNs, and logging platforms. An attacker can use this information to perform attacks by impersonating a user. IBM X-Force ID: 185510.
References (2)
Core References
Vendor Advisory x_refsource_confirm
https://www.ibm.com/support/pages/node/6410486
VDB Entry, Vendor Advisory vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/185510
Scores
CVSS v3: 4.1
EPSS: 0.0035
EPSS Percentile: 26.7%
Attack Vector: ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Details
CWE: CWE-200
Status: published
Products (3)
ibm/api_connect: 10.0.0.0
ibm/api_connect: 10.0.1.0
ibm/api_connect: 2018.4.1.0 - 2018.4.1.13
Published: Feb 04, 2021
Tracked Since: Feb 18, 2026