CVE-2023-38739
Published: 31 January 2025
Description
IBM Sterling B2B Integrator 6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.3 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.
Security Summary
CVE-2023-38739 is a cross-site request forgery (CSRF) vulnerability, mapped to CWE-352, in IBM Sterling B2B Integrator versions 6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.3. Published on 2025-01-31, it carries a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N), indicating medium severity with network accessibility, low attack complexity, no required privileges, user interaction needed, and low integrity impact.
The attacker needs no account on the target. They craft a webpage or link that, when opened by a user who holds an authenticated session on a vulnerable IBM Sterling B2B Integrator instance, makes the victim's browser send a state-changing request to that instance. Because the browser attaches the session cookie automatically, the application processes the request as though the user had initiated it, so the attacker can perform actions on the user's behalf, such as modifying application state. The underlying weakness is the lack of an effective anti-CSRF check on those requests, for example a per-session token that a cross-site page cannot read. The CVSS vector reflects this: UI:R because the victim must visit the attacker's page, and C:N/A:N because IBM scores the impact as limited to integrity.
IBM's security advisory at https://www.ibm.com/support/pages/node/7182004 describes the vulnerability and names the fixes and mitigations for the affected version ranges. Administrators of affected releases should review it and apply the update it specifies for their release train. As a general defense, every state-changing endpoint should require a per-session anti-CSRF token, and session cookies should carry a SameSite attribute of Lax or Strict where the application tolerates it.
Details
- CWE(s)