IBM Curam Social Program Management (SPM) 5.2 before SP6 EP6, 6.0 SP2 before EP26, 6.0.4 before 6.0.4.6, and 6.0.5 before 6.0.5.6 requires failed-login handling for web-service accounts to have the same lockout policy as for standard user accounts, which makes it easier for remote attackers to cause a denial of service (web-service outage) by making many login attempts with a valid caseworker account name.
2015-04-27T11:59:02.433
2025-04-12T10:46:40.837
Deferred
CVSSv2: 5.0 (MEDIUM)
AV:N/AC:L/Au:N/C:N/I:N/A:P
10.0
2.9
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | ibm | curam_social_program_management | ≤ 5.2 | Yes |
| Application | ibm | curam_social_program_management | 6.0.4.0 | Yes |
| Application | ibm | curam_social_program_management | 6.0.4.1 | Yes |
| Application | ibm | curam_social_program_management | 6.0.4.2 | Yes |
| Application | ibm | curam_social_program_management | 6.0.4.3 | Yes |
| Application | ibm | curam_social_program_management | 6.0.4.4 | Yes |
| Application | ibm | curam_social_program_management | 6.0.4.5 | Yes |
| Application | ibm | curam_social_program_management | 6.0.5.0 | Yes |
| Application | ibm | curam_social_program_management | 6.0.5.1 | Yes |
| Application | ibm | curam_social_program_management | 6.0.5.2 | Yes |
| Application | ibm | curam_social_program_management | 6.0.5.3 | Yes |
| Application | ibm | curam_social_program_management | 6.0.5.4 | Yes |
| Application | ibm | curam_social_program_management | 6.0.5.5 | Yes |