3.1 CVE-2025-14811

Enriched by CISA
 

IBM Sterling Partner Engagement Manager 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 could allow an attacker to obtain sensitive information from the query string of an HTTP GET method to process a request which could be obtained using man in the middle techniques.
https://nvd.nist.gov/vuln/detail/CVE-2025-14811

Categories

CWE-598 : Use of GET Request Method With Sensitive Query Strings
The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request. Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) When sensitive information is sent, use the POST method (e.g. registration form). A discussion platform leaks private information in GET requests.

References


 

AFFECTED (from MITRE)

Vendor Product Versions
IBM Sterling Partner Engagement Manager
  • 6.2.3.0 ≤ 6.2.3.5 [affected]
  • 6.2.4.0 ≤ 6.2.4.2 [affected]
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

CPE

cpe start end

REMEDIATION


EXPLOITS

Exploit-db.com

id description date
No known exploits

POC Github

Url
No known exploits

Other Nist (github, ...)

Url
No known exploits

CAPEC

Common Attack Pattern Enumerations and Classifications

id description severity
No entry