CVE-2024-40696

4.8 MEDIUM

📋 TL;DR

This CVE describes a cross-site scripting (XSS) vulnerability in IBM Sterling B2B Integrator that allows privileged users to inject malicious JavaScript into the web interface. The vulnerability could lead to credential theft or session hijacking when victims interact with the compromised interface. Only users with administrative or privileged access to the affected IBM Sterling B2B Integrator systems are impacted.

💻 Affected Systems

Products:
  • IBM Sterling B2B Integrator Standard Edition
Versions: 6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.3
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Requires privileged user access to exploit; affects web UI components.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Privileged attacker steals administrator credentials, gains full system control, and exfiltrates sensitive B2B transaction data.

🟠

Likely Case

Privileged insider or compromised admin account steals session cookies or credentials of other users, leading to unauthorized access.

🟢

If Mitigated

With proper input validation and output encoding, malicious scripts are neutralized before execution.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated privileged access; XSS payloads are well-documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply IBM fix packs as specified in advisory

Vendor Advisory: https://www.ibm.com/support/pages/node/7182011

Restart Required: Yes

Instructions:

1. Review IBM advisory.
2. Download appropriate fix pack from IBM Fix Central.
3. Apply fix pack following IBM installation guide.
4. Restart IBM Sterling B2B Integrator services.

🔧 Temporary Workarounds

Implement Content Security Policy (CSP)

Applies to: all

Add CSP headers to restrict script execution sources

Configure web server (e.g., Apache, IIS) to include: Content-Security-Policy: script-src 'self'

Input Validation and Sanitization

Applies to: all

Implement server-side validation and output encoding for user inputs

Implement input validation libraries (e.g., OWASP Java Encoder) in application code
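The two workarounds above, shown together as an added example that is not from IBM or the advisory: a page fragment rendered with and without output encoding, and the CSP header built in enforcing and Report-Only form. It uses Python's standard `html.escape` in place of the OWASP Java Encoder named above (same element-content encoding rule); the `/csp-report` endpoint is an assumption, as is the sample untrusted value, which is a generic constructed test string rather than anything from the advisory.

```python
import html
from typing import Dict

# Constructed sample of an untrusted value a privileged user could submit
# through the web UI. Illustrative only, not a payload from the advisory.
SAMPLE_UNTRUSTED = "<script>alert(1)</script>"


def render_unencoded(display_name: str) -> str:
    """'Before' form: the stored field is interpolated straight into HTML,
    so any markup in display_name becomes live markup in the page."""
    return f"<p>Welcome, {display_name}</p>"


def render_encoded(display_name: str) -> str:
    """'After' form: HTML-entity-encode the value for an element-content
    context so the browser shows it as text. html.escape covers & < > and,
    with quote=True (the default), also \" and ', which makes the same
    call safe inside a quoted attribute value. It is NOT sufficient for a
    JavaScript or URL context; those need their own encoders."""
    return f"<p>Welcome, {html.escape(display_name, quote=True)}</p>"


def csp_headers(report_only: bool = False) -> Dict[str, str]:
    """Defence-in-depth header from the CSP workaround. script-src 'self'
    refuses inline scripts and scripts from other origins, which is what
    neutralises an injected <script> element. Because it also blocks the
    application's own legitimate inline scripts, roll it out as
    Report-Only first and review the reports before enforcing.
    Assumption: a /csp-report collector endpoint exists."""
    name = ("Content-Security-Policy-Report-Only" if report_only
            else "Content-Security-Policy")
    return {name: "script-src 'self'; object-src 'none'; report-uri /csp-report"}


def safe_response(display_name: str, report_only: bool = False) -> Dict[str, object]:
    """Combine both controls: encoded body plus CSP header."""
    return {"headers": csp_headers(report_only), "body": render_encoded(display_name)}


if __name__ == "__main__":
    print(render_unencoded(SAMPLE_UNTRUSTED))   # markup survives: vulnerable
    print(render_encoded(SAMPLE_UNTRUSTED))     # markup neutralised
    print(csp_headers(report_only=True))
```

Output encoding is the actual fix for the bug class; CSP only limits what an injected script can do if encoding is missed somewhere, so treat the header as a second layer rather than a replacement for the fix pack.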

🧯 If You Can't Patch

  • Restrict privileged user accounts to minimum necessary personnel
  • Implement web application firewall (WAF) with XSS protection rules

🔍 How to Verify

Check if Vulnerable:

Check IBM Sterling B2B Integrator version against affected ranges in console or configuration files

Check Version:

Check version in IBM Sterling administration console or review installation logs

Verify Fix Applied:

Verify installed fix pack version matches IBM advisory recommendations
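A small checker for the "Check if Vulnerable" step, added here as an example and not an IBM tool: it parses a four-part version string and tests it against the affected ranges listed on this page. It only answers whether a base version falls inside those ranges; whether the fix pack is installed has to be confirmed separately against the fix levels in the IBM advisory, which this page does not list, so no fix-pack numbers are hard-coded here.

```python
from typing import Tuple

# Affected ranges as stated on this page (inclusive, four-component versions).
AFFECTED_RANGES = (
    ("6.0.0.0", "6.1.2.5"),
    ("6.2.0.0", "6.2.0.3"),
)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '6.1.2.5' into (6, 1, 2, 5). Shorter strings are padded with
    zeros so '6.1' compares as 6.1.0.0. Raises ValueError on non-numeric
    components, which the caller turns into an 'unparseable' verdict."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (4 - len(parts))


def is_affected(version: str) -> bool:
    """True when the version lies inside any affected range (inclusive)."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def assessment(version: str) -> str:
    """Human-readable verdict for a version string read from the
    administration console or installation logs."""
    try:
        affected = is_affected(version)
    except ValueError:
        return "unparseable"
    return "affected" if affected else "not in affected range"


if __name__ == "__main__":
    for v in ("6.1.2.5", "6.1.2.6", "6.2.0.3", "6.2.0.4", "6.1", "abc"):
        print(f"{v:10} -> {assessment(v)}")
```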

📡 Detection & Monitoring

Log Indicators:

  • Unusual JavaScript payloads in web request logs
  • Multiple failed XSS attempts from same user

Network Indicators:

  • Suspicious outbound connections following admin UI access

SIEM Query:

source="web_logs" AND (url="*<script>*" OR user_agent="*javascript:*")
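The SIEM query above matches a literal `<script>` in the URL, but browsers and proxies percent-encode request parameters, so `%3Cscript%3E` slips past it. The following detector, an added example rather than anything from IBM or the page's SIEM, applies the same two indicators (script tags in the URL, `javascript:` in the user agent) after normalising percent-encoding, and then counts hits per user to surface the "multiple attempts from same user" indicator. The log lines are constructed Common Log Format samples, not real traffic.

```python
import re
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Common Log Format style). Users,
# addresses and requests are invented for this example.
SAMPLE_LOG = """\
10.0.0.5 - admin [01/Jan/2025:10:00:00 +0000] "GET /dashboard?name=alice HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - admin [01/Jan/2025:10:00:05 +0000] "POST /admin/users?display=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 204 "-" "Mozilla/5.0"
10.0.0.7 - bob [01/Jan/2025:10:01:00 +0000] "GET /help?q=<script>x</script> HTTP/1.1" 200 100 "-" "Mozilla/5.0"
10.0.0.9 - carol [01/Jan/2025:10:02:00 +0000] "GET /report?view=summary HTTP/1.1" 200 300 "-" "javascript:void(0)"
10.0.0.5 - admin [01/Jan/2025:10:03:00 +0000] "GET /profile?bio=%3CSCRIPT%3Etest%3C%2FSCRIPT%3E HTTP/1.1" 200 150 "-" "Mozilla/5.0"
not-a-log-line
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Same indicators as the SIEM query, case-insensitive.
URL_PATTERNS = (re.compile(r"<\s*script", re.I), re.compile(r"javascript:", re.I))
UA_PATTERNS = (re.compile(r"javascript:", re.I),)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one CLF line into fields; None for lines that do not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded input such as
    %253Cscript%253E is normalised before matching."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one hit per log line whose decoded URL or user agent matches."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        url = decode_fully(rec["url"])
        reasons = ["url:" + p.pattern for p in URL_PATTERNS if p.search(url)]
        reasons += ["ua:" + p.pattern for p in UA_PATTERNS if p.search(rec["ua"])]
        if reasons:
            hits.append({"ip": rec["ip"], "user": rec["user"],
                         "url": url, "reasons": ", ".join(reasons)})
    return hits


def repeated_offenders(hits: List[Dict[str, str]], threshold: int = 2) -> List[str]:
    """Users with at least `threshold` hits: the 'multiple attempts' indicator."""
    counts = Counter(h["user"] for h in hits)
    return sorted(u for u, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(h)
    print("repeat offenders:", repeated_offenders(found))
```

Because this CVE requires a privileged account, hits attributed to administrative users deserve more attention than the raw count suggests; correlate them with the "suspicious outbound connections following admin UI access" network indicator above rather than alerting on the pattern match alone.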
