CVE-2020-4727
Vulnerability Scoring
Attack Complexity Details
- Attack Complexity: Low Impact
- Attack Vector: NETWORK
- Privileges Required: None
- Scope: CHANGED
- User Interaction: REQUIRED
CIA Impact Definition
- Confidentiality: Low Impact
- Integrity: Low Impact
- Availability:
CVE-2020-4727 Vulnerability Summary
IBM InfoSphere Information Server 11.7 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim.
Access Complexity Graph for CVE-2020-4727
Impact Analysis for CVE-2020-4727
Exploit Prediction Scoring System - (EPSS)
The EPSS score estimates the probability that this vulnerability will be exploited in the near future.
EPSS Score: 0.094% (probability of exploit)
EPSS Percentile: 41.78%
(lower percentile = lower relative risk)
This vulnerability is less risky than approximately 58.22% of others.
CVE-2020-4727 Detailed Information and External References
References
- https://exchange.xforce.ibmcloud.com/vulnerabilities/187976
- https://www.ibm.com/support/pages/node/6336897
CWE
CWE-1021CAPEC
- Clickjacking CAPEC-103 An adversary tricks a victim into unknowingly initiating some action in one system while interacting with the UI from a seemingly completely different, usually an adversary controlled or intended, system.
- Flash File Overlay CAPEC-181 An attacker creates a transparent overlay using flash in order to intercept user actions for the purpose of performing a clickjacking attack. In this technique, the Flash file provides a transparent overlay over HTML content. Because the Flash application is on top of the content, user actions, such as clicks, are caught by the Flash application rather than the underlying HTML. The action is then interpreted by the overlay to perform the actions the attacker wishes.
- iFrame Overlay CAPEC-222 In an iFrame overlay attack the victim is tricked into unknowingly initiating some action in one system while interacting with the UI from seemingly completely different system.
- Task Impersonation CAPEC-504 An adversary, through a previously installed malicious application, impersonates an expected or routine task in an attempt to steal sensitive information or leverage a user's privileges.
- Tapjacking CAPEC-506 An adversary, through a previously installed malicious application, displays an interface that misleads the user and convinces them to tap on an attacker desired location on the screen. This is often accomplished by overlaying one screen on top of another while giving the appearance of a single interface. There are two main techniques used to accomplish this. The first is to leverage transparent properties that allow taps on the screen to pass through the visible application to an application running in the background. The second is to strategically place a small object (e.g., a button or text field) on top of the visible screen and make it appear to be a part of the underlying application. In both cases, the user is convinced to tap on the screen but does not realize the application that they are interacting with.
- Cross Frame Scripting (XFS) CAPEC-587 This attack pattern combines malicious Javascript and a legitimate webpage loaded into a concealed iframe. The malicious Javascript is then able to interact with a legitimate webpage in a manner that is unknown to the user. This attack usually leverages some element of social engineering in that an attacker must convinces a user to visit a web page that the attacker controls.
- Credential Prompt Impersonation CAPEC-654 An adversary, through a previously installed malicious application, impersonates a credential prompt in an attempt to steal a user's credentials.
Vulnerable Configurations
-
cpe:2.3:a:ibm:infosphere_information_server:11.7:*:*:*:*:*:*:*
cpe:2.3:a:ibm:infosphere_information_server:11.7:*:*:*:*:*:*:*
CVSS3 Source
nvd@nist.gov
CVSS3 Type
Primary
CVSS3 Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Protect Your Infrastructure: Combat Critical CVE Threats
Stay updated with real-time CVE vulnerabilities and take action to secure your systems. Enhance your cybersecurity posture with the latest threat intelligence and mitigation techniques. Develop the skills necessary to defend against CVEs and secure critical infrastructures. Join the top cybersecurity professionals safeguarding today's infrastructures.
Other Recently Published CVEs
- CVE-2025-0001 – Abacus ERP is versions older than 2024.210.16036, 2023.205.15833, 2022.105.15542 are affected by an authenticated arbitrary file read vulnerability.
- CVE-2025-1381 – A vulnerability was found in code-projects Real Estate Property Management System 1.0. It has been classified as critical. This affects an unknown ...
- CVE-2025-1380 – A vulnerability was found in Codezips Gym Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of...
- CVE-2025-1379 – A vulnerability has been found in code-projects Real Estate Property Management System 1.0 and classified as critical. Affected by this vulnerabili...
- CVE-2025-1378 – A vulnerability, which was classified as problematic, was found in radare2 5.9.9 33286. Affected is an unknown function in the library /libr/main/r...
- CVE-2024-47935 – Improper Validation of Integrity Check Value vulnerability in TXOne Networks StellarProtect (Legacy Mode), StellarEnforce, and Safe Lock allows an ...
- CVE-2024-13726 – The Coder WordPress plugin through 1.3.4 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action ...
- CVE-2024-13627 – The OWL Carousel Slider WordPress plugin through 2.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a R...
- CVE-2024-13626 – The VR-Frases (collect & share quotes) WordPress plugin through 3.0.1 does not sanitise and escape a parameter before outputting it back in the pag...
- CVE-2024-13625 – The Tube Video Ads Lite WordPress plugin through 1.5.7 does not sanitise and escape a parameter before outputting it back in the page, leading to a...