IBM OpenPages Vulnerability Let Attackers Steal Authentication Credentials

The post IBM OpenPages Vulnerability Let Attackers Steal Authentication Credentials appeared first on Cyber Security News.

Feb 21, 2025 - 04:33

IBM has addressed multiple high-severity vulnerabilities in its OpenPages Governance, Risk, and Compliance (GRC) platform that could enable attackers to hijack user sessions, steal authentication credentials, and manipulate critical enterprise data. 

The flaws affect versions 8.3 and 9.0 of the software, with fixes released in February 2025 through Fix Pack 5 for v9.0 and interim patches for v8.3.

Exploitation Pathways and Technical Impact

Among the 10+ documented CVEs, CVE-2024-45613 (CVSS 7.2) in the integrated CKEditor 5 component enables cross-site scripting (XSS) via malicious clipboard content. 

This allows session cookie theft by injecting JavaScript payloads into administrative interfaces. 

Attackers could combine this with CVE-2024-49779 (CVSS 4.3), which bypasses CSRF protections by swapping session IDs and anti-CSRF tokens between accounts, enabling lateral movement across privileged roles.
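The swap described for CVE-2024-49779 can only succeed if the server accepts an anti-CSRF token under a session other than the one it was issued to. The Python below is an added example, not IBM's code or its fix: it binds each token to its session ID with an HMAC and contrasts that with an unbound check. The function names, key handling and session IDs are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed per-process key; a real deployment would load it from a secret store.
SERVER_KEY = secrets.token_bytes(32)


def _mac(key: bytes, session_id: str, nonce: str) -> str:
    sid = session_id.encode()
    # Length prefix keeps (session_id, nonce) pairs unambiguous.
    msg = len(sid).to_bytes(4, "big") + sid + nonce.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id: str, key: bytes = SERVER_KEY) -> str:
    """Return 'nonce.mac', where the MAC covers the session ID and the nonce."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(key, session_id, nonce)}"


def verify_csrf_token(session_id: str, token: str, key: bytes = SERVER_KEY) -> bool:
    """Accept the token only if it was issued for this exact session ID."""
    nonce, sep, mac = token.partition(".")
    if not sep or not nonce or not mac:
        return False
    expected = _mac(key, session_id, nonce)
    return hmac.compare_digest(expected.encode(), mac.encode())


def unbound_verify(token: str, issued_tokens: set) -> bool:
    """Weak pattern for contrast: any token ever issued passes, whatever the session."""
    return token in issued_tokens


def demo() -> dict:
    # Constructed session IDs standing in for two different accounts.
    sess_a, sess_b = "sess-analyst-0001", "sess-admin-0002"
    tok_a, tok_b = issue_csrf_token(sess_a), issue_csrf_token(sess_b)
    pool = {tok_a, tok_b}
    return {
        "unbound_accepts_swapped": unbound_verify(tok_a, pool),  # A's token under B
        "bound_accepts_own": verify_csrf_token(sess_a, tok_a),
        "bound_accepts_swapped": verify_csrf_token(sess_b, tok_a),
        "bound_accepts_malformed": verify_csrf_token(sess_a, "no-separator"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```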

The platform’s email notification system introduces two attack vectors:

CVE-2024-49337 (CVSS 5.4): HTML injection in workflow-triggered emails permits phishing payloads using