CVE-2024-47113

High

Published: 18 January 2025

Published

18 January 2025

Modified

18 August 2025

KEV Added

—

Patch

—

CVSS Score 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

EPSS Score 0.0019 40.0th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-47113 is a high-severity aka Blind XPath Injection (CWE-91) vulnerability in Ibm Voice Gateway. Its CVSS base score is 8.1 (High).

Operationally, ranked at the 40.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents XML injection attacks by implementing input validation mechanisms at XML processing entry points to reject specially crafted statements.

SI-2 Flaw Remediation good match

prevent

Mitigates the vulnerability by identifying, reporting, and applying vendor-provided patches to remediate the flawed XML processing in affected IBM ICP Voice Gateway versions.

SI-9 Information Input Restrictions partial match

prevent

Complements input validation by enforcing restrictions on XML inputs at system boundaries to block unauthorized or malformed content.

NVD Description

IBM ICP - Voice Gateway 1.0.2, 1.0.2.4, 1.0.3, 1.0.4, 1.0.5, 1.0.6. 1.0.7, 1.0.7.1, and 1.0.8 could allow remote attacker to send specially crafted XML statements, which would allow them to attacker to view or modify information in the XML document.

Deeper analysisAI

CVE-2024-47113 is an XML injection vulnerability (CWE-91) affecting IBM ICP Voice Gateway versions 1.0.2, 1.0.2.4, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.7.1, and 1.0.8. It enables a remote attacker to send specially crafted XML statements, allowing them to view or modify information within the XML document. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), indicating high severity due to its network accessibility, low attack complexity, and significant impacts on confidentiality and integrity.

An attacker with low privileges (PR:L) can exploit this vulnerability remotely over the network without requiring user interaction. Successful exploitation allows the attacker to read sensitive data or alter XML content, potentially leading to unauthorized data exposure or manipulation within the affected Voice Gateway component.

The IBM security advisory at https://www.ibm.com/support/pages/node/7175791 provides details on mitigation, including available patches and recommended actions for affected versions.

Details

CWE(s): CWE-91

Affected Products

ibm

voice gateway

1.0.2, 1.0.2.4, 1.0.3, 1.0.4, 1.0.5

CVEs Like This One

CVE-2024-56340Same vendor: Ibm

CVE-2024-43187Same vendor: Ibm

CVE-2025-0162Same vendor: Ibm

CVE-2024-28766Same vendor: Ibm

CVE-2025-14480Same vendor: Ibm

CVE-2024-25034Same vendor: Ibm

CVE-2024-39750Same vendor: Ibm

CVE-2024-49352Same vendor: Ibm

CVE-2025-3320Same vendor: Ibm

CVE-2025-13689Same vendor: Ibm

References

https://www.ibm.com/support/pages/node/7175791
Vendor Advisory · psirt@us.ibm.com