CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

IBM : Security Vulnerabilities

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2017-3744 77 2017-06-19 2017-07-05
4.0
None Remote Low Single system Partial None None
In the IMM2 firmware of Lenovo System x servers, remote commands issued by LXCA or other utilities may be captured in the First Failure Data Capture (FFDC) service log if the service log is generated when that remote command is running. Captured command data may contain clear text login information. Authorized users that can capture and export FFDC service log data may have access to these remote commands.
2 CVE-2017-1504 254 2017-08-03 2017-08-05
4.0
None Remote Low Single system Partial None None
IBM WebSphere Application Server version 9.0.0.4 could provide weaker than expected security after using the PasswordUtil command to enable AES password encryption. IBM X-Force ID: 129579.
3 CVE-2017-1500 79 XSS 2017-08-01 2017-08-04
4.3
None Remote Medium Not required None Partial None
A Reflected Cross Site Scripting (XSS) vulnerability exists in the authorization function exposed by RESTful Web Api of IBM Worklight Framework 6.1, 6.2, 6.3, 7.0, 7.1, and 8.0. The vulnerable parameter is "scope"; if you set as its value a "realm" not defined in authenticationConfig.xml, you get an HTTP 403 Forbidden response and the value will be reflected in the body of the HTTP response. By setting it to arbitrary JavaScript code it is possible to modify the flow of the authorization function, potentially leading to credential disclosure within a trusted session.
4 CVE-2017-1496 79 XSS 2017-07-31 2017-08-03
3.5
None Remote Medium Single system None Partial None
IBM Sterling B2B Integrator Standard Edition 5.2.x is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 128694.
5 CVE-2017-1495 119 Overflow 2017-08-02 2017-08-03
4.0
None Remote Low Single system Partial None None
IBM InfoSphere Information Server 9.1, 11.3, and 11.5 could allow a privileged user to cause a memory dump that could contain highly sensitive information including access credentials. IBM X-Force ID: 128693.
6 CVE-2017-1468 264 +Priv 2017-08-02 2017-08-04
4.6
None Local Low Not required Partial Partial Partial
IBM InfoSphere Information Server 9.1, 11.3, and 11.5 could allow a local user to gain elevated privileges by placing arbitrary files in installation directories. IBM X-force ID: 128467.
7 CVE-2017-1467 264 2017-08-02 2017-08-03
6.8
None Remote Medium Not required Partial Partial Partial
A network layer security vulnerability in InfoSphere Information Server 9.1, 11.3, and 11.5 can lead to privilege escalation or unauthorized access. IBM X-Force ID: 128466.
8 CVE-2017-1460 20 2017-07-31 2017-08-03
5.0
None Remote Low Not required None None Partial
IBM i OSPF 6.1, 7.1, 7.2, and 7.3 is vulnerable when a rogue router spoofs its origin. Routing tables are affected by a missing LSA, which may lead to loss of connectivity. IBM X-Force ID: 128379.
9 CVE-2017-1431 79 XSS 2017-08-10 2017-08-18
3.5
None Remote Medium Single system None Partial None
IBM InfoSphere Streams 4.0, 4.1, and 4.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 127632.
10 CVE-2017-1398 601 +Info 2017-07-10 2017-07-17
5.8
None Remote Medium Not required Partial Partial None
IBM WebSphere Commerce Enterprise, Professional, Express, and Developer 6.0, 7.0, and 8.0 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim. IBM X-Force ID: 127385.
11 CVE-2017-1386 264 Bypass 2017-07-31 2017-08-03
4.3
None Remote Medium Not required Partial None None
IBM API Connect 5.0.0.0 could allow a user to bypass policy restrictions and create non-compliant passwords which could be intercepted and decrypted using man in the middle techniques. IBM X-Force ID: 127160.
12 CVE-2017-1383 611 2017-08-02 2017-08-04
6.4
None Remote Low Not required Partial None Partial
IBM InfoSphere Information Server 9.1, 11.3, and 11.5 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 127155.
13 CVE-2017-1382 264 2017-07-24 2017-07-27
3.6
None Local Low Not required Partial Partial None
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 might create files using the default permissions instead of the customized permissions when custom startup scripts are used. A local attacker could exploit this to gain access to files with an unknown impact. IBM X-Force ID: 127153.
14 CVE-2017-1381 200 +Info 2017-07-21 2017-07-31
2.1
None Local Low Not required Partial None None
IBM WebSphere Application Server Proxy Server or On-demand-router (ODR) 7.0, 8.0, 8.5, 9.0 and could allow a local attacker to obtain sensitive information, caused by stale data being cached and then served. IBM X-Force ID: 127152.
15 CVE-2017-1380 79 XSS 2017-07-24 2017-07-27
3.5
None Remote Medium Single system None Partial None
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 127151.
16 CVE-2017-1379 200 +Info 2017-06-15 2017-06-22
5.0
None Remote Low Not required Partial None None
IBM API Connect 5.0.0.0 could allow a remote attacker to obtain sensitive information, caused by improper handling of requests to the Developer Portal. IBM X-Force ID: 127002.
17 CVE-2017-1377 200 +Info 2017-08-10 2017-08-18
4.0
None Remote Low Single system Partial None None
IBM Runbook Automation reveals sensitive information in error messages that could be used in further attacks against the system. IBM X-Force ID: 126874.
18 CVE-2017-1374 200 +Info 2017-07-21 2017-07-25
4.0
None Remote Low Single system Partial None None
Sensitive data can be exposed in the IBM TRIRIGA Application Platform 3.3, 3.4, and 3.5 that can lead to an attacker gaining unauthorized access to the system. IBM X-Force ID: 126867.
19 CVE-2017-1373 284 2017-07-21 2017-07-25
6.5
None Remote Low Single system Partial Partial Partial
Reports executed in the IBM TRIRIGA Application Platform 3.3, 3.4, and 3.5 contains a vulnerability that could allow an authenticated user to execute a report they do not have access to. IBM X-Force ID: 126866.
20 CVE-2017-1372 79 XSS 2017-07-21 2017-07-25
3.5
None Remote Medium Single system None Partial None
IBM TRIRIGA Application Platform 3.3, 3.4, and 3.5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 126865.
21 CVE-2017-1371 284 2017-07-21 2017-07-25
6.5
None Remote Low Single system Partial Partial Partial
Builder tools running in the IBM TRIRIGA Application Platform 3.3, 3.4, and 3.5 contains a vulnerability that could allow an authenticated user to execute Builder tool actions they do not have access to. IBM X-Force ID: 126864.
22 CVE-2017-1370 284 2017-07-31 2017-08-07
4.0
None Remote Low Single system Partial None None
IBM Jazz Reporting Service (JRS) 5.0 and 6.0 could disclose sensitive information, including user credentials, through an error message from the Report Builder administrator configuration page. IBM X-Force ID: 126863.
23 CVE-2017-1349 200 +Info 2017-06-23 2017-06-27
2.1
None Local Low Not required Partial None None
IBM Sterling B2B Integrator Standard Edition 5.2 stores potentially sensitive information from HTTP sessions that could be read by a local user. IBM X-Force ID: 126525.
24 CVE-2017-1348 79 XSS 2017-06-23 2017-06-26
3.5
None Remote Medium Single system None Partial None
IBM Sterling B2B Integrator Standard Edition 5.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 126524.
25 CVE-2017-1347 89 Sql 2017-06-23 2017-06-26
6.5
None Remote Low Single system Partial Partial Partial
IBM Sterling B2B Integrator Standard Edition 5.2 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 126462.
26 CVE-2017-1337 255 2017-07-10 2017-07-13
4.3
None Remote Medium Not required Partial None None
IBM WebSphere MQ 9.0.1 and 9.0.2 Java/JMS application can incorrectly transmit user credentials in plain text. IBM X-Force ID: 126245.
27 CVE-2017-1332 79 XSS 2017-07-31 2017-08-03
4.3
None Remote Medium Not required None Partial None
IBM iNotes 8.5 and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 126234.
28 CVE-2017-1331 79 XSS 2017-08-04 2017-08-09
3.5
None Remote Medium Single system None Partial None
IBM Content Navigator 2.0.3 and 3.0.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 126233.
29 CVE-2017-1328 284 Bypass 2017-06-27 2017-07-05
5.0
None Remote Low Not required None Partial None
IBM API Connect 5.0.0.0 - 5.0.6.0 could allow a remote attacker to bypass security restrictions of the api, caused by improper handling of security policy. By crafting a suitable request, an attacker could exploit this vulnerability to bypass security and use the vulnerable API. IBM X-Force ID: 126230.
30 CVE-2017-1327 79 XSS 2017-08-03 2017-08-05
4.3
None Remote Medium Not required None Partial None
IBM iNotes 8.5 and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 126062.
31 CVE-2017-1326 284 2017-06-22 2017-06-30
4.0
None Remote Low Single system None Partial None
IBM Sterling File Gateway does not properly restrict user requests based on permission level. This allows for users to update data related to other users, by manipulating the parameters passed in the POST request. IBM X-Force ID: 126060.
32 CVE-2017-1325 79 XSS 2017-05-26 2017-07-07
4.3
None Remote Medium Not required None Partial None
IBM iNotes 8.5 and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 125976.
33 CVE-2017-1322 611 2017-06-27 2017-07-05
6.4
None Remote Low Not required Partial None Partial
IBM API Connect 5.0.6.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources. IBM X-Force ID: 125918.
34 CVE-2017-1321 79 XSS 2017-07-12 2017-07-17
4.3
None Remote Medium Not required None Partial None
IBM InfoSphere Information Server 9.1, 11.3, and 11.5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 125916.
35 CVE-2017-1320 79 XSS 2017-05-22 2017-07-07
3.5
None Remote Medium Single system None Partial None
IBM Tivoli Federated Identity Manager 6.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 125732.
36 CVE-2017-1319 326 2017-06-08 2017-07-07
5.0
None Remote Low Not required Partial None None
IBM Tivoli Federated Identity Manager 6.2 is affected by a vulnerability due to a missing secure attribute in encrypted session (SSL) cookie. IBM X-Force ID: 125731.
37 CVE-2017-1318 78 Exec Code 2017-07-18 2017-07-28
9.0
None Remote Low Single system Complete Complete Complete
IBM MQ Appliance 8.0 and 9.0 could allow an authenticated messaging administrator to execute arbitrary commands on the system, caused by command execution. IBM X-Force ID: 125730.
38 CVE-2017-1310 119 Overflow 2017-06-29 2017-07-06
4.0
None Remote Low Single system None None Partial
IBM Informix Dynamic Server 12.1 could allow an authenticated user to cause a buffer overflow that would write large assertion fail files to the server. Done enough times, this could use large parts of the file system and cause the server to crash. IBM X-Force ID: 125569.
39 CVE-2017-1309 200 +Info 2017-07-19 2017-07-25
2.1
None Local Low Not required Partial None None
IBM InfoSphere Master Data Management Server 11.0 - 11.6 stores user credentials in plain in clear text which can be read by a local user. IBM X-Force ID: 125463.
40 CVE-2017-1308 284 2017-07-13 2017-07-19
4.0
None Remote Low Single system Partial None None
IBM Daeja ViewONE Professional, Standard & Virtual 4.1.5.1 and 5.0 could allow an authenticated attacker to download files they should not have access to due to improper access controls. IBM X-Force ID: 125462.
41 CVE-2017-1305 79 XSS 2017-06-07 2017-06-14
3.5
None Remote Medium Single system None Partial None
IBM DOORS Next Generation (DNG/RRC) 6.0.2 and 6.0.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 125459.
42 CVE-2017-1304 119 DoS Overflow Mem. Corr. 2017-06-21 2017-07-06
4.6
None Local Low Not required Partial Partial Partial
IBM has identified a vulnerability with IBM Spectrum Scale/GPFS utilized on the Elastic Storage Server (ESS)/GPFS Storage Server (GSS) during testing of an unsupported configuration, where users applications are running on an active ESS I/O server node and utilize direct I/O to perform a read or a write to a Spectrum Scale file. This vulnerability may result in the use of an incorrect memory address, leading to a Spectrum Scale/GPFS daemon failure with a Signal 11, and possibly leading to denial of service or undetected data corruption. IBM X-Force ID: 125458.
43 CVE-2017-1303 79 XSS 2017-07-31 2017-08-02
4.3
None Remote Medium Not required None Partial None
IBM WebSphere Portal and Web Content Manager 7.0, 8.0, 8.5, and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 125457.
44 CVE-2017-1302 200 +Info 2017-06-23 2017-06-26
2.1
None Local Low Not required Partial None None
IBM Sterling B2B Integrator Standard Edition 5.2 could allow a local user view sensitive information due to improper access controls. IBM X-Force ID: 125456.
45 CVE-2017-1297 119 Exec Code Overflow 2017-06-27 2017-08-11
4.4
None Local Medium Not required Partial Partial Partial
IBM DB2 for Linux, UNIX and Windows 9.2, 10.1, 10.5, and 11.1 (includes DB2 Connect Server) is vulnerable to a stack-based buffer overflow, caused by improper bounds checking which could allow a local attacker to execute arbitrary code. IBM X-Force ID: 125159.
46 CVE-2017-1292 200 +Info 2017-05-26 2017-05-31
5.0
None Remote Low Not required Partial None None
IBM Maximo Asset Management 7.5 and 7.6 generates error messages that could reveal sensitive information that could be used in further attacks against the system. IBM X-Force ID: 125153.
47 CVE-2017-1291 79 XSS Http R.Spl. +Info 2017-05-26 2017-05-31
3.5
None Remote Medium Single system None Partial None
IBM Maximo Asset Management 7.5 and 7.6 is vulnerable to HTTP response splitting attacks. A remote attacker could exploit this vulnerability using specially-crafted URL to cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning, cross-site scripting, and possibly obtain sensitive information. IBM X-Force ID: 125152.
48 CVE-2017-1289 611 2017-05-22 2017-06-02
6.4
None Remote Low Not required Partial None Partial
IBM SDK, Java Technology Edition is vulnerable XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources. IBM X-Force ID: 125150.
49 CVE-2017-1287 601 +Info 2017-07-24 2017-07-28
4.9
None Remote Medium Single system Partial Partial None
IBM Rhapsody DM 5.0 and 6.0 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim.
50 CVE-2017-1285 20 2017-07-12 2017-07-17
4.0
None Remote Low Single system None None Partial
IBM WebSphere MQ 9.0.1 and 9.0.2 could allow an authenticated user with authority to send a specially crafted message that would cause a channel to remain in a running state but not process messages. IBM X-Force ID: 125146.
Total number of vulnerabilities : 3476   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.