| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2013-2566 |
310 |
|
|
2013-03-15 |
2013-04-19 |
2.6 |
None |
Remote |
High |
Not required |
Partial |
None |
None |
|
The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions that use the same plaintext. |
|
2 |
CVE-2013-0572 |
79 |
|
XSS |
2013-04-26 |
2013-05-01 |
2.3 |
None |
Local Network |
Medium |
Single system |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in IBM Document Connect for Application Support Facility (aka DC4ASF) before 1.0.0.1218 in Application Support Facility (ASF) 3.4 for z/OS on Windows, Linux, and AIX allows remote authenticated users to inject content, and conduct phishing attacks, via unspecified vectors. |
|
3 |
CVE-2013-0571 |
79 |
|
XSS |
2013-04-26 |
2013-04-29 |
2.9 |
None |
Local Network |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in IBM Document Connect for Application Support Facility (aka DC4ASF) before 1.0.0.1218 in Application Support Facility (ASF) 3.4 for z/OS on Windows, Linux, and AIX allows remote attackers to inject arbitrary web script or HTML via a crafted URL. |
|
4 |
CVE-2013-0466 |
79 |
|
XSS |
2013-02-20 |
2013-02-20 |
2.6 |
None |
Remote |
High |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in IBM WebSphere Message Broker 7.0 before 7.0.0.6 and 8.0 before 8.0.0.2, when wsdl support is enabled on a SOAPInput node, allows remote attackers to inject arbitrary web script or HTML via a wsdl request that is not properly handled during construction of an error message. |
|
5 |
CVE-2012-5307 |
79 |
|
XSS |
2012-10-08 |
2012-10-08 |
2.6 |
None |
Remote |
High |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in servlet/traveler in IBM Lotus Notes Traveler before 8.5.3.3 Interim Fix 1, when Firefox is used, allows remote attackers to inject arbitrary web script or HTML via the redirectURL parameter, a different vulnerability than CVE-2012-4824 and CVE-2012-4825. |
|
6 |
CVE-2012-4862 |
255 |
|
+Info |
2012-12-05 |
2013-04-10 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The Host Connect emulator in IBM Rational Developer for System z 7.1 through 8.5.1 does not properly store the SSL certificate password, which allows local users to obtain sensitive information via unspecified vectors. |
|
7 |
CVE-2012-4833 |
264 |
|
|
2012-10-01 |
2013-02-13 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
fuser in IBM AIX 6.1 and 7.1, and VIOS 2.2.1.4-FP-25 SP-02, does not properly restrict the -k option, which allows local users to kill arbitrary processes via a crafted command line. |
|
8 |
CVE-2012-3300 |
399 |
|
DoS |
2012-09-25 |
2012-10-15 |
2.6 |
None |
Remote |
High |
Not required |
None |
None |
Partial |
|
IBM WebSphere Commerce 7.0 before 7.0.0.6, when persistent sessions and personalization IDs are enabled, allows remote attackers to cause a denial of service (resource consumption) via unspecified vectors. |
|
9 |
CVE-2012-0717 |
287 |
|
Bypass |
2012-06-20 |
2012-06-21 |
2.6 |
None |
Remote |
High |
Not required |
None |
Partial |
None |
|
IBM WebSphere Application Server 7.0 before 7.0.0.23, when a certain SSLv2 configuration with client authentication is used, allows remote attackers to bypass X.509 client-certificate authentication via unspecified vectors. |
|
10 |
CVE-2011-5066 |
200 |
|
+Info |
2012-01-14 |
2012-02-08 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The SibRaRecoverableSiXaResource class in the Default Messaging Component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.41 does not properly handle a Service Integration Bus (SIB) dump operation involving the First Failure Data Capture (FFDC) introspection code, which allows local users to obtain sensitive information by reading the FFDC log file. |
|
11 |
CVE-2011-3982 |
399 |
|
DoS |
2011-10-04 |
2012-05-14 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
The Fibre Channel driver for QLogic adapters in IBM AIX 6.1 and 7.1 does not properly handle DMA resource limitations, which allows local users to cause a denial of service (system hang) via vectors that generate a large amount of DMA I/O, related to a deadlock in timer processing across CPUs. |
|
12 |
CVE-2011-1822 |
255 |
|
+Info |
2011-04-21 |
2011-04-21 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The LDAP_ADD implementation in IBM Tivoli Directory Server (TDS) 5.2 before 5.2.0.5-TIV-ITDS-IF0009 stores a cleartext SHA password in the change log, which might allow local users to obtain sensitive information by reading this log. |
|
13 |
CVE-2011-1356 |
200 |
|
+Info |
2011-07-19 |
2011-07-25 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.39 and 7.0 before 7.0.0.19 allows local users to obtain sensitive stack-trace information via a crafted Administration Console request. |
|
14 |
CVE-2011-1307 |
264 |
|
|
2011-03-08 |
2011-04-21 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The installer in IBM WebSphere Application Server (WAS) before 7.0.0.15 uses 777 permissions for a temporary log directory, which allows local users to have unintended access to log files via standard filesystem operations, a different vulnerability than CVE-2009-1173. |
|
15 |
CVE-2010-4548 |
20 |
|
DoS |
2010-12-16 |
2010-12-17 |
2.1 |
None |
Remote |
High |
Single system |
None |
None |
Partial |
|
IBM Lotus Notes Traveler before 8.5.1.2 allows remote authenticated users to cause a denial of service (daemon crash) by accepting a meeting invitation with an iNotes client and then accepting this meeting invitation with an iPhone client. |
|
16 |
CVE-2010-3735 |
399 |
|
DoS |
2010-10-05 |
2012-01-26 |
2.1 |
None |
Remote |
High |
Single system |
None |
None |
Partial |
|
The "Query Compiler, Rewrite, Optimizer" component in IBM DB2 UDB 9.5 before FP6a allows remote authenticated users to cause a denial of service (CPU consumption) via a crafted query involving certain UNION ALL views, leading to an indefinitely large amount of compilation time. |
|
17 |
CVE-2010-1487 |
255 |
|
+Info |
2010-04-20 |
2012-01-26 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
IBM Lotus Notes 7.0, 8.0, and 8.5 stores administrative credentials in cleartext in SURunAs.exe, which allows local users to obtain sensitive information by examining this file, aka SPR JSTN837SEG. |
|
18 |
CVE-2010-0777 |
20 |
|
+Info |
2010-05-17 |
2010-05-26 |
2.6 |
None |
Remote |
High |
Not required |
Partial |
None |
None |
|
The Web Container in IBM WebSphere Application Server (WAS) 6.0 before 6.0.2.43, 6.1 before 6.1.0.31, and 7.0 before 7.0.0.11 does not properly handle long filenames and consequently sends an incorrect file in some responses, which allows remote attackers to obtain sensitive information by reading the retrieved file. |
|
19 |
CVE-2009-5085 |
264 |
|
Bypass |
2011-08-12 |
2012-04-25 |
2.6 |
None |
Remote |
High |
Not required |
None |
Partial |
None |
|
IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 before 6.2.0.2, when configured as an OpenID provider, does not delete the site information cookie in response to a user's deletion of a relying-party trust entry, which allows user-assisted remote attackers to bypass intended trust restrictions via vectors that trigger absence of the consent-to-authenticate page. |
|
20 |
CVE-2009-5061 |
|
|
DoS |
2011-03-22 |
2011-03-24 |
2.1 |
None |
Remote |
High |
Single system |
None |
None |
Partial |
|
Unspecified vulnerability in IBM Lotus Quickr 8.1 before 8.1.0.14 services for Lotus Domino, when Domino Native Authentication is enabled, might allow remote authenticated users to cause a denial of service (daemon crash) by going offline, aka SPR MLZG7UPB9N. |
|
21 |
CVE-2009-4998 |
264 |
|
Bypass |
2010-09-20 |
2010-09-21 |
2.6 |
None |
Remote |
High |
Not required |
None |
Partial |
None |
|
The Workplace (aka WP) component in IBM FileNet P8 Application Engine (P8AE) 3.5.1 before 3.5.1-019 and 4.0.2.x before 4.0.2.7-P8AE-FP007, in certain FileTracker configurations, does not apply a security policy to the first document added during a session, which might allow remote attackers to bypass intended access restrictions via unspecified vectors. |
|
22 |
CVE-2009-2743 |
|
|
+Info |
2009-09-21 |
2010-12-30 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.27, and 7.0 before 7.0.0.7, does not properly handle an exception occurring after use of wsadmin scripts and configuration of JAAS-J2C Authentication Data, which allows local users to obtain sensitive information by reading the First Failure Data Capture (FFDC) log file. |
|
23 |
CVE-2009-2089 |
16 |
|
+Info |
2009-08-13 |
2009-09-02 |
2.1 |
None |
Remote |
High |
Single system |
Partial |
None |
None |
|
The Migration component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.25 and 7.0 before 7.0.0.5, when tracing is enabled and a 6.1 to 7.0 migration has occurred, allows remote authenticated users to obtain sensitive information by reading a Migration Trace file. |
|
24 |
CVE-2009-2087 |
255 |
|
DoS |
2009-08-13 |
2009-08-14 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
The Web Services functionality in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.25 and 7.0 before 7.0.0.5, in certain circumstances involving the ibm-webservicesclient-bind.xmi file and custom password encryption, uses weak password obfuscation, which allows local users to cause a denial of service (deployment failure) via unspecified vectors. |
|
25 |
CVE-2009-1905 |
287 |
|
Bypass |
2009-06-03 |
2009-10-01 |
2.6 |
None |
Remote |
High |
Not required |
Partial |
None |
None |
|
The Common Code Infrastructure component in IBM DB2 8 before FP17, 9.1 before FP7, and 9.5 before FP4, when LDAP security (aka IBMLDAPauthserver) and anonymous bind are enabled, allows remote attackers to bypass password authentication and establish a database connection via unspecified vectors. |
|
26 |
CVE-2009-1292 |
200 |
|
+Info |
2009-04-14 |
2009-04-23 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
UCM-CQ in IBM Rational ClearCase 7.0.0.x before 7.0.0.5, 7.0.1.x before 7.0.1.4, and 7.1.x before 7.1.0.1 on Linux and AIX places a username and password on the command line, which allows local users to obtain credentials by listing the process. |
|
27 |
CVE-2009-1173 |
264 |
|
|
2009-03-31 |
2009-06-16 |
2.1 |
None |
Local |
Low |
Not required |
None |
Partial |
None |
|
IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.3 uses weak permissions (777) for files associated with unspecified "interim fixes," which allows attackers to modify files that would not have been accessible if the intended 755 permissions were used. |
|
28 |
CVE-2009-0504 |
200 |
|
+Info |
2009-02-17 |
2009-02-18 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
WSPolicy in the Web Services component in IBM WebSphere Application Server (WAS) 7.0.x before 7.0.0.1 does not properly recognize the IDAssertion.isUsed binding property, which allows local users to discover a password by reading a SOAP message. |
|
29 |
CVE-2009-0503 |
255 |
|
+Info |
2009-02-13 |
2009-03-04 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
IBM WebSphere Message Broker 6.1.x before 6.1.0.2 writes a database connection password to the Event Log and System Log during exception handling for a JDBC error, which allows local users to obtain sensitive information by reading these logs. |
|
30 |
CVE-2009-0433 |
|
|
DoS |
2009-02-10 |
2009-02-11 |
2.6 |
None |
Remote |
High |
Not required |
None |
None |
Partial |
|
Unspecified vulnerability in IBM WebSphere Application Server (WAS) 5.1.x before 5.1.1.19, 6.0.x before 6.0.2.29, and 6.1.x before 6.1.0.19, when Web Server plug-in content buffering is enabled, allows attackers to cause a denial of service (daemon crash) via unknown vectors, related to a mishandling of client read failures in which clients receive many 500 HTTP error responses and backend servers are incorrectly labeled as down. |
|
31 |
CVE-2008-7261 |
255 |
|
+Info |
2010-09-20 |
2010-09-21 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The Workplace (aka WP) component in IBM FileNet P8 Application Engine (P8AE) 3.5.1 before 3.5.1-010 records DEBUG messages containing user credentials in the log4j.xml file, which might allow local users to obtain sensitive information by reading this file. |
|
32 |
CVE-2008-5228 |
79 |
|
XSS |
2008-11-25 |
2009-08-12 |
2.6 |
None |
Remote |
High |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in IBM Workplace Content Management (WCM) 6.0G and 6.1 before CF8, when a Page Navigation Component shows menu entries, allows remote attackers to inject arbitrary web script or HTML via unspecified parameters in the URI, related to parameters "not being encoded." |
|
33 |
CVE-2008-4807 |
255 |
|
+Info |
2008-10-31 |
2008-11-03 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
IBM Lotus Connections 2.x before 2.0.1 stores the password for the administrative user in the trace.log file, which allows local users to obtain sensitive information by reading this file. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. |
|
34 |
CVE-2008-3894 |
200 |
|
+Info |
2008-09-03 |
2009-01-29 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
IBM Lenovo firmware 7CETB5WW 2.05 stores pre-boot authentication passwords in the BIOS Keyboard buffer and does not clear this buffer after use, which allows local users to obtain sensitive information by reading the physical memory locations associated with this buffer. |
|
35 |
CVE-2008-0740 |
264 |
|
+Info |
2008-02-12 |
2009-09-01 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
IBM WebSphere Application Server (WAS) before 6.0.2 Fix Pack 25 (6.0.2.25) and 6.1 before Fix Pack 15 (6.1.0.15) writes unspecified cleartext information to http_plugin.log, which might allow local users to obtain sensitive information by reading this file. |
|
36 |
CVE-2008-0441 |
|
|
+Info |
2008-01-24 |
2008-09-05 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
IBM Tivoli Business Service Manager (TBSM) 4.1.1 stores passwords in cleartext (1) after external authentication, which triggers writing the password to SM_server.log; and (2) after a reconfig action; which allows local users to obtain sensitive information. |
|
37 |
CVE-2007-6680 |
|
|
|
2008-01-10 |
2008-09-05 |
2.1 |
None |
Local |
Low |
Not required |
None |
Partial |
None |
|
Trusted Execution in IBM AIX 6.1 uses an incorrect pathname argument in a call to the trustchk_block_write function, which might allow local users to modify trusted files, related to an error in the support for links in the TSD_FILES_LOCK policy. |
|
38 |
CVE-2007-6363 |
79 |
|
XSS |
2007-12-14 |
2008-11-15 |
2.1 |
None |
Remote |
High |
Single system |
None |
Partial |
None |
|
IBM Tivoli Netcool Security Manager 1.3.0 before Interim Fix 1, when using Active Directory (AD) LDAP authentication, allows remote attackers to obtain login access via unspecified vectors without entering a password. |
|
39 |
CVE-2007-5819 |
264 |
|
|
2007-11-05 |
2008-09-05 |
2.1 |
None |
Local |
Low |
Not required |
None |
Partial |
None |
|
IBM Tivoli Continuous Data Protection for Files (CDP) 3.1.0 uses weak permissions (unrestricted write) for the Central Admin Global download directory, which allows local users to place arbitrary files into a location used for updating CDP clients. |
|
40 |
CVE-2007-5701 |
310 |
|
Bypass +Info |
2007-10-29 |
2008-11-15 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Incomplete blacklist vulnerability in the Certificate Authority (CA) in IBM Lotus Domino before 7.0.3 allows local users, or attackers with physical access, to obtain sensitive information (passwords) when an administrator enters a "ca activate" or "ca unlock" command with any uppercase character, which bypasses a blacklist designed to suppress password logging, resulting in cleartext password disclosure in the console log and Admin panel. |
|
41 |
CVE-2007-4271 |
22 |
|
Dir. Trav. |
2007-08-18 |
2008-09-05 |
2.1 |
None |
Local |
Low |
Not required |
None |
Partial |
None |
|
Directory traversal vulnerability in IBM DB2 UDB 8 before Fixpak 15 and 9.1 before Fixpak 3 allows local users to create arbitrary files via a .. (dot dot) in an unspecified environment variable, which is appended to "/tmp/" and used as a log file. NOTE: this issue might be related to symlink following. |
|
42 |
CVE-2006-6607 |
|
|
|
2006-12-17 |
2008-09-05 |
2.7 |
None |
Local Network |
Low |
Single system |
Partial |
None |
None |
|
The Java Key Store (JKS) for WebSphere Application Server (WAS) for IBM Tivoli Identity Manager (ITIM) 4.6 places the JKS password in a -Djavax.net.ssl.trustStorePassword command line argument, which allows local users to obtain the password by listing the process or using other methods. |
|
43 |
CVE-2006-5004 |
|
|
|
2006-09-26 |
2008-09-05 |
2.1 |
None |
Local |
Low |
Not required |
None |
Partial |
None |
|
Unspecified vulnerability in the rdist command in IBM AIX 5.2.0 and 5.3.0 allows local users to overwrite arbitrary files via unspecified vectors. |
|
44 |
CVE-2006-3858 |
|
|
|
2006-08-08 |
2008-09-05 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
IBM Informix Dynamic Server (IDS) before 9.40.xC8 and 10.00 before 10.00.xC4 stores passwords in plaintext in shared memory, which allows local users to obtain passwords by reading the memory (product defects 171893, 171894, 173772). |
|
45 |
CVE-2006-3856 |
|
|
DoS |
2006-08-08 |
2008-09-05 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
IBM Informix Dynamic Server (IDS) before 9.40.xC7 and 10.00 before 10.00.xC3 allows local users to cause a denial of service (crash) via unspecified vectors. |
|
46 |
CVE-2005-4869 |
|
|
DoS |
2005-12-31 |
2008-09-05 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
The (1) to_char and (2) to_date function in IBM DB2 8.1 allows local users to cause a denial of service (application crash) via an empty string in the second parameter, which causes a null pointer dereference. |
|
47 |
CVE-2005-4868 |
200 |
|
DoS +Info |
2005-12-31 |
2008-09-05 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Shared memory sections and events in IBM DB2 8.1 have default permissions of read and write for the Everyone group, which allows local users to gain unauthorized access, gain senstitive information, such as cleartext passwords, and cause a denial of service. |
|
48 |
CVE-2005-4273 |
|
|
|
2005-12-15 |
2011-09-06 |
2.1 |
None |
Local |
Low |
Not required |
None |
Partial |
None |
|
Multiple unspecified vulnerabilities in (1) getShell and (2) getCommand in IBM AIX 5.3 allow local users to append to arbitrary files. |
|
49 |
CVE-2005-3568 |
|
|
DoS |
2005-11-16 |
2008-09-05 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
db2fmp process in IBM DB2 Content Manager before 8.2 Fix Pack 10 allows local users to cause a denial of service (CPU consumption) by importing a corrupted Microsoft Excel file, aka "CORRUPTED EXEL FILE WILL CAUSE TEXT SEARCH PROCESS LOOPING." |
|
50 |
CVE-2005-3289 |
|
|
|
2005-10-23 |
2008-09-05 |
2.1 |
None |
Local |
Low |
Not required |
None |
Partial |
None |
|
LSCFG in IBM AIX 5.2 and 5.3 does not create temporary files securely, which allows local users to corrupt /etc/passwd and possibly other system files via the trace file. |
