CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

IBM : Security Vulnerabilities (CVSS score between 4 and 4.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2016-0209 79 XSS 2016-01-27 2016-01-27
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 8.5.0 before CF09 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
2 CVE-2016-0201 200 +Info 2016-01-18 2016-01-21
4.3
None Remote Medium Not required Partial None None
GSKit in IBM Security Network Protection 5.3.1 before 5.3.1.7 and 5.3.2 allows remote attackers to discover credentials by triggering an MD5 collision.
3 CVE-2015-7487 200 +Info 2016-01-27 2016-01-27
4.9
None Local Low Not required Complete None None
IBM Maximo Asset Management 7.1 through 7.1.1.13, 7.5.0 before 7.5.0.9 IFIX002, and 7.6.0 before 7.6.0.3 IFIX001; Maximo Asset Management 7.5.0 before 7.5.0.9 IFIX002, 7.5.1, and 7.6.0 before 7.6.0.3 IFIX001 for SmartCloud Control Desk; and Maximo Asset Management 7.1 through 7.1.1.13 and 7.2 for Tivoli IT Asset Management for IT and certain other products allow local users to obtain sensitive information by leveraging administrative privileges and reading log files.
4 CVE-2015-7469 264 Bypass 2016-01-17 2016-01-21
4.0
None Remote Low Single system None Partial None
Report Builder in IBM Jazz Reporting Service (JRS) 5.x before 5.0.2-Rational-CLM-ifix011 and 6.0 before 6.0.0-Rational-CLM-ifix005 allows remote authenticated users to bypass intended read-only restrictions by leveraging a JazzGuest role.
5 CVE-2015-7468 264 Bypass 2016-01-17 2016-01-21
4.0
None Remote Low Single system None Partial None
Report Builder in IBM Jazz Reporting Service (JRS) 5.x before 5.0.2-Rational-CLM-ifix011 and 6.0 before 6.0.0-Rational-CLM-ifix005 allows remote authenticated users to bypass intended restrictions on administrator tasks via unspecified vectors.
6 CVE-2015-7466 74 Bypass 2016-01-09 2016-01-11
4.0
None Remote Low Single system None Partial None
Lifecycle Query Engine (LQE) in IBM Jazz Reporting Service (JRS) 6.0 before 6.0.0-Rational-CLM-ifix005 allows remote authenticated users to conduct LDAP injection attacks, and consequently bypass intended query restrictions or modify the LDAP directory, via unspecified vectors.
7 CVE-2015-7456 200 +Info 2016-01-01 2016-01-06
4.0
None Remote Low Single system Partial None None
IBM Spectrum Scale 4.1.1 before 4.1.1.4, and 4.2.0.0, allows remote authenticated users to discover object-storage admin passwords via unspecified vectors.
8 CVE-2015-7452 200 +Info 2016-01-02 2016-01-06
4.0
None Remote Low Single system Partial None None
IBM Maximo Asset Management 7.5 before 7.5.0.9 FP9 and 7.6 before 7.6.0.3 FP3 and Maximo Asset Management 7.5 before 7.5.0.9 FP9, 7.5.1, and 7.6 before 7.6.0.3 FP3 for SmartCloud Control Desk allow remote authenticated users to obtain sensitive information via the REST API.
9 CVE-2015-7441 17 +Info 2015-12-31 2016-01-05
4.9
None Remote Medium Single system Partial Partial None
Remote Artifact Loader (RAL) in IBM WebSphere Process Server 7 and Business Process Manager Advanced 7.5 through 7.5.1.2, 8.0 through 8.0.1.3, 8.5.0 through 8.5.0.2, 8.5.5 through 8.5.5.0, and 8.5.6 through 8.5.6.2 does not properly use SSL for its HTTPS connection, which allows remote authenticated users to obtain sensitive information or modify data via unspecified vectors.
10 CVE-2015-7439 79 XSS 2016-01-27 2016-01-27
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in InfoSphere Data Architect (IDA), as distributed in IBM Rational Software Architect 8.5 through 9.5, Rational Software Architect for WebSphere Software (RSA4WS) 8.5 through 9.5, and Rational Software Architect RealTime (RSART) 8.5 through 9.5, allows remote attackers to inject arbitrary web script or HTML via a crafted URL.
11 CVE-2015-7431 79 XSS 2016-01-02 2016-01-06
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Queue Watcher in IBM Sterling B2B Integrator 5.2 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.
12 CVE-2015-7429 200 +Info 2016-01-02 2016-01-06
4.0
None Remote Low Single system None Partial None
The Data Protection extension in the VMware GUI in IBM Tivoli Storage Manager for Virtual Environments: Data Protection for VMware (aka Spectrum Protect for Virtual Environments) 7.1 before 7.1.4 and Tivoli Storage FlashCopy Manager for VMware (aka Spectrum Protect Snapshot) 4.1 before 4.1.4 allows remote authenticated users to restore arbitrary virtual machines and consequently obtain sensitive information by visiting the vSphere inventory.
13 CVE-2015-7413 79 XSS 2015-12-21 2015-12-21
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 8.0.0 before 8.0.0.1 CF19 and 8.5.0 through CF08 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.
14 CVE-2015-7395 284 Bypass 2015-11-07 2015-11-09
4.0
None Remote Low Single system None Partial None
IBM Maximo Asset Management 7.1 through 7.1.1.13, 7.5.0 before 7.5.0.8 IFIX005, and 7.6.0 before 7.6.0.2 FP002; Maximo Asset Management 7.5.0 before 7.5.0.8 IFIX005, 7.5.1, and 7.6.0 before 7.6.0.2 FP002 for SmartCloud Control Desk; and Maximo Asset Management 7.1 through 7.1.1.13 and 7.2 for Tivoli IT Asset Management for IT and certain other products allow remote authenticated users to bypass intended work-order change restrictions via unspecified vectors.
15 CVE-2015-5051 264 Bypass 2016-01-03 2016-01-06
4.0
None Remote Low Single system Partial None None
IBM Maximo Asset Management 7.5 before 7.5.0.8 IF6 and 7.6 before 7.6.0.2 IF1 and Maximo Asset Management 7.5 before 7.5.0.8 IF6, 7.5.1, and 7.6 before 7.6.0.2 IF1 for SmartCloud Control Desk allow remote authenticated users to bypass intended access restrictions on query results via unspecified vectors.
16 CVE-2015-5024 200 +Info 2015-10-05 2015-10-07
4.0
None Remote Low Single system Partial None None
IBM Emptoris Sourcing 10.0.2.0 before iFix6, 10.0.2.2 before iFix11, 10.0.2.3, 10.0.2.5 before iFix4, 10.0.2.6 before iFix8, 10.0.2.7 before iFix1, and 10.0.4.x before iFix2 allows remote authenticated users to obtain sensitive supplier-bid information via unspecified vectors.
17 CVE-2015-5022 200 +Info 2015-10-05 2015-10-07
4.3
None Remote Medium Not required Partial None None
IBM Multi-Enterprise Integration Gateway 1.x through 1.0.0.1 and B2B Advanced Communications 1.0.0.2 and 1.0.0.3 before 1.0.0.3_2, when access by guests is enabled, place an internal hostname and a payload path in a response, which allows remote authenticated users to obtain sensitive information by leveraging a trading-partner relationship and reading response fields.
18 CVE-2015-5020 264 Bypass 2016-01-02 2016-01-06
4.0
None Remote Low Single system None Partial None
The Big SQL component in IBM InfoSphere BigInsights 3.0, 3.0.0.1, 3.0.0.2, and 4.0 allows remote authenticated users to bypass intended access restrictions and truncate arbitrary tables via unspecified vectors.
19 CVE-2015-5008 79 XSS 2016-01-18 2016-01-21
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in IBM WebSphere Commerce 6.0 through FP11, 6.0 Feature Pack 4, 7.0 through FP9, 7.0 Feature Pack 5 through 8, and 8.0 before 8.0.0.1 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.
20 CVE-2015-5004 200 +Info 2015-12-15 2015-12-16
4.0
None Remote Low Single system Partial None None
The Edge Component Caching Proxy in IBM WebSphere Application Server (WAS) 8.0 before 8.0.0.12 and 8.5 before 8.5.5.8 does not properly encrypt data, which allows remote authenticated users to obtain sensitive information via unspecified vectors.
21 CVE-2015-5002 79 XSS 2016-01-18 2016-01-21
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in IBM Host On-Demand 11.0 through 11.0.14 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.
22 CVE-2015-4998 79 XSS 2015-12-21 2015-12-21
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 6.1.0 through 6.1.0.6 CF27, 6.1.5 through 6.1.5.3 CF27, 7.0.0 through 7.0.0.2 CF29, 8.0.0 before 8.0.0.1 CF19, and 8.5.0 before CF08 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, a different vulnerability than CVE-2015-4993.
23 CVE-2015-4993 79 XSS 2015-12-21 2015-12-21
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 6.1.0 through 6.1.0.6 CF27, 6.1.5 through 6.1.5.3 CF27, 7.0.0 through 7.0.0.2 CF29, 8.0.0 before 8.0.0.1 CF19, and 8.5.0 before CF08 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, a different vulnerability than CVE-2015-4998.
24 CVE-2015-4980 200 +Info 2015-09-14 2015-09-15
4.0
None Remote Low Single system Partial None None
Unspecified vulnerability in IBM WebSphere Commerce 7.0.0.6 through 7.0.0.9 allows remote authenticated users to obtain sensitive personal information via unknown vectors.
25 CVE-2015-4973 79 XSS 2015-10-05 2015-10-07
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in IBM Multi-Enterprise Integration Gateway 1.x through 1.0.0.1 and B2B Advanced Communications 1.0.0.2 and 1.0.0.3 before 1.0.0.3_2 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.
26 CVE-2015-4965 200 +Info 2015-10-05 2015-10-06
4.0
None Remote Low Single system Partial None None
maximouiweb/webmodule/webclient/utility/merlin.jsp in IBM Maximo Asset Management 7.1 through 7.1.1.13, 7.5.0 before 7.5.0.8 IFIX004, and 7.6.0 before 7.6.0.1 IFIX002; Maximo Asset Management 7.5.x before 7.5.0.8 IFIX004 and 7.6.0 before 7.6.0.1 IFIX002 for SmartCloud Control Desk; and Maximo Asset Management 7.1 through 7.1.1.13 and 7.2 for Tivoli IT Asset Management for IT and certain other products allows remote authenticated users to obtain sensitive information by reading a (1) backup or (2) debug application file.
27 CVE-2015-4959 79 XSS 2016-01-18 2016-01-20
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in IBM Tivoli Federated Identity Manager (TFIM) 6.2.2 before FP16 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.
28 CVE-2015-4950 200 +Info 2015-08-23 2015-08-24
4.0
None Remote Low Single system Partial None None
The mailbox-restore feature in IBM Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange Server 6.1 before 6.1.3.6, 6.3 before 6.3.1.3, 6.4 before 6.4.1.4, and 7.1 before 7.1.0.2; Tivoli Storage FlashCopy Manager: FlashCopy Manager for Microsoft Exchange Server 2.1, 2.2, 3.1 before 3.1.1.5, 3.2 before 3.2.1.7, and 4.1 before 4.1.1; and Tivoli Storage Manager FastBack for Microsoft Exchange 6.1 before 6.1.5.4 does not ensure that the correct mailbox is selected, which allows remote authenticated users to obtain sensitive information via a duplicate alias name.
29 CVE-2015-4939 79 XSS 2015-10-05 2015-10-07
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in IBM Emptoris Supplier Lifecycle Management and Emptoris Program Management 10.x before 10.0.1.4_iFix3, 10.0.2.x before 10.0.2.7_iFix1, 10.0.3.x before 10.0.3.2, and 10.0.4.x before 10.0.4.0_iFix1 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.
30 CVE-2015-4929 200 Bypass +Info 2015-10-10 2015-10-13
4.0
None Remote Low Single system Partial None None
IBM License Metric Tool 9 before 9.2.1.0 and Endpoint Manager for Software Use Analysis 9 before 9.2.1.0 allow remote authenticated users to bypass intended access restrictions and obtain sensitive information via a REST API request.
31 CVE-2015-2808 310 2015-03-31 2015-08-17
4.3
None Remote Medium Not required Partial None None
The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, aka the "Bar Mitzvah" issue.
32 CVE-2015-2029 2015-10-03 2015-10-05
4.3
None Remote Medium Not required None Partial None
Session fixation vulnerability in IBM WebSphere eXtreme Scale 7.1.0 before 7.1.0.3 and 7.1.1 before 7.1.1.1 allows remote attackers to hijack web sessions via a session identifier.
33 CVE-2015-2028 Http R.Spl. 2015-10-03 2015-10-05
4.3
None Remote Medium Not required None Partial None
CRLF injection vulnerability in IBM WebSphere eXtreme Scale 7.1.0 before 7.1.0.3 and 7.1.1 before 7.1.1.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL.
34 CVE-2015-2025 200 +Info 2015-10-03 2015-10-05
4.3
None Remote Medium Not required Partial None None
IBM WebSphere eXtreme Scale 7.1.0 before 7.1.0.3 and 7.1.1 before 7.1.1.1 does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session.
35 CVE-2015-2017 Http R.Spl. 2015-11-08 2015-11-09
4.3
None Remote Medium Not required None Partial None
CRLF injection vulnerability in IBM WebSphere Application Server (WAS) 6.1 through 6.1.0.47, 7.0 before 7.0.0.39, 8.0 before 8.0.0.12, and 8.5 before 8.5.5.8 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL.
36 CVE-2015-2015 79 XSS 2015-08-22 2015-08-24
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in pubnames.ntf (aka the Directory template) in the web server in IBM Domino before 9.0.0 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka SPR KLYH8WBPRN.
37 CVE-2015-2007 22 Dir. Trav. 2016-01-02 2016-01-07
4.0
None Remote Low Single system Partial None None
Directory traversal vulnerability in IBM Security QRadar SIEM 7.2.x before 7.2.5 Patch 6 allows remote authenticated users to read arbitrary files via a crafted URL.
38 CVE-2015-1995 79 XSS 2015-11-08 2015-11-09
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in IBM Security QRadar Incident Forensics 7.2.x before 7.2.5 Patch 5 allow remote attackers to inject arbitrary web script or HTML via a crafted URL.
39 CVE-2015-1984 264 Bypass 2015-07-19 2015-07-20
4.0
None Remote Low Single system Partial None None
IBM InfoSphere Master Data Management Collaborative Edition 9.1, 10.1, 11.0, 11.3, and 11.4 before FP03 allows remote authenticated users to bypass intended access restrictions and read arbitrary profiles via unspecified vectors, as demonstrated by discovering usernames for use in brute-force attacks.
40 CVE-2015-1982 200 +Info 2015-07-19 2015-07-20
4.0
None Remote Low Single system Partial None None
IBM InfoSphere Master Data Management Collaborative Edition 9.1, 10.1, 11.0, 11.3, and 11.4 before FP03 allows remote authenticated users to obtain sensitive information via a crafted request, which reveals the full path in an error message.
41 CVE-2015-1978 79 XSS 2015-06-28 2015-06-29
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in IBM Tivoli Security Directory Server 6.0 before iFix 75, 6.1 before iFix 68, 6.2 before iFix 44, 6.3 before iFix 37, 6.3.1 before iFix 11, and 6.4 before iFix 2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
42 CVE-2015-1972 200 +Info 2015-06-28 2015-06-29
4.3
None Remote Medium Not required Partial None None
IBM Tivoli Security Directory Server 6.0 before iFix 75, 6.1 before iFix 68, 6.2 before iFix 44, 6.3 before iFix 37, 6.3.1 before iFix 11, and 6.4 before iFix 2 allows remote attackers to obtain sensitive error-log information via a crafted POST request.
43 CVE-2015-1967 200 +Info 2015-07-01 2015-07-01
4.3
None Remote Medium Not required Partial None None
MQ Explorer in IBM WebSphere MQ before 8.0.0.3 does not recognize the absence of the compatibility-mode option, which allows remote attackers to obtain sensitive information by sniffing the network for a session in which TLS is not used.
44 CVE-2015-1966 79 XSS 2015-07-04 2015-07-08
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 before FP17, 6.2.1 before FP9, and 6.2.2 before FP15, as used in Security Access Manager for Mobile and other products, allow remote attackers to inject arbitrary web script or HTML via a crafted URL, related to the (1) ERROR_DESCRIPTION and (2) TOKEN:RelayState macros.
45 CVE-2015-1959 284 +Info 2015-06-28 2015-06-29
4.6
None Local Low Not required Partial Partial Partial
IBM Tivoli Security Directory Server 6.0 before iFix 75, 6.1 before iFix 68, 6.2 before iFix 44, 6.3 before iFix 37, 6.3.1 before iFix 11, and 6.4 before iFix 2 does not properly restrict encrypted files, which allows local users to obtain sensitive information or possibly have unspecified other impact via a (1) download or (2) upload action.
46 CVE-2015-1950 255 Bypass 2015-07-01 2015-07-01
4.6
None Local Low Not required Partial Partial Partial
IBM PowerVC Standard Edition 1.2.2.1 through 1.2.2.2 does not require authentication for access to the Python interpreter with nova credentials, which allows KVM guest OS users to discover certain PowerVC credentials and bypass intended access restrictions via unspecified Python code.
47 CVE-2015-1946 264 +Priv 2015-07-14 2015-07-16
4.4
None Local Medium Not required Partial Partial Partial
IBM WebSphere Application Server (WAS) 8.5 before 8.5.5.6, and WebSphere Virtual Enterprise 7.0 before 7.0.0.6 for WebSphere Application Server (WAS) 7.0 and 8.0, does not properly implement user roles, which allows local users to gain privileges via unspecified vectors.
48 CVE-2015-1919 79 XSS 2015-06-30 2015-07-01
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in IBM Security QRadar Incident Forensics before 7.2.5 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.
49 CVE-2015-1917 79 XSS 2015-07-14 2015-07-14
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Active Content Filtering component in IBM WebSphere Portal 6.1.0 through 6.1.0.6 CF27, 6.1.5 through 6.1.5.3 CF27, 7.0.0 through 7.0.0.2 CF29, 8.0.0 before 8.0.0.1 CF17, and 8.5.0 before CF06 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.
50 CVE-2015-1915 200 +Info 2015-05-24 2015-05-26
4.3
None Remote Medium Not required Partial None None
The Endpoint Manager for Remote Control component in IBM Tivoli Endpoint Manager for Lifecycle Management 9.0.1 before IF6 and 9.1.0 before IF6 does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session.
Total number of vulnerabilities : 694   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13 14
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.