IBM : Security Vulnerabilities (CVSS score between 4 and 4.99)

Each entry below lists: #, CVE ID, CWE ID, Vulnerability Type(s) where the database assigns one, Publish Date and Update Date; then the CVSS Score, Gained Access Level, Access, Access Complexity, Authentication and the Conf./Integ./Avail. impacts; then the description. The "# of Exploits" column is empty for every entry on this page.

1. CVE-2017-1171 | CWE-284 | Published 2017-03-31 | Updated 2017-04-04
   CVSS 4.0 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Single system | Conf/Integ/Avail: None/Partial/None
   The IBM TRIRIGA Application Platform 3.3, 3.4, and 3.5 contain a vulnerability that could allow an authenticated user to execute Application actions they do not have access to. IBM Reference #: 2001083.

2. CVE-2017-1155 | CWE-200 (+Info) | Published 2017-03-20 | Updated 2017-03-23
   CVSS 4.0 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Single system | Conf/Integ/Avail: Partial/None/None
   IBM Algorithmics One-Algo Risk Application 4.9.1, 5.0, and 5.1.0 could allow a user to gain access to another user's reports using a specially crafted HTTP request. IBM Reference #: 1999754.

3. CVE-2017-1154 | CWE-200 (+Info) | Published 2017-03-31 | Updated 2017-04-04
   CVSS 4.0 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Single system | Conf/Integ/Avail: Partial/None/None
   IBM Algorithmics One-Algo Risk Application 4.9.1, 5.0, and 5.1.0 could allow a user to gain access to files in the local environment which should not be viewed by application users. IBM Reference #: 1999892.

4. CVE-2017-1152 | CWE-384 | Published 2017-04-14 | Updated 2017-04-21
   CVSS 4.0 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Single system | Conf/Integ/Avail: Partial/None/None
   IBM Financial Transaction Manager 3.0.1 and 3.0.2 does not properly update the SESSIONID with each request, which could allow a user to obtain the ID in further attacks against the system. IBM X-Force ID: 122293.

5. CVE-2017-1142 | CWE-200 (+Info) | Published 2017-03-27 | Updated 2017-03-31
   CVSS 4.0 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Single system | Conf/Integ/Avail: Partial/None/None
   IBM Kenexa LCMS Premier on Cloud 9.x and 10.0 could allow a remote attacker to obtain sensitive information, caused by the failure to set the secure flag for the session cookie in SSL mode. By intercepting its transmission within an HTTP session, an attacker could exploit this vulnerability to capture the cookie and obtain sensitive information. IBM Reference #: 1998874.

6. CVE-2017-1120 | CWE-79 (XSS) | Published 2017-03-27 | Updated 2017-03-29
   CVSS 4.3 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf/Integ/Avail: None/Partial/None
   IBM WebSphere Portal 8.5 and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM Reference #: 2000152.

7. CVE-2016-9990 | CWE-79 (XSS) | Published 2017-03-31 | Updated 2017-04-04
   CVSS 4.3 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf/Integ/Avail: None/Partial/None
   IBM iNotes 8.5 and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM Reference #: 1998824.

8. CVE-2016-9978 | CWE-200 (+Info) | Published 2017-04-20 | Updated 2017-04-26
   CVSS 4.0 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Single system | Conf/Integ/Avail: Partial/None/None
   IBM Curam Social Program Management 5.2, 6.0, and 7.0 could allow an authenticated attacker to disclose sensitive information. IBM X-Force ID: 120254.

9. CVE-2016-9748 | CWE-200 (+Info) | Published 2017-02-08 | Updated 2017-02-15
   CVSS 4.0 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Single system | Conf/Integ/Avail: Partial/None/None
   IBM Rational DOORS Next Generation 5.0 and 6.0 discloses sensitive information in error response messages that could be used for further attacks against the system.

10. CVE-2016-9730 | CWE-352 (CSRF) | Published 2017-03-07 | Updated 2017-03-09
   CVSS 4.3 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf/Integ/Avail: None/Partial/None
   IBM QRadar Incident Forensics 7.2 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM Reference #: 1999549.

11. CVE-2016-9723 | CWE-79 (XSS) | Published 2017-03-07 | Updated 2017-03-09
   CVSS 4.3 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf/Integ/Avail: None/Partial/None
   IBM QRadar 7.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM Reference #: 1999534.

12. CVE-2016-9704 | CWE-79 (XSS) | Published 2017-02-01 | Updated 2017-02-09
   CVSS 4.3 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf/Integ/Avail: None/Partial/None
   IBM Security Identity Manager Virtual Appliance is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

13. CVE-2016-9010 | CWE-254 | Published 2017-02-15 | Updated 2017-03-06
   CVSS 4.3 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf/Integ/Avail: None/Partial/None
   IBM WebSphere Message Broker 9.0 and 10.0 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. IBM Reference #: 1997906.

14. CVE-2016-9009 | CWE-20 (DoS) | Published 2017-02-24 | Updated 2017-03-01
   CVSS 4.0 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Single system | Conf/Integ/Avail: None/None/Partial
   IBM WebSphere MQ 8.0 could allow an authenticated user with authority to create a cluster object to cause a denial of service to MQ clustering. IBM Reference #: 1998647.

15. CVE-2016-9000 | CWE-79 (XSS) | Published 2017-02-01 | Updated 2017-02-14
   CVSS 4.3 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf/Integ/Avail: None/Partial/None
   IBM InfoSphere DataStage is vulnerable to cross-frame scripting, caused by insufficient HTML iframe protection. A remote attacker could exploit this vulnerability using a specially-crafted URL to navigate to a web page the attacker controls. An attacker could use this vulnerability to conduct clickjacking or other client-side browser attacks.

16. CVE-2016-8986 | CWE-284 | Published 2017-02-22 | Updated 2017-03-01
   CVSS 4.0 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Single system | Conf/Integ/Avail: None/None/Partial
   IBM WebSphere MQ 8.0 could allow an authenticated user with access to the queue manager to bring down MQ channels using specially crafted HTTP requests. IBM Reference #: 1998648.

17. CVE-2016-8973 | CWE-434 | Published 2017-03-20 | Updated 2017-03-23
   CVSS 4.0 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Single system | Conf/Integ/Avail: None/Partial/None
   IBM Rhapsody DM 4.0, 5.0 and 6.0 contains an undisclosed vulnerability that may allow an authenticated user to upload infected malicious files to the server. IBM Reference #: 1999960.

18. CVE-2016-8966 | CWE-200 (+Info) | Published 2017-02-01 | Updated 2017-02-13
   CVSS 4.3 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf/Integ/Avail: Partial/None/None
   IBM BigFix Inventory v9 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques.

19. CVE-2016-8944 | CWE-20 | Published 2017-02-15 | Updated 2017-02-17
   CVSS 4.9 | Gained access: None | Access: Local | Complexity: Low | Authentication: Not required | Conf/Integ/Avail: None/None/Complete
   IBM AIX 7.1 and 7.2 allows a local user to open a file with a specially crafted argument that would crash the system. IBM APARs: IV91488, IV91487, IV91456, IV90234.

20. CVE-2016-8940 | CWE-200 (+Info) | Published 2017-03-07 | Updated 2017-03-14
   CVSS 4.0 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Single system | Conf/Integ/Avail: Partial/None/None
   IBM Tivoli Storage Manager (IBM Spectrum Protect) 6.1, 6.2, 6.3, and 7.1 does not perform sufficient authority checking on SQL queries. As a result, an attacker is able to submit SQL queries that access database tables that are not intended for access or use by administrators. The access of these product specific database tables may allow access to passwords or other sensitive information for the product. IBM Reference #: 1998946.

21. CVE-2016-8936 | CWE-79 (XSS) | Published 2017-02-01 | Updated 2017-02-15
   CVSS 4.3 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf/Integ/Avail: None/Partial/None
   IBM Social Rendering Templates for Digital Data Connector is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

22. CVE-2016-8933 | CWE-22 (Dir. Trav.) | Published 2017-02-01 | Updated 2017-02-07
   CVSS 4.0 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Single system | Conf/Integ/Avail: Partial/None/None
   IBM Kenexa LMS on Cloud could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system.

23. CVE-2016-8926 | CWE-200 (+Info) | Published 2017-04-14 | Updated 2017-04-20
   CVSS 4.0 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Single system | Conf/Integ/Avail: Partial/None/None
   IBM Tivoli Application Dependency Discovery Manager 7.2.2 and 7.3 could allow a remote attacker to read system files or data that is restricted to authorized users. IBM X-Force ID: 118539.

24. CVE-2016-8923 | CWE-200 (+Info) | Published 2017-04-20 | Updated 2017-04-26
   CVSS 4.0 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Single system | Conf/Integ/Avail: Partial/None/None
   IBM Curam Social Program Management 5.2, 6.0, and 7.0 contains a vulnerability that would allow an authorized user to obtain sensitive information from the profile of a higher privileged user that they should not have access to. IBM X-Force ID: 118536.

25. CVE-2016-8922 | CWE-79 (XSS) | Published 2017-02-01 | Updated 2017-02-28
   CVSS 4.3 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf/Integ/Avail: None/Partial/None
   Exphox WebRadar is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

26. CVE-2016-8918 | CWE-255 | Published 2017-02-01 | Updated 2017-02-09
   CVSS 4.3 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf/Integ/Avail: None/Partial/None
   IBM Integration Bus, under non-default configurations, could allow a remote user to authenticate without providing valid credentials.

27. CVE-2016-8915 | CWE-284 | Published 2017-02-22 | Updated 2017-03-01
   CVSS 4.0 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Single system | Conf/Integ/Avail: None/None/Partial
   IBM WebSphere MQ 8.0 could allow an authenticated user with access to the queue manager and queue to deny service to other channels running under the same process. IBM Reference #: 1998649.

28. CVE-2016-8913 | CWE-22 (Dir. Trav.) | Published 2017-02-01 | Updated 2017-02-07
   CVSS 4.0 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Single system | Conf/Integ/Avail: Partial/None/None
   IBM Kenexa LMS on Cloud 13.1 and 13.2 through 13.2.4 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system.

29. CVE-2016-8912 | CWE-532 | Published 2017-02-01 | Updated 2017-02-07
   CVSS 4.0 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Single system | Conf/Integ/Avail: Partial/None/None
   IBM Kenexa LMS on Cloud 13.1 and 13.2 through 13.2.4 stores potentially sensitive information in log files that could be read by an authenticated user.

30. CVE-2016-8232 | CWE-79 (XSS) | Published 2017-03-01 | Updated 2017-03-15
   CVSS 4.3 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf/Integ/Avail: None/Partial/None
   Document Object Model (DOM)-based cross-site scripting vulnerability in the Advanced Management Module (AMM) versions earlier than 66Z of Lenovo IBM BladeCenter HS22, HS22V, HS23, HS23E, HX5 allows an unauthenticated attacker with access to the AMM's IP address to send a crafted URL that could inject a malicious script to access a user's AMM data such as cookies or other session information.

31. CVE-2016-6126 | CWE-22 (Dir. Trav.) | Published 2017-02-01 | Updated 2017-02-07
   CVSS 4.0 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Single system | Conf/Integ/Avail: Partial/None/None
   IBM Kenexa LMS on Cloud 13.1 and 13.2 through 13.2.4 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system.

32. CVE-2016-6122 | CWE-200 (+Info) | Published 2017-02-01 | Updated 2017-02-08
   CVSS 4.0 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Single system | Conf/Integ/Avail: Partial/None/None
   IBM Kenexa LMS on Cloud 13.1 and 13.2 through 13.2.4 discloses answers to security questions in a response to authenticated users.

33. CVE-2016-6116 | CWE-200 (+Info) | Published 2017-02-02 | Updated 2017-02-07
   CVSS 4.3 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf/Integ/Avail: Partial/None/None
   IBM Tivoli Key Lifecycle Manager 2.5 and 2.6 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques.

34. CVE-2016-6113 | CWE-79 (XSS) | Published 2017-02-01 | Updated 2017-02-05
   CVSS 4.3 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf/Integ/Avail: None/Partial/None
   IBM Verse is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

35. CVE-2016-6102 | CWE-200 (+Info) | Published 2017-03-27 | Updated 2017-03-29
   CVSS 4.3 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf/Integ/Avail: Partial/None/None
   IBM Tivoli Key Lifecycle Manager 2.5 and 2.6 stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. IBM Reference #: 2000359.

36. CVE-2016-6096 | CWE-79 (XSS) | Published 2017-02-07 | Updated 2017-02-09
   CVSS 4.3 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf/Integ/Avail: None/Partial/None
   IBM Tivoli Key Lifecycle Manager 2.0.1, 2.5, and 2.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

37. CVE-2016-6094 | CWE-200 (+Info) | Published 2017-02-07 | Updated 2017-02-09
   CVSS 4.0 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Single system | Conf/Integ/Avail: Partial/None/None
   IBM Tivoli Key Lifecycle Manager 2.0.1, 2.5, and 2.6 generates an error message that includes sensitive information about its environment, users, or associated data.

38. CVE-2016-6062 | CWE-79 (XSS) | Published 2017-02-16 | Updated 2017-02-22
   CVSS 4.3 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf/Integ/Avail: None/Partial/None
   IBM Resilient v26.0, v26.1, and v26.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM Reference #: 213457065.

39. CVE-2016-6060 | CWE-200 (+Info) | Published 2017-02-15 | Updated 2017-02-17
   CVSS 4.0 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Single system | Conf/Integ/Avail: Partial/None/None
   An undisclosed vulnerability in IBM Rational DOORS Next Generation 4.0, 5.0, and 6.0 could allow a JazzGuest user to see project names. IBM Reference #: 1995547.

40. CVE-2016-6044 | CWE-284 | Published 2017-02-01 | Updated 2017-02-09
   CVSS 4.0 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Single system | Conf/Integ/Avail: None/Partial/None
   IBM Tivoli Storage Manager Operations Center could allow an authenticated attacker to enable or disable the application's REST API, which may let the attacker violate security policy.

41. CVE-2016-6043 | CWE-384 | Published 2017-02-01 | Updated 2017-02-09
   CVSS 4.4 | Gained access: None | Access: Local | Complexity: Medium | Authentication: Not required | Conf/Integ/Avail: Partial/Partial/Partial
   Tivoli Storage Manager Operations Center could allow a local user to take over a previously logged in user due to session expiration not being enforced.

42. CVE-2016-6038 | CWE-22 (Dir. Trav.) | Published 2016-09-26 | Updated 2016-11-28
   CVSS 4.0 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Single system | Conf/Integ/Avail: Partial/None/None
   Directory traversal vulnerability in Eclipse Help in IBM Tivoli Lightweight Infrastructure (aka LWI), as used in AIX 5.3, 6.1, and 7.1, allows remote authenticated users to read arbitrary files via a crafted URL.

43. CVE-2016-6034 | CWE-200 (+Info) | Published 2017-02-01 | Updated 2017-02-13
   CVSS 4.0 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Single system | Conf/Integ/Avail: Partial/None/None
   IBM Tivoli Storage Manager for Virtual Environments (VMware) could disclose the Windows domain credentials to a user with a high level of privileges.

44. CVE-2016-6028 | CWE-264 | Published 2017-02-01 | Updated 2017-02-07
   CVSS 4.0 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Single system | Conf/Integ/Avail: Partial/None/None
   IBM Jazz technology based products might allow an attacker to view work item titles that they do not have privilege to view.

45. CVE-2016-6025 | CWE-264 | Published 2016-10-06 | Updated 2016-11-28
   CVSS 4.6 | Gained access: None | Access: Local | Complexity: Low | Authentication: Not required | Conf/Integ/Avail: Partial/Partial/Partial
   The Configuration Manager in IBM Sterling Secure Proxy (SSP) 3.4.2 before 3.4.2.0 iFix 8 and 3.4.3 before 3.4.3.0 iFix 1 allows remote attackers to obtain access by leveraging an unattended workstation to conduct a post-logoff session-reuse attack involving a modified URL.

46. CVE-2016-6000 | CWE-79 (XSS) | Published 2017-02-01 | Updated 2017-02-08
   CVSS 4.3 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf/Integ/Avail: None/Partial/None
   IBM TRIRIGA Application Platform is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

47. CVE-2016-5997 | CWE-640 | Published 2016-09-26 | Updated 2016-11-28
   CVSS 4.0 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Single system | Conf/Integ/Avail: None/Partial/None
   The web portal in IBM Tealeaf Customer Experience before 8.7.1.8847 FP10, 8.8 before 8.8.0.9049 FP9, 9.0.0 and 9.0.1 before 9.0.1.1117 FP5, 9.0.1A before 9.0.1.5108_9.0.1A FP5, 9.0.2 before 9.0.2.1223 FP3, and 9.0.2A before 9.0.2.5224_9.0.2A FP3 does not apply password-quality rules to password changes, which makes it easier for remote attackers to obtain access via a brute-force attack.

48. CVE-2016-5994 | CWE-200 (+Info) | Published 2017-02-01 | Updated 2017-02-13
   CVSS 4.0 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Single system | Conf/Integ/Avail: Partial/None/None
   IBM InfoSphere Information Server contains a vulnerability that would allow an authenticated user to browse any file on the engine tier, and examine its contents.

49. CVE-2016-5991 | CWE-264 (+Priv) | Published 2016-11-24 | Updated 2016-11-28
   CVSS 4.4 | Gained access: None | Access: Local | Complexity: Medium | Authentication: Not required | Conf/Integ/Avail: Partial/Partial/Partial
   IBM Sterling Connect:Direct 4.5.00, 4.5.01, 4.6.0 before 4.6.0.6 iFix008, and 4.7.0 before 4.7.0.4 on Windows allows local users to gain privileges via unspecified vectors.

50. CVE-2016-5988 | CWE-200 (+Info) | Published 2017-02-01 | Updated 2017-02-07
   CVSS 4.0 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Single system | Conf/Integ/Avail: Partial/None/None
   IBM Security Privileged Identity Manager Virtual Appliance could disclose sensitive information in generated error messages that would be available to an authenticated user.
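Five of the entries above share one root cause: a response-header protection the server never sent. CVE-2017-1142 is a session cookie without the Secure flag, CVE-2016-8966 and CVE-2016-6116 are HSTS not enabled, and CVE-2016-9010 and CVE-2016-9000 are pages that can be framed for clickjacking. The audit routine below is an added example written for this page, not code from CVEdetails or from any IBM product. The three responses it inspects are constructed samples; the set of cookie names it treats as session cookies and the one-year minimum for the HSTS max-age are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample responses (not captured from any IBM product).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: JSESSIONID=0000abcdef; Path=/\r\n"
    "\r\n"
    "<html>...</html>"
)
PARTIAL_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: JSESSIONID=0000abcdef; Path=/; Secure\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "Content-Security-Policy: frame-ancestors 'none'\r\n"
    "\r\n"
    "<html>...</html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: JSESSIONID=0000abcdef; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Frame-Options: DENY\r\n"
    "\r\n"
    "<html>...</html>"
)

# Assumption: cookies with these names carry the session; adjust per product.
SESSION_COOKIE_NAMES = {"jsessionid", "sessionid", "phpsessid", "session"}
# Assumption: one year is the shortest HSTS max-age worth accepting.
MIN_HSTS_MAX_AGE = 31536000


def parse_response(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw response head into the status line and (name, value) pairs.
    A list, not a dict, because Set-Cookie legitimately repeats."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def audit_headers(raw: str, over_tls: bool = True) -> List[str]:
    """Return the weaknesses found; an empty list means every check passed."""
    findings: List[str] = []
    _, headers = parse_response(raw)
    by_name: Dict[str, List[str]] = {}
    for name, value in headers:
        by_name.setdefault(name, []).append(value)

    # 1. Session cookies need Secure on TLS (CVE-2017-1142) and HttpOnly, so they
    #    are neither sent over plaintext nor readable by injected script.
    for cookie in by_name.get("set-cookie", []):
        parts = [p.strip() for p in cookie.split(";")]
        name = parts[0].split("=", 1)[0].strip()
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if name.lower() in SESSION_COOKIE_NAMES:
            if over_tls and "secure" not in attrs:
                findings.append(f"cookie {name} lacks Secure")
            if "httponly" not in attrs:
                findings.append(f"cookie {name} lacks HttpOnly")

    # 2. HSTS must be present with a long max-age (CVE-2016-8966, CVE-2016-6116).
    #    Browsers only honour it on a TLS response, so skip the check otherwise.
    if over_tls:
        hsts = by_name.get("strict-transport-security", [])
        if not hsts:
            findings.append("missing Strict-Transport-Security")
        else:
            match = re.search(r"max-age\s*=\s*(\d+)", hsts[0], re.I)
            if match is None or int(match.group(1)) < MIN_HSTS_MAX_AGE:
                findings.append("Strict-Transport-Security max-age below one year")

    # 3. X-Frame-Options or a CSP frame-ancestors directive stops the page being
    #    framed for clickjacking (CVE-2016-9010, CVE-2016-9000).
    csp = " ".join(by_name.get("content-security-policy", [])).lower()
    if not by_name.get("x-frame-options") and "frame-ancestors" not in csp:
        findings.append("no X-Frame-Options or CSP frame-ancestors")
    return findings


if __name__ == "__main__":
    for label, raw in [("weak", WEAK_RESPONSE), ("partial", PARTIAL_RESPONSE),
                       ("hardened", HARDENED_RESPONSE)]:
        print(label, audit_headers(raw) or "ok")
```

Run it against a real host by pasting the head of a `curl -si https://host/` response into `audit_headers`; pass `over_tls=False` for a plaintext listener so the TLS-only checks do not fire.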
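Four entries (CVE-2016-8933, CVE-2016-8913, CVE-2016-6126, CVE-2016-6038) are directory traversal through "dot dot" sequences in a URL. The fix is not to search the string for "../", which misses percent-encoded and backslash forms, but to resolve the requested path under the document root and refuse anything that ends up outside it. The routine below is an added example written for this page, not code from CVEdetails or from any IBM product; the document root and the probe requests are constructed for the demonstration.

```python
import tempfile
from pathlib import Path
from typing import Dict
from urllib.parse import unquote


class TraversalError(ValueError):
    """Raised when a client-supplied path would leave the document root."""


def resolve_under(base_dir: str, requested: str) -> Path:
    """Map a client-supplied relative path onto base_dir and refuse anything
    that escapes it.

    Percent-encoding is decoded exactly once (the same number of times the
    front end decodes it; decoding more re-opens the hole), backslashes are
    treated as separators, and the fully resolved path (symlinks followed)
    must still sit under the resolved base. Any '..' component is rejected
    outright as a cheap first filter; the relative_to() check is the guarantee.
    """
    base = Path(base_dir).resolve()
    decoded = unquote(requested).replace("\\", "/")
    if decoded.startswith("/") or ".." in Path(decoded).parts:
        raise TraversalError(requested)
    candidate = (base / decoded).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise TraversalError(requested) from None
    return candidate


# Constructed probes: the plain form the advisories describe, plus encoded,
# absolute and backslash variants that a naive "../" string check misses.
PROBE_REQUESTS = [
    "docs/readme.txt",
    "../../etc/passwd",
    "docs/..%2f..%2fetc/passwd",
    "docs/%2e%2e/%2e%2e/etc/passwd",
    "/etc/passwd",
    "docs\\..\\..\\etc\\passwd",
]


def demo_traversal() -> Dict[str, str]:
    """Build a throwaway document root with one file and run every probe
    through resolve_under(); returns the file content or 'REJECTED'."""
    root = tempfile.mkdtemp()
    (Path(root) / "docs").mkdir()
    (Path(root) / "docs" / "readme.txt").write_text("hello")
    results: Dict[str, str] = {}
    for req in PROBE_REQUESTS:
        try:
            results[req] = resolve_under(root, req).read_text()
        except TraversalError:
            results[req] = "REJECTED"
    return results


if __name__ == "__main__":
    for req, outcome in demo_traversal().items():
        print(f"{req!r:40} -> {outcome}")
```

The decode-once rule matters in practice: if a reverse proxy or servlet container already decoded the URL before the application sees it, decoding again turns `%252e%252e` into `..`, and the check has to be placed at whichever layer sees the final form.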
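Three entries are session-lifecycle failures rather than injection bugs: CVE-2017-1152 (the SESSIONID is not refreshed, so a captured value keeps working), CVE-2016-6043 (session expiration not enforced, so an idle login can be taken over) and CVE-2016-6025 (post-logoff session reuse from a modified URL). The store below is an added example written for this page, not code from CVEdetails or from any IBM product; it shows the three server-side guarantees that close those holes. The fifteen-minute idle timeout is an assumption.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumption: fifteen minutes without a request ends the session.
IDLE_TIMEOUT = 15 * 60


@dataclass
class Session:
    user: Optional[str]
    last_seen: float


class SessionStore:
    """Server-side session table. The clock is injectable so the timeout can
    be exercised without waiting."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _new_id() -> str:
        # 32 random bytes from the OS CSPRNG; never derived from user data or time.
        return secrets.token_urlsafe(32)

    def start_anonymous(self) -> str:
        sid = self._new_id()
        self._sessions[sid] = Session(user=None, last_seen=self._clock())
        return sid

    def login(self, sid: str, user: str) -> str:
        """Authenticate and return a fresh ID. The pre-login ID is dropped so a
        value captured or planted before authentication is worthless afterwards
        (CVE-2017-1152 is the class of bug where the ID survives this step)."""
        self._sessions.pop(sid, None)
        new_sid = self._new_id()
        self._sessions[new_sid] = Session(user=user, last_seen=self._clock())
        return new_sid

    def current_user(self, sid: str) -> Optional[str]:
        """Resolve an ID to a user, enforcing the idle timeout on the server
        rather than trusting the client to stop presenting the cookie
        (CVE-2016-6043). Each successful lookup slides the window."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        now = self._clock()
        if now - session.last_seen > IDLE_TIMEOUT:
            del self._sessions[sid]
            return None
        session.last_seen = now
        return session.user

    def logout(self, sid: str) -> None:
        """Destroy the server-side record, so a replayed URL or cookie after
        logoff (CVE-2016-6025) finds nothing."""
        self._sessions.pop(sid, None)


def demo_sessions() -> Dict[str, bool]:
    """Walk the three lifecycle guarantees with a fake clock; every value
    should be True."""
    now = [1_000_000.0]
    store = SessionStore(clock=lambda: now[0])
    out: Dict[str, bool] = {}

    pre = store.start_anonymous()
    post = store.login(pre, "alice")
    out["id_rotated_on_login"] = pre != post
    out["old_id_dead"] = store.current_user(pre) is None
    out["new_id_live"] = store.current_user(post) == "alice"

    now[0] += IDLE_TIMEOUT - 1
    out["live_within_timeout"] = store.current_user(post) == "alice"
    now[0] += IDLE_TIMEOUT - 1
    out["window_slides_with_activity"] = store.current_user(post) == "alice"
    now[0] += IDLE_TIMEOUT + 1
    out["expired_after_idle"] = store.current_user(post) is None

    sid = store.login(store.start_anonymous(), "bob")
    store.logout(sid)
    out["dead_after_logout"] = store.current_user(sid) is None
    return out


if __name__ == "__main__":
    for check, ok in demo_sessions().items():
        print(f"{check:32} {'pass' if ok else 'FAIL'}")
```

Note that the client-side cookie expiry is irrelevant to any of these checks: all three guarantees hold because the server forgets the ID, which is what the affected products failed to do.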
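The largest group on this page after XSS is broken object-level authorization: CVE-2017-1155 (another user's reports via a crafted request), CVE-2016-8923 (a higher-privileged user's profile), CVE-2016-6028 (work item titles the caller may not view) and CVE-2017-1171 (actions the caller is not entitled to). The handler pair below is an added example written for this page, not code from CVEdetails or from any IBM product; it puts the vulnerable shape (look up by the id the client sent) beside the fixed one (authorize against the identity from the session). The report fixture and the "auditor" read-all role are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple
from urllib.parse import parse_qs


@dataclass(frozen=True)
class Report:
    report_id: int
    owner: str
    body: str


class Forbidden(Exception):
    pass


# Constructed fixture: two users, one report each.
REPORTS: Dict[int, Report] = {
    1001: Report(1001, "alice", "alice's risk report"),
    1002: Report(1002, "bob", "bob's risk report"),
}
# Assumption: an 'auditor' role may read every report.
READ_ALL_ROLES: FrozenSet[str] = frozenset({"auditor"})


def get_report_vulnerable(session_user: str, report_id: int) -> str:
    """Fetches by the client-supplied id alone. session_user is never consulted,
    so any authenticated user reads any report by changing one number in the
    request: the CVE-2017-1155 pattern."""
    return REPORTS[report_id].body


def get_report_fixed(session_user: str, report_id: int) -> str:
    """Authorizes against the identity from the session, not the request.
    Missing and not-yours produce the same error so ids cannot be enumerated."""
    report = REPORTS.get(report_id)
    if report is None or (report.owner != session_user
                          and session_user not in READ_ALL_ROLES):
        raise Forbidden(str(report_id))
    return report.body


def handle(session_user: str, query: str, fixed: bool) -> Tuple[int, str]:
    """Minimal dispatcher for GET /reports?id=N. The id is attacker-controlled;
    the user comes from the (already validated) session."""
    try:
        report_id = int(parse_qs(query).get("id", [""])[0])
    except ValueError:
        return 400, "bad id"
    try:
        lookup = get_report_fixed if fixed else get_report_vulnerable
        body = lookup(session_user, report_id)
    except Forbidden:
        return 403, "forbidden"
    except KeyError:
        return 404, "not found"
    return 200, body


def demo_reports() -> Dict[str, Tuple[int, str]]:
    """alice tampers with the id in both builds; the auditor and a bad id
    exercise the remaining branches."""
    return {
        "alice_own_vulnerable": handle("alice", "id=1001", fixed=False),
        "alice_bobs_vulnerable": handle("alice", "id=1002", fixed=False),
        "alice_own_fixed": handle("alice", "id=1001", fixed=True),
        "alice_bobs_fixed": handle("alice", "id=1002", fixed=True),
        "auditor_bobs_fixed": handle("auditor", "id=1002", fixed=True),
        "alice_missing_fixed": handle("alice", "id=9999", fixed=True),
        "alice_bad_id_fixed": handle("alice", "id=../1002", fixed=True),
    }


if __name__ == "__main__":
    for case, (status, body) in demo_reports().items():
        print(f"{case:24} {status} {body}")
```

The same shape applies to CVE-2017-1171: the action name or form field that selects an operation is just another client-supplied id, and the entitlement check has to run against the session user before the action is dispatched.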
Total number of vulnerabilities: 881 (page 1 of 18)