CVEdetails.com the ultimate security vulnerability data source

IBM : Security Vulnerabilities (CVSS score between 5 and 5.99)

# | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.
1 | CVE-2017-1398 | 601 | | +Info | 2017-07-10 | 2017-07-17 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None
IBM WebSphere Commerce Enterprise, Professional, Express, and Developer 6.0, 7.0, and 8.0 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim. IBM X-Force ID: 127385.
2 | CVE-2017-1379 | 200 | | +Info | 2017-06-15 | 2017-06-22 | 5.0 | None | Remote | Low | Not required | Partial | None | None
IBM API Connect 5.0.0.0 could allow a remote attacker to obtain sensitive information, caused by improper handling of requests to the Developer Portal. IBM X-Force ID: 127002.
3 | CVE-2017-1328 | 284 | | Bypass | 2017-06-27 | 2017-07-05 | 5.0 | None | Remote | Low | Not required | None | Partial | None
IBM API Connect 5.0.0.0 - 5.0.6.0 could allow a remote attacker to bypass security restrictions of the API, caused by improper handling of security policy. By crafting a suitable request, an attacker could exploit this vulnerability to bypass security and use the vulnerable API. IBM X-Force ID: 126230.
4 | CVE-2017-1319 | 326 | | | 2017-06-08 | 2017-07-07 | 5.0 | None | Remote | Low | Not required | Partial | None | None
IBM Tivoli Federated Identity Manager 6.2 is affected by a vulnerability due to a missing secure attribute in encrypted session (SSL) cookie. IBM X-Force ID: 125731.
5 | CVE-2017-1292 | 200 | | +Info | 2017-05-26 | 2017-05-31 | 5.0 | None | Remote | Low | Not required | Partial | None | None
IBM Maximo Asset Management 7.5 and 7.6 generates error messages that could reveal sensitive information that could be used in further attacks against the system. IBM X-Force ID: 125153.
6 | CVE-2017-1267 | 20 | | | 2017-07-21 | 2017-07-25 | 5.0 | None | Remote | Low | Not required | None | Partial | None
IBM Security Guardium 10.0 and 10.1 processes patches, image backups and other updates without sufficiently verifying the origin and integrity of the code. IBM X-Force ID: 124742.
7 | CVE-2017-1264 | 287 | | | 2017-07-05 | 2017-07-17 | 5.0 | None | Remote | Low | Not required | Partial | None | None
IBM Security Guardium 10.0 does not prove or insufficiently proves that the actor's identity is correct, which can lead to exposure of resources or functionality to unintended actors. IBM X-Force ID: 124739.
8 | CVE-2017-1254 | 611 | | | 2017-07-05 | 2017-07-17 | 5.5 | None | Remote | Low | Single system | Partial | None | Partial
IBM Security Guardium 10.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources. IBM X-Force ID: 124634.
9 | CVE-2017-1224 | 326 | | | 2017-07-19 | 2017-07-25 | 5.0 | None | Remote | Low | Not required | Partial | None | None
IBM Tivoli Endpoint Manager uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 123903.
10 | CVE-2017-1223 | 601 | | +Info | 2017-07-19 | 2017-07-25 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None
IBM Tivoli Endpoint Manager could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim. IBM X-Force ID: 123902.
11 | CVE-2017-1219 | 611 | | | 2017-07-19 | 2017-07-25 | 5.5 | None | Remote | Low | Single system | Partial | None | Partial
IBM Tivoli Endpoint Manager is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 123859.
12 | CVE-2017-1197 | 255 | | | 2017-06-15 | 2017-06-22 | 5.0 | None | Remote | Low | Not required | Partial | None | None
IBM BigFix Compliance (TEMA SUAv1 SCA SCM) uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 123672.
13 | CVE-2017-1196 | 254 | | | 2017-06-07 | 2017-06-14 | 5.0 | None | Remote | Low | Not required | Partial | None | None
IBM BigFix Compliance (TEMA SUAv1 SCA SCM) 1.9.70 does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts. IBM X-Force ID: 123671.
14 | CVE-2017-1183 | 89 | | Sql | 2017-07-17 | 2017-07-20 | 5.4 | None | Local Network | Medium | Not required | Partial | Partial | Partial
IBM Tivoli Monitoring Portal v6 could allow a local (network adjacent) attacker to modify SQL commands to the Portal Server, when default client-server communications, HTTP, are being used. IBM X-Force ID: 123494.
15 | CVE-2017-1182 | 77 | | Exec Code | 2017-07-17 | 2017-07-20 | 5.4 | None | Local Network | Medium | Not required | Partial | Partial | Partial
IBM Tivoli Monitoring Portal v6 could allow a local (network adjacent) attacker to execute arbitrary commands on the system, when default client-server communications, HTTP, are being used. IBM X-Force ID: 123493.
16 | CVE-2016-9879 | 417 | | Bypass | 2017-01-06 | 2017-01-10 | 5.0 | None | Remote | Low | Not required | None | Partial | None
An issue was discovered in Pivotal Spring Security before 3.2.10, 4.1.x before 4.1.4, and 4.2.x before 4.2.1. Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded "/" to a request, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. The unexpected presence of path parameters can cause a constraint to be bypassed. Users of Apache Tomcat (all current versions) are not affected by this vulnerability since Tomcat follows the guidance previously provided by the Servlet Expert group and strips path parameters from the value returned by getContextPath(), getServletPath(), and getPathInfo(). Users of other Servlet containers based on Apache Tomcat may or may not be affected depending on whether or not the handling of path parameters has been modified. Users of IBM WebSphere Application Server 8.5.x are known to be affected. Users of other containers that implement the Servlet specification may be affected.
17 | CVE-2016-9738 | 254 | | | 2017-06-27 | 2017-06-30 | 5.0 | None | Remote | Low | Not required | Partial | None | None
IBM QRadar 7.2 and 7.3 does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts. IBM X-Force ID: 119783.
18 | CVE-2016-9736 | 200 | | +Info | 2017-06-08 | 2017-06-13 | 5.0 | None | Remote | Low | Not required | Partial | None | None
IBM WebSphere Application Server using malformed SOAP requests could allow a remote attacker to obtain sensitive information.
19 | CVE-2016-9728 | 89 | | Sql | 2017-03-07 | 2017-03-08 | 5.0 | None | Remote | Low | Not required | Partial | None | None
IBM QRadar 7.2 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view information in the back-end database. IBM Reference #: 1999543.
20 | CVE-2016-9725 | 200 | | +Info | 2017-03-07 | 2017-03-08 | 5.0 | None | Remote | Low | Not required | Partial | None | None
IBM QRadar Incident Forensics 7.2 allows for Cross-Origin Resource Sharing (CORS), which is a mechanism that allows web sites to request resources from external sites, avoiding the need to duplicate them. IBM Reference #: 1999539.
21 | CVE-2016-9720 | 200 | | +Info | 2017-03-07 | 2017-03-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None
IBM QRadar 7.2 discloses sensitive information to unauthorized users. The information can be used to mount further attacks on the system. IBM Reference #: 1999533.
22 | CVE-2016-9710 | 200 | | +Info | 2017-06-07 | 2017-06-14 | 5.0 | None | Remote | Low | Not required | Partial | None | None
IBM Predictive Solutions Foundation (formerly PMQ) could allow a remote attacker to include arbitrary files. A remote attacker could send a specially-crafted URL to specify a file from the local system, which could allow the attacker to obtain sensitive information. IBM X-Force ID: 119618.
23 | CVE-2016-9008 | 284 | | | 2017-02-01 | 2017-02-13 | 5.0 | None | Remote | Low | Not required | None | Partial | None
IBM UrbanCode Deploy could allow a malicious user to access the Agent Relay ActiveMQ Broker JMX interface and run plugins on the agent.
24 | CVE-2016-8982 | 200 | | +Info | 2017-02-01 | 2017-07-25 | 5.0 | None | Remote | Low | Not required | Partial | None | None
IBM InfoSphere Information Server stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history.
25 | CVE-2016-8977 | 200 | | +Info | 2017-02-01 | 2017-02-13 | 5.0 | None | Remote | Low | Not required | Partial | None | None
IBM BigFix Inventory v9 could disclose sensitive information to an unauthorized user using HTTP GET requests. This information could be used to mount further attacks against the system.
26 | CVE-2016-8964 | 254 | | | 2017-07-13 | 2017-07-19 | 5.0 | None | Remote | Low | Not required | Partial | None | None
IBM BigFix Inventory v9 9.2 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 118853.
27 | CVE-2016-8961 | 601 | | +Info | 2017-02-01 | 2017-02-13 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None
IBM BigFix Inventory v9 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim.
28 | CVE-2016-8951 | 287 | | DoS | 2017-07-13 | 2017-07-19 | 5.0 | None | Remote | Low | Not required | None | None | Partial
IBM Emptoris Strategic Supply Management Platform 10.0.0.x through 10.1.1.x is vulnerable to a denial of service attack. An attacker can exploit a vulnerability in the authentication features that could log out users and flood user accounts with emails. IBM X-Force ID: 118838.
29 | CVE-2016-8929 | 89 | | Sql | 2017-02-01 | 2017-02-07 | 5.5 | None | Remote | Low | Single system | None | Partial | Partial
IBM Kenexa LMS on Cloud is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database.
30 | CVE-2016-6117 | 200 | | +Info | 2017-02-01 | 2017-02-10 | 5.0 | None | Remote | Low | Not required | Partial | None | None
IBM Tivoli Key Lifecycle Manager 2.5 and 2.6 can be deployed with active debugging code that can disclose sensitive information.
31 | CVE-2016-6099 | 200 | | +Info | 2017-02-02 | 2017-02-08 | 5.0 | None | Remote | Low | Not required | Partial | None | None
IBM Tivoli Key Lifecycle Manager 2.5 and 2.6 discloses sensitive information to unauthorized users. The information can be used to mount further attacks on the system.
32 | CVE-2016-6098 | 284 | | | 2017-06-08 | 2017-06-13 | 5.5 | None | Remote | Low | Single system | Partial | Partial | None
IBM Tivoli Key Lifecycle Manager 2.0.1, 2.5, and 2.6 specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
33 | CVE-2016-6095 | 284 | | | 2017-02-02 | 2017-02-07 | 5.0 | None | Remote | Low | Not required | Partial | None | None
IBM Tivoli Key Lifecycle Manager 2.5 and 2.6 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials.
34 | CVE-2016-6093 | 255 | | | 2017-06-08 | 2017-06-13 | 5.0 | None | Remote | Low | Not required | Partial | None | None
IBM Tivoli Key Lifecycle Manager does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts.
35 | CVE-2016-6087 | 20 | | | 2017-06-07 | 2017-07-07 | 5.0 | None | Remote | Low | Not required | Partial | None | None
IBM Domino 8.5 and 9.0 could allow an attacker to steal credentials using multiple sessions and large amounts of data using Domino TLS Key Exchange validation. IBM X-Force ID: 117918.
36 | CVE-2016-6083 | 200 | | +Info | 2017-06-27 | 2017-07-05 | 5.0 | None | Remote | Low | Not required | Partial | None | None
IBM Tivoli Monitoring V6 could allow an unauthenticated user to access SOAP queries that could contain sensitive information. IBM X-Force ID: 117696.
37 | CVE-2016-6080 | 200 | | +Info | 2017-02-01 | 2017-02-07 | 5.0 | None | Remote | Low | Not required | Partial | None | None
The WebAdmin context for WebSphere Message Broker allows directory listings which could disclose sensitive information to the attacker.
38 | CVE-2016-6068 | 200 | | +Info | 2017-02-01 | 2017-02-13 | 5.0 | None | Remote | Low | Not required | Partial | None | None
IBM UrbanCode Deploy could allow an authenticated user with access to the REST endpoints to access API and CLI getResource secured role properties.
39 | CVE-2016-6027 | 79 | | XSS +Info | 2016-10-06 | 2016-11-28 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None
The Configuration Manager in IBM Sterling Secure Proxy (SSP) 3.4.2 before 3.4.2.0 iFix 8 and 3.4.3 before 3.4.3.0 iFix 1 does not enable the HSTS protection mechanism, which makes it easier for remote attackers to obtain sensitive information or modify data by leveraging use of HTTP.
40 | CVE-2016-6023 | 22 | | Dir. Trav. | 2016-10-06 | 2016-11-28 | 5.0 | None | Remote | Low | Not required | Partial | None | None
Directory traversal vulnerability in the Configuration Manager in IBM Sterling Secure Proxy (SSP) 3.4.2 before 3.4.2.0 iFix 8 and 3.4.3 before 3.4.3.0 iFix 1 allows remote attackers to read arbitrary files via a crafted URL.
41 | CVE-2016-6020 | 601 | | +Info | 2017-02-01 | 2017-02-09 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None
IBM Sterling B2B Integrator Standard Edition could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim.
42 | CVE-2016-5996 | 640 | | | 2016-09-26 | 2016-11-28 | 5.0 | None | Remote | Low | Not required | Partial | None | None
The web portal in IBM Tealeaf Customer Experience before 8.7.1.8847 FP10, 8.8 before 8.8.0.9049 FP9, 9.0.0 and 9.0.1 before 9.0.1.1117 FP5, 9.0.1A before 9.0.1.5108_9.0.1A FP5, 9.0.2 before 9.0.2.1223 FP3, and 9.0.2A before 9.0.2.5224_9.0.2A FP3 does not enforce password-length restrictions, which makes it easier for remote attackers to obtain access via a brute-force attack.
43 | CVE-2016-5987 | 20 | | +Info | 2016-11-30 | 2016-11-30 | 5.0 | None | Remote | Low | Not required | Partial | None | None
IBM Maximo Asset Management 7.1 through 7.1.1.13, 7.5 before 7.5.0.10 IF4, and 7.6 before 7.6.0.5 IF3 allows remote attackers to obtain sensitive information via a crafted HTTP request that triggers construction of a runtime error message.
44 | CVE-2016-5986 | 200 | | +Info | 2016-09-30 | 2016-11-28 | 5.0 | None | Remote | Low | Not required | Partial | None | None
IBM WebSphere Application Server (WAS) 7.x before 7.0.0.43, 8.0.x before 8.0.0.13, 8.5.x before 8.5.5.11, 9.0.x before 9.0.0.2, and Liberty before 16.0.0.3 mishandles responses, which allows remote attackers to obtain sensitive information via unspecified vectors.
45 | CVE-2016-5971 | 611 | | DoS | 2016-09-26 | 2016-11-28 | 5.5 | None | Remote | Low | Single system | Partial | None | Partial
IBM Security Privileged Identity Manager (ISPIM) Virtual Appliance 2.x before 2.0.2 FP8 allows remote authenticated users to read arbitrary files or cause a denial of service (memory consumption) via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
46 | CVE-2016-5968 | 918 | | | 2016-11-24 | 2016-11-28 | 5.0 | None | Remote | Low | Not required | None | Partial | None
The Replay Server in IBM Tealeaf Customer Experience 8.x before 8.7.1.8847 FP10, 8.8.x before 8.8.0.9049 FP9, 9.0.0 and 9.0.1 before 9.0.1.1117 FP5, 9.0.1A before 9.0.1.5108 FP5, 9.0.2 before 9.0.2.1223 FP3, and 9.0.2A before 9.0.2.5224 FP3 allows remote attackers to conduct SSRF attacks via unspecified vectors.
47 | CVE-2016-5964 | 284 | | | 2017-02-01 | 2017-02-13 | 5.0 | None | Remote | Low | Not required | Partial | None | None
IBM Security Privileged Identity Manager Virtual Appliance version 2.0.2 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials.
48 | CVE-2016-5959 | 200 | | +Info | 2017-06-07 | 2017-06-13 | 5.0 | None | Remote | Low | Not required | Partial | None | None
IBM Security Privileged Identity Manager 2.0.2 and 2.1.0 stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. IBM X-Force ID: 116136.
49 | CVE-2016-5958 | 200 | | +Info | 2017-02-01 | 2017-02-07 | 5.0 | None | Remote | Low | Not required | Partial | None | None
IBM Security Privileged Identity Manager could allow a remote attacker to obtain sensitive information, caused by the failure to set the secure flag for the session cookie in SSL mode. By intercepting its transmission within an HTTP session, an attacker could exploit this vulnerability to capture the cookie and obtain sensitive information.
50 | CVE-2016-5957 | 310 | | +Info | 2016-09-26 | 2016-11-28 | 5.0 | None | Remote | Low | Not required | Partial | None | None
IBM Security Privileged Identity Manager (ISPIM) Virtual Appliance 2.x before 2.0.2 FP8 allows remote attackers to defeat cryptographic protection mechanisms and obtain sensitive information by leveraging a weak algorithm.
Total number of vulnerabilities: 542. Page 1 of 11.
CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.