| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2013-0584 | 200 | | +Info | 2013-04-23 | 2013-04-23 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The Data Replication Dashboard component in IBM InfoSphere Replication Server 9.7 and 10.x before 10.2.0.0-b113 allows remote attackers to obtain a list of all user accounts, along with information about whether each account requires a password, via unspecified vectors. |
| 2 | CVE-2013-0544 | 22 | | Dir. Trav. | 2013-04-24 | 2013-04-24 | 5.5 | None | Remote | Low | Single system | None | Partial | Partial | Directory traversal vulnerability in the Administrative Console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.47, 7.0 before 7.0.0.29, 8.0 before 8.0.0.6, and 8.5 before 8.5.0.2 on Linux and UNIX allows remote authenticated users to modify data via unspecified vectors. |
| 3 | CVE-2013-0519 | 200 | | +Info | 2013-05-10 | 2013-05-10 | 5.0 | None | Remote | Low | Not required | Partial | None | None | IBM Sterling Secure Proxy 3.2.0 and 3.3.01 before 3.3.01.23 Interim Fix 1, 3.4.0 before 3.4.0.6 Interim Fix 1, and 3.4.1 before 3.4.1.7 provides web-server version data in (1) an unspecified page title and (2) an unspecified HTTP header field, which allows remote attackers to obtain potentially sensitive information by reading a version string. |
| 4 | CVE-2013-0505 | 20 | | | 2013-03-19 | 2013-03-21 | 5.5 | None | Remote | Low | Single system | Partial | Partial | None | IBM Sterling Order Management 8.0 before HF127, 8.5 before HF89, 9.0 before HF69, 9.1.0 before FP41, and 9.2.0 before FP13 allows remote authenticated users to conduct XPath injection attacks, and read arbitrary XML files, via unspecified vectors. |
| 5 | CVE-2013-0483 | 310 | | +Info | 2013-04-05 | 2013-04-05 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The login component in SOAP Gateway in IBM IMS Enterprise Suite 1.1, 2.1, and 2.2 uses cleartext credentials, which allows remote attackers to obtain sensitive information by sniffing the network. |
| 6 | CVE-2013-0472 | | | | 2013-02-20 | 2013-02-21 | 5.1 | None | Remote | High | Not required | Partial | Partial | Partial | The Web GUI in the client in IBM Tivoli Storage Manager (TSM) 6.3 before 6.3.1.0 and 6.4 before 6.4.0.1 allows man-in-the-middle attackers to obtain unspecified client access, and consequently obtain unspecified server access, via unknown vectors. |
| 7 | CVE-2013-0465 | | | DoS +Info | 2013-02-22 | 2013-03-04 | 5.4 | None | Local Network | Medium | Not required | Partial | Partial | Partial | Unspecified vulnerability in the IBM WebSphere Cast Iron physical and virtual appliance 6.0 and 6.1 before 6.1.0.15 and 6.3 before 6.3.0.1, when LDAP authentication is enabled, allows remote attackers to obtain sensitive information, modify data, or cause a denial of service via unknown vectors. |
| 8 | CVE-2013-0127 | 264 | | Exec Code Bypass | 2013-05-01 | 2013-05-01 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | IBM Lotus Notes 8.x before 8.5.3 FP4 Interim Fix 1 and 9.0 before Interim Fix 1 does not block APPLET elements in HTML e-mail, which allows remote attackers to bypass intended restrictions on Java code execution and X-Confirm-Reading-To functionality via a crafted message, aka SPRs JMOY95BLM6 and JMOY95BN49. |
| 9 | CVE-2012-6352 | 119 | | DoS Overflow | 2013-02-02 | 2013-02-04 | 5.0 | None | Remote | Low | Not required | None | None | Partial | The Session Manager in IBM Sterling Connect:Direct through 4.1.0.3 on UNIX allows remote attackers to cause a denial of service (daemon crash and disk consumption) via crafted data. |
| 10 | CVE-2012-5952 | 287 | | | 2013-02-20 | 2013-02-20 | 5.0 | None | Remote | Low | Not required | None | Partial | None | IBM WebSphere Message Broker 6.1 before 6.1.0.12, 7.0 before 7.0.0.6, and 8.0 before 8.0.0.2 does not validate Basic Authentication credentials before proceeding to WS-Addressing and WS-Security operations, which allows remote attackers to trigger transmission of unauthenticated messages via unspecified vectors. |
| 11 | CVE-2012-5770 | 16 | | | 2013-03-06 | 2013-03-06 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | The SSL configuration in IBM Tivoli Application Dependency Discovery Manager (TADDM) 7.2.x before 7.2.1.4 supports the MD5 hash algorithm, which makes it easier for man-in-the-middle attackers to spoof servers and decrypt network traffic via a brute-force attack. |
| 12 | CVE-2012-5769 | | | DoS | 2013-01-01 | 2013-01-07 | 5.8 | None | Remote | Medium | Not required | Partial | None | Partial | IBM SPSS Modeler 14.0, 14.1, 14.2 through FP3, and 15.0 before FP2 allows remote attackers to read arbitrary files, and possibly send HTTP requests to intranet servers or cause a denial of service (CPU and memory consumption), via an XML external entity declaration in conjunction with an entity reference. |
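The XML external entity and entity-expansion class behind entry 12 (CVE-2012-5769), as an added example that is not IBM SPSS Modeler code or anything taken from this listing: a gate that refuses DTDs before an untrusted document reaches the parser, exercised with constructed sample documents for the three outcomes the description names (local file read, HTTP request to an internal host, CPU and memory exhaustion). The file path and internal address in the samples are invented.

```python
"""Pre-parse gate for untrusted XML (added example, not IBM code).

A parser that honours DOCTYPE declarations can be steered to read local files
through an external entity, to make HTTP requests to internal hosts through
the same mechanism, or to exhaust CPU and memory by expanding nested entities.
For a format that never needs a DTD, the robust fix is to refuse DOCTYPE
before the parser sees the bytes, instead of relying on per-parser flags.
"""
import re
import xml.etree.ElementTree as ET

# A DOCTYPE must precede the root element, so a literal "<!DOCTYPE" anywhere
# is either a real declaration or an attempt to get one parsed.  A false
# positive on a comment that contains the literal is acceptable for a gate.
_DOCTYPE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)


class UnsafeXML(ValueError):
    """Raised when the document is rejected before parsing."""


def parse_untrusted_xml(data: bytes, max_bytes: int = 1_000_000) -> ET.Element:
    """Parse XML from an untrusted source, refusing DTDs and oversized bodies."""
    if len(data) > max_bytes:
        raise UnsafeXML(f"document exceeds {max_bytes} bytes")
    if _DOCTYPE.search(data):
        raise UnsafeXML("DOCTYPE (and therefore ENTITY) declarations are not accepted")
    # Without a DTD, xml.etree raises ParseError on an undefined entity such
    # as "&xxe;", so a bare reference cannot smuggle anything either.
    return ET.fromstring(data)


def classify(data: bytes) -> str:
    """Return 'parsed' or 'rejected' for one document (for batch-checking inputs)."""
    try:
        parse_untrusted_xml(data)
        return "parsed"
    except UnsafeXML:
        return "rejected"


# Constructed sample inputs; the path and the 10.0.0.5 address are invented.
BENIGN = b"<model><node id='1' type='filter'/></model>"

XXE_FILE_READ = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE model [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    b"<model><node>&xxe;</node></model>"
)

XXE_INTERNAL_HTTP = (
    b'<!DOCTYPE model [<!ENTITY probe SYSTEM "http://10.0.0.5:8080/admin">]>'
    b"<model>&probe;</model>"
)

# Entity expansion: each level references the previous one ten times, so a
# few hundred bytes of input expand to gigabytes if the parser cooperates.
ENTITY_EXPANSION = (
    b'<!DOCTYPE lolz [<!ENTITY lol "lol">'
    b'<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">'
    b'<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">'
    b"]><lolz>&lol2;</lolz>"
)


if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("xxe-file", XXE_FILE_READ),
                       ("xxe-http", XXE_INTERNAL_HTTP), ("expansion", ENTITY_EXPANSION)]:
        print(f"{label:10s} {classify(doc)}")
```

Rejecting every DOCTYPE is the right call only for formats that never carry a DTD. Where one is required, disable external entity resolution and cap entity expansion on the specific parser instance instead, and keep the size limit; those flags differ between parsers and have changed across releases, which is why a pre-parse gate is the easier thing to audit.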
| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 13 | CVE-2012-5765 | 200 | | +Info | 2012-12-20 | 2013-01-29 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The Web Client (aka CQ Web) in IBM Rational ClearQuest 7.1.2.x before 7.1.2.9 and 8.0.0.x before 8.0.0.5 allows remote attackers to obtain sensitive information via unspecified vectors that trigger a SQL error message. |
| 14 | CVE-2012-4842 | 399 | | | 2013-02-27 | 2013-02-28 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | Open redirect vulnerability in the web server in IBM Lotus Domino 8.5.x through 8.5.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. |
| 15 | CVE-2012-4841 | 399 | | DoS | 2012-11-29 | 2013-02-25 | 5.0 | None | Remote | Low | Not required | None | None | Partial | Unspecified vulnerability in Tivoli Endpoint Manager for Remote Control Broker 8.2 before 8.2.1-TIV-TEMRC821-IF0002 allows remote attackers to cause a denial of service (resource consumption) via unknown vectors. |
| 16 | CVE-2012-4840 | 94 | | | 2013-03-05 | 2013-03-05 | 5.0 | None | Remote | Low | Not required | None | Partial | None | IBM Cognos Business Intelligence (BI) 8.4.1 before IF1, 10.1 before IF2, 10.1.1 before IF2, and 10.2 before IF1 allows remote attackers to conduct XPath injection attacks, and call XPath extension functions, via unspecified vectors. |
| 17 | CVE-2012-4834 | 22 | | Dir. Trav. | 2012-11-30 | 2013-04-10 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Directory traversal vulnerability in LayerLoader.jsp in the theme component in IBM WebSphere Portal 7.0.0.1 and 7.0.0.2 before CF19 and 8.0 before CF03 allows remote attackers to read arbitrary files via a crafted URI. |
| 18 | CVE-2012-4830 | | | | 2012-10-01 | 2012-10-01 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Unspecified vulnerability in IBM WebSphere Commerce 6.0 through 6.0.0.11 and 7.0 through 7.0.0.6 allows remote attackers to obtain users' personal data via unknown vectors. |
| 19 | CVE-2012-4824 | 20 | | | 2012-10-08 | 2012-10-08 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | Open redirect vulnerability in servlet/traveler in IBM Lotus Notes Traveler 8.5.3 before 8.5.3.3 Interim Fix 1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirectURL parameter. |
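The open-redirect class shared by entries 14, 19, 35 and 42, as an added example that is not code from IBM or from this listing: the verbatim pass-through that defines the bug, next to a validator that accepts only same-site paths or absolute URLs to an explicit allow-list of hosts after normalising the forms browsers tolerate. The parameter name follows entry 19; the host names and paths are invented.

```python
"""Redirect target validation (added example, not IBM code).

The bug: a client-supplied URL (entry 19 calls the parameter redirectURL)
becomes the Location header unchanged.  The fix: accept only a same-site
path, or an absolute http(s) URL whose host is allow-listed, and fall back to
a default for everything else so the login flow still completes.
"""
from urllib.parse import urlsplit


def redirect_target_vulnerable(redirect_url: str) -> str:
    """The bug class: whatever the client sent is used verbatim."""
    return redirect_url


def redirect_target_safe(redirect_url: str, default: str = "/",
                         allowed_hosts: frozenset = frozenset()) -> str:
    """Return a Location value that stays on this site or on an allow-listed host."""
    candidate = redirect_url.strip()
    # CR/LF or other control characters would let the value inject headers.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in candidate):
        return default
    # Browsers treat backslash like slash before the authority, so normalise
    # first: "/\evil.example" must be seen as "//evil.example".
    candidate = candidate.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative URL: only http(s), only listed hosts.
        # .hostname drops userinfo, so "https://good.example@evil.example/"
        # is judged by "evil.example".
        if parts.scheme not in ("http", "https"):
            return default
        if (parts.hostname or "").lower() not in allowed_hosts:
            return default
        return candidate
    # Relative URL: must be a single-slash absolute path.  "//" and "///"
    # prefixes are protocol-relative in browsers even where urlsplit
    # reports an empty netloc, so they are refused on the raw string.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    return candidate


# Constructed inputs; traveler.example.com is an invented allow-listed host.
ALLOWED_HOSTS = frozenset({"traveler.example.com"})
SAMPLES = [
    "/servlet/traveler?action=inbox",
    "//evil.example/phish",
    "/\\evil.example/phish",
    "https://evil.example/",
    "https://traveler.example.com@evil.example/",
    "https://traveler.example.com/servlet/traveler",
    "javascript:alert(1)",
    "/ok\r\nSet-Cookie: x=1",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:50} -> {redirect_target_safe(sample, allowed_hosts=ALLOWED_HOSTS)!r}")
```

Validating on the parsed host rather than on a string prefix is the point: prefix checks such as `startswith("https://traveler.example.com")` are defeated by `https://traveler.example.com.evil.example/` and by the userinfo form shown above.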
| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 20 | CVE-2012-4817 | | | DoS | 2012-09-14 | 2013-04-04 | 5.0 | None | Remote | Low | Not required | None | None | Partial | The NFSv4 client implementation in IBM AIX 5.3, 6.1, and 7.1, and VIOS before 2.2.1.4-FP-25 SP-02, does not properly handle GID values, which allows remote attackers to cause a denial of service via unspecified vectors. |
| 21 | CVE-2012-3330 | | | DoS | 2012-11-14 | 2012-11-14 | 5.0 | None | Remote | Low | Not required | None | None | Partial | The proxy server in IBM WebSphere Application Server 7.0 before 7.0.0.27, 8.0 before 8.0.0.5, and 8.5 before 8.5.0.1, and WebSphere Virtual Enterprise, allows remote attackers to cause a denial of service (daemon outage) via a crafted request. |
| 22 | CVE-2012-3319 | 200 | | +Info | 2012-10-01 | 2013-03-01 | 5.0 | None | Remote | Low | Not required | Partial | None | None | IBM Rational Business Developer 8.x before 8.0.1.4 allows remote attackers to obtain potentially sensitive information via a connection to a web service created with the Rational Business Developer product. |
| 23 | CVE-2012-3315 | 287 | | Bypass +Info | 2012-11-08 | 2013-04-18 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The Java servlets in the management console in IBM Tivoli Federated Identity Manager (TFIM) through 6.2.2 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) before 6.2.2 do not require authentication for all resource downloads, which allows remote attackers to bypass intended J2EE security constraints, and obtain sensitive information related to (1) federation metadata or (2) a web plugin configuration template, via a crafted request. |
| 24 | CVE-2012-3314 | 20 | | Bypass | 2012-10-02 | 2013-01-31 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | IBM Tivoli Federated Identity Manager (TFIM) and Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.1.1, 6.2.0, 6.2.1, and 6.2.2 allow remote attackers to establish sessions via a crafted message that leverages (1) a signature-validation bypass for SAML messages containing unsigned elements, (2) incorrect validation of XML messages, or (3) a certificate-chain validation bypass for an XML signature element that contains the signing certificate. |
| 25 | CVE-2012-3312 | 310 | | +Info | 2012-08-29 | 2012-08-30 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The datasource definition editor in IBM InfoSphere Guardium 8.2 and earlier, when the save-password setting is enabled, transmits cleartext database credentials, which allows remote attackers to obtain sensitive information by sniffing the network. |
| 26 | CVE-2012-2199 | 399 | | DoS | 2012-09-25 | 2012-09-26 | 5.0 | None | Remote | Low | Not required | None | None | Partial | The server message channel agent in the queue manager in the server in IBM WebSphere MQ 7.0.1 before 7.0.1.9, 7.1, and 7.5 on Solaris allows remote attackers to cause a denial of service (invalid address alignment exception and daemon crash) via vectors involving a multiplexed channel. |
| 27 | CVE-2012-2196 | 200 | | +Info | 2012-07-25 | 2012-08-01 | 5.0 | None | Remote | Low | Not required | Partial | None | None | IBM DB2 9.1 before FP12, 9.5 through FP9, 9.7 through FP6, 9.8 through FP5, and 10.1 allows remote attackers to read arbitrary XML files via the (1) GET_WRAP_CFG_C or (2) GET_WRAP_CFG_C2 stored procedure. |
| 28 | CVE-2012-2194 | 22 | | Dir. Trav. | 2012-07-25 | 2012-07-25 | 5.0 | None | Remote | Low | Not required | None | Partial | None | Directory traversal vulnerability in the SQLJ.DB2_INSTALL_JAR stored procedure in IBM DB2 9.1 before FP12, 9.5 through FP9, 9.7 through FP6, 9.8 through FP5, and 10.1 allows remote attackers to replace JAR files via unspecified vectors. |
| 29 | CVE-2012-2191 | 20 | | DoS | 2012-08-08 | 2013-04-18 | 5.0 | None | Remote | Low | Not required | None | None | Partial | IBM Global Security Kit (aka GSKit) before 8.0.14.22, as used in IBM Rational Directory Server, IBM Tivoli Directory Server, and other products, does not properly validate data during execution of a protection mechanism against the Vaudenay SSL CBC timing attack, which allows remote attackers to cause a denial of service (application crash) via crafted values in the TLS Record Layer, a different vulnerability than CVE-2012-2333. |
| 30 | CVE-2012-2190 | 310 | | DoS | 2012-08-21 | 2012-08-21 | 5.0 | None | Remote | Low | Not required | None | None | Partial | IBM Global Security Kit (aka GSKit), as used in IBM HTTP Server in IBM WebSphere Application Server (WAS) 6.1.x before 6.1.0.45, 7.0.x before 7.0.0.25, 8.0.x before 8.0.0.4, and 8.5.x before 8.5.0.1, allows remote attackers to cause a denial of service (daemon crash) via a crafted ClientHello message in the TLS Handshake Protocol. |
| 31 | CVE-2012-2187 | 310 | | | 2012-09-25 | 2013-02-12 | 5.0 | None | Remote | Low | Not required | Partial | None | None | IBM Remote Supervisor Adapter II firmware for System x3650, x3850 M2, and x3950 M2 1.13 and earlier generates weak RSA keys, which makes it easier for attackers to defeat cryptographic protection mechanisms via unspecified vectors. |
| 32 | CVE-2012-2181 | 22 | | Dir. Trav. | 2012-07-03 | 2012-07-17 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Directory traversal vulnerability in the Dojo module in IBM WebSphere Portal 7.0.0.1 and 7.0.0.2 before CF14, and 8.0, allows remote attackers to read arbitrary files via a crafted URL. |
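The path-traversal class in entries 17 and 32 (and, inside a stored procedure rather than a URL handler, entries 2 and 28), as an added example that is not WebSphere Portal code or anything from this listing: a resolver that confines a client-supplied path to a base directory. It decodes once, rejects the forms that should never appear in a theme or module path, and then checks containment on the resolved real path so that lexical tricks and symlinks are both caught. The base directory and file names are invented.

```python
"""Confining a client-supplied path to a base directory (added example, not IBM code).

Order matters: decode once (as the server does), reject what should never
appear, then resolve and check containment on the real path.  The last step
is the one that cannot be bypassed by an encoding the earlier checks missed.
"""
import os
from urllib.parse import unquote


class TraversalAttempt(ValueError):
    """Raised for any request that would escape the base directory."""


def resolve_under(base_dir: str, requested: str) -> str:
    """Map `requested` (a relative path taken from a URL) to an absolute path
    under base_dir, or raise TraversalAttempt."""
    decoded = unquote(requested)
    # One decode is what the server does.  A '%' left over means the client
    # double-encoded ("%252e%252e") hoping a later layer decodes again.
    if "%" in decoded:
        raise TraversalAttempt("nested percent-encoding")
    if "\x00" in decoded:
        raise TraversalAttempt("NUL byte")
    # Java and Windows file APIs accept backslash as a separator; normalise it
    # so "..\\" is judged the same as "../".
    decoded = decoded.replace("\\", "/")
    if decoded.startswith("/") or ".." in decoded.split("/"):
        raise TraversalAttempt("absolute path or parent reference")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, decoded))
    # Containment on the resolved path catches anything the lexical checks
    # missed, including a symlink inside base_dir that points outside it.
    if os.path.commonpath([base, target]) != base:
        raise TraversalAttempt("resolved path escapes base directory")
    return target


def classify_requests(base_dir: str, requests: list) -> dict:
    """Label each request 'allowed' or 'blocked'; useful over a list of URIs
    pulled from access logs."""
    verdicts = {}
    for req in requests:
        try:
            resolve_under(base_dir, req)
            verdicts[req] = "allowed"
        except TraversalAttempt:
            verdicts[req] = "blocked"
    return verdicts


# Constructed inputs; the base directory is invented and need not exist.
BASE_DIR = "/srv/portal/themes"
REQUESTS = [
    "css/theme.css",
    "../../../etc/passwd",
    "..%2F..%2Fetc%2Fpasswd",
    "%252e%252e/etc/passwd",
    "css/..\\..\\..\\etc/passwd",
    "/etc/passwd",
    "css/%00../etc/passwd",
]

if __name__ == "__main__":
    for req, verdict in classify_requests(BASE_DIR, REQUESTS).items():
        print(f"{verdict:8s} {req}")
```

For a servlet or JSP the same shape applies with `File.getCanonicalPath()` in place of `realpath`; what must not change is that the decision is made on the canonical path, not on the string the client sent.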
| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 33 | CVE-2012-2173 | 255 | | +Info | 2012-06-20 | 2012-06-20 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The ODBC driver in IBM Security AppScan Source 7.x and 8.x before 8.6 sends an SHA-1 hash of the connection password during connections to a solidDB database, which allows remote attackers to obtain sensitive information by sniffing the network. |
| 34 | CVE-2012-2164 | 264 | | Bypass | 2012-08-17 | 2012-08-29 | 5.5 | None | Remote | Low | Single system | Partial | Partial | None | The Web client in IBM Rational ClearQuest 7.1.x before 7.1.2.7 and 8.x before 8.0.0.3 allows remote authenticated users to bypass intended access restrictions, and use the Site Administration menu to modify system settings, via a parameter-tampering attack. |
| 35 | CVE-2012-2159 | 20 | | | 2012-06-20 | 2012-06-21 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | Open redirect vulnerability in IBM Eclipse Help System (IEHS), as used in IBM Security AppScan Source 7.x and 8.x before 8.6 and IBM SPSS Data Collection Developer Library 6.0 and 6.0.1, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. |
| 36 | CVE-2012-1837 | 200 | | +Info | 2012-03-21 | 2012-10-30 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The (1) webreports, (2) post/create-role, and (3) post/update-role programs in IBM Tivoli Endpoint Manager (TEM) before 8.2 do not include the HTTPOnly flag in a Set-Cookie header for a cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie. |
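The missing-HttpOnly class of entry 36 (CVE-2012-1837), as an added example that is not Tivoli Endpoint Manager code or anything from this listing: a small Set-Cookie parser, an audit that reports which hardening attributes a header lacks, and a function that appends the missing ones. HttpOnly is the attribute the description names; Secure and SameSite go beyond it and are included because a reviewer would expect all three on a session cookie. The cookie name and value are invented, not TEM's.

```python
"""Set-Cookie hardening audit (added example, not IBM code).

Without HttpOnly a cookie is readable from page script, so any XSS in the
application, or in anything else on the same origin, can exfiltrate it with
document.cookie.  Attribute names are case-insensitive (RFC 6265).
"""


def parse_set_cookie(header_value: str):
    """Split one Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_set_cookie(header_value: str, session_cookie: bool = True) -> list:
    """Return the hardening attributes missing from the header, in a fixed
    order.  An empty list means nothing to report."""
    _, _, attrs = parse_set_cookie(header_value)
    findings = []
    if "httponly" not in attrs:
        findings.append("HttpOnly")
    if session_cookie and "secure" not in attrs:
        findings.append("Secure")
    if session_cookie and attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite")
    return findings


def harden_set_cookie(header_value: str) -> str:
    """Append any missing attribute; what is already there is kept as written."""
    header = header_value.rstrip().rstrip(";")
    _, _, attrs = parse_set_cookie(header)
    if "httponly" not in attrs:
        header += "; HttpOnly"
    if "secure" not in attrs:
        header += "; Secure"
    if "samesite" not in attrs:
        header += "; SameSite=Lax"
    return header


# Constructed headers; "sid" and its value are invented.
WEAK_HEADER = "sid=c0ffee1234; Path=/webreports"
STRONG_HEADER = "sid=c0ffee1234; Path=/webreports; Secure; HttpOnly; SameSite=Strict"

if __name__ == "__main__":
    for h in (WEAK_HEADER, STRONG_HEADER):
        print(f"{h}\n  missing: {audit_set_cookie(h) or 'nothing'}")
    print(harden_set_cookie(WEAK_HEADER))
```

HttpOnly stops script from reading the cookie, not from using it: an XSS payload can still issue requests that carry the session, so the flag raises the cost of an attack rather than closing the XSS that enables it.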
| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 37 | CVE-2012-0744 | 200 | | +Info | 2012-08-17 | 2012-08-20 | 5.0 | None | Remote | Low | Not required | Partial | None | None | IBM Rational ClearQuest 7.1.x through 7.1.2.7 and 8.x through 8.0.0.3 allows remote attackers to obtain potentially sensitive information via a request to a (1) snoop, (2) hello, (3) ivt/, (4) hitcount, (5) HitCount.jsp, (6) HelloHTMLError.jsp, (7) HelloHTML.jsp, (8) HelloVXMLError.jsp, (9) HelloVXML.jsp, (10) HelloWMLError.jsp, (11) HelloWML.jsp, or (12) cqweb/j_security_check sample script. |
| 38 | CVE-2012-0743 | 399 | | DoS | 2012-04-22 | 2012-08-13 | 5.0 | None | Remote | Low | Not required | None | None | Partial | IBM Tivoli Directory Server (TDS) 6.3 and earlier allows remote attackers to cause a denial of service (daemon crash) via a malformed LDAP paged search request. |
| 39 | CVE-2012-0741 | 20 | | | 2012-12-28 | 2013-01-11 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | IBM Security AppScan Enterprise before 8.6.0.2 and Rational Policy Tester before 8.5.0.3 do not validate X.509 certificates during use of the Manual Explore Proxy feature, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary certificate. |
| 40 | CVE-2012-0738 | 20 | | | 2012-12-28 | 2013-01-11 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | IBM Security AppScan Enterprise before 8.6.0.2 and Rational Policy Tester before 8.5.0.3 do not validate X.509 certificates during scanning, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary certificate. |
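The certificate-validation class of entries 39 and 40, together with the weak-hash configuration of entry 11, as an added example that is not AppScan, Policy Tester or TADDM code and not taken from this listing: Python's `ssl` module is used to build the accept-anything client context that defines the bug next to a context that verifies the chain and hostname and refuses MD5-based suites, plus an audit function that flags either problem before a context is handed to a connection. No network access is needed; the audit reads the context's own settings.

```python
"""TLS client contexts, weak and hardened, with an audit (added example, not IBM code).

A client that does not validate the server certificate lets a network
attacker terminate the session with a certificate of their own (entries 39
and 40).  A configuration that still offers MD5-based suites (entry 11)
weakens the handshake even when the certificate is checked.
"""
import ssl


def client_context_vulnerable() -> ssl.SSLContext:
    """Accepts any certificate for any host: the behaviour the descriptions name."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def client_context_hardened(cafile: str = None) -> ssl.SSLContext:
    """Verifies chain and hostname, requires TLS 1.2+, drops MD5/RC4/3DES suites."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # TLS 1.2 suite list: forward-secret AEAD only.  The '!' entries are
    # spelled out so the intent survives a change in OpenSSL's defaults.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!3DES")
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> list:
    """Return the problems a reviewer would flag; an empty list is acceptable."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("verify_mode is not CERT_REQUIRED: any certificate is accepted")
    if not ctx.check_hostname:
        problems.append("check_hostname is off: a valid certificate for another host is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("minimum_version is below TLS 1.2")
    weak = [c["name"] for c in ctx.get_ciphers()
            if any(tag in c["name"] for tag in ("MD5", "RC4", "3DES", "NULL"))]
    if weak:
        problems.append("weak cipher suites enabled: " + ", ".join(weak))
    return problems


if __name__ == "__main__":
    for label, ctx in (("vulnerable", client_context_vulnerable()),
                       ("hardened", client_context_hardened())):
        print(label, audit_client_context(ctx) or "ok")
```

The audit belongs wherever a proxy or scanner is deliberately configured to accept self-signed targets: such a mode should be an explicit per-target exception with its own pinned certificate, not a process-wide `CERT_NONE`.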
| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 41 | CVE-2012-0710 | 20 | | DoS | 2012-03-20 | 2012-08-13 | 5.0 | None | Remote | Low | Not required | None | None | Partial | IBM DB2 9.1 before FP11, 9.5 before FP9, 9.7 before FP5, and 9.8 before FP4 allows remote attackers to cause a denial of service (daemon crash) via a crafted Distributed Relational Database Architecture (DRDA) request. |
| 42 | CVE-2012-0703 | 20 | | | 2013-01-31 | 2013-01-31 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | Open redirect vulnerability in Information Services Framework (ISF) in IBM InfoSphere Information Server 8.1, 8.5 before FP3, and 8.7 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. |
| 43 | CVE-2012-0193 | 20 | | DoS | 2012-01-19 | 2012-01-20 | 5.0 | None | Remote | Low | Not required | None | None | Partial | IBM WebSphere Application Server (WAS) 6.0 through 6.0.2.43, 6.1 before 6.1.0.43, 7.0 before 7.0.0.23, and 8.0 before 8.0.0.3 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. |
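The predictable hash-collision class of entry 43 (CVE-2012-0193), as an added example that is not WebSphere code and not taken from this listing: it reproduces `java.lang.String.hashCode`, builds thousands of distinct parameter names that all share one hash, counts the quadratic number of key comparisons a chained hash table performs on them, and then shows the mitigation of capping the parameter count before any table is filled. The Java hash is reimplemented here to make the collision construction visible; the form parser is an illustrative stand-in, not a servlet container's.

```python
"""Hash-collision denial of service on form parameters (added example, not IBM code).

A servlet container keys its parameter map by parameter name.  Java's
String.hashCode is public and linear, so an attacker can craft many distinct
names with the same hash; each insert then walks one bucket and a single
request costs O(n^2) string comparisons.
"""


def java_string_hash(s: str) -> int:
    """java.lang.String.hashCode(), reduced to an unsigned 32-bit value."""
    h = 0
    for ch in s:
        h = (31 * h + ord(ch)) & 0xFFFFFFFF
    return h


def colliding_parameter_names(log2_count: int) -> list:
    """Return 2**log2_count distinct names that all share one hashCode.

    "Aa" and "BB" both hash to 2112.  Because hashCode is h*31 + c applied
    left to right, concatenating equal-length blocks with equal hashes keeps
    the hashes equal, so every string over the alphabet {"Aa", "BB"} collides.
    """
    blocks = ("Aa", "BB")
    names = [""]
    for _ in range(log2_count):
        names = [n + b for n in names for b in blocks]
    return names


def chained_insert_comparisons(names: list) -> int:
    """Insert names into a separate-chaining table keyed by java_string_hash
    and count key comparisons.  All-colliding input scans the whole chain on
    every insert, so the total is n(n-1)/2."""
    buckets = {}
    comparisons = 0
    for name in names:
        chain = buckets.setdefault(java_string_hash(name), [])
        comparisons += len(chain)      # each existing key is compared for equality
        chain.append(name)
    return comparisons


def parse_form_limited(body: str, max_params: int = 1000) -> dict:
    """Parse application/x-www-form-urlencoded, refusing bodies with too many
    parameters before any table is filled.  Counting '&' is linear and runs
    before the expensive part, so the limit cannot itself be attacked.
    (Python's own str hash is per-process randomised, so the dict below is
    not the vulnerable structure; the cap is what a Java container needed.)"""
    if body.count("&") + 1 > max_params:
        raise ValueError("too many form parameters")
    params = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        params.setdefault(key, []).append(value)
    return params


def accepts_form(body: str, max_params: int = 1000) -> bool:
    """True if parse_form_limited accepts the body, False if it refuses it."""
    try:
        parse_form_limited(body, max_params)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    names = colliding_parameter_names(12)              # 4096 names, one hash
    print("distinct hashes:", len({java_string_hash(n) for n in names}))
    print("comparisons for one request:", chained_insert_comparisons(names))
    attack_body = "&".join(f"{n}=x" for n in names)
    print("accepted with cap of 1000:", accepts_form(attack_body, 1000))
```

A cap is the cheap fix and is what lets a container keep a predictable hash; the structural fix is a keyed or randomised hash for untrusted keys, which is what later language runtimes adopted.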
| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 44 | CVE-2012-0191 | 264 | | | 2012-06-22 | 2012-06-22 | 5.0 | None | Remote | Low | Not required | None | Partial | None | The web container in IBM Lotus Expeditor 6.1.x and 6.2.x before 6.2 FP5+Security Pack does not properly perform access control for requests, which allows remote attackers to spoof a localhost request origin via crafted headers. |
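The spoofed-origin class of entry 44 (CVE-2012-0191), as an added example that is not Lotus Expeditor code and not taken from this listing: the header-trusting check that defines the bug next to a resolver that derives the client address from the transport peer and honours `X-Forwarded-For` only when the peer is a configured reverse proxy, and then only the hop that proxy appended. The addresses are invented; the header names are the conventional ones, not necessarily the ones the description refers to.

```python
"""Deciding whether a request came from localhost (added example, not IBM code).

Request headers are attacker-controlled.  The only origin fact the server
knows first-hand is the socket peer address, and a forwarding header is
trustworthy only for the single hop appended by a proxy the server trusts.
"""
import ipaddress


def is_local_request_vulnerable(peer_ip: str, headers: dict) -> bool:
    """The bug class: trusts client-supplied headers, so any remote host can
    claim to be local.  peer_ip is ignored entirely."""
    claimed = headers.get("X-Forwarded-For") or headers.get("Host", "").split(":")[0]
    try:
        return ipaddress.ip_address(claimed).is_loopback
    except ValueError:
        return claimed.lower() == "localhost"


def effective_client_ip(peer_ip: str, headers: dict,
                        trusted_proxies: frozenset = frozenset()):
    """Return the address the request should be judged by.

    From an untrusted peer, that is the peer itself and headers are ignored.
    From a trusted proxy, it is the right-most X-Forwarded-For entry: the one
    that proxy appended.  Earlier entries were supplied by whoever connected
    to the proxy and may be forged.
    """
    peer = ipaddress.ip_address(peer_ip)
    if peer_ip not in trusted_proxies:
        return peer
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    if not hops:
        return peer
    try:
        return ipaddress.ip_address(hops[-1])
    except ValueError:
        return peer            # malformed header from a trusted proxy: fail closed


def is_local_request(peer_ip: str, headers: dict,
                     trusted_proxies: frozenset = frozenset()) -> bool:
    """Localhost means the effective client address is a loopback address."""
    return effective_client_ip(peer_ip, headers, trusted_proxies).is_loopback


# Constructed request: a remote host claiming to be local via headers.
SPOOFED_HEADERS = {"X-Forwarded-For": "127.0.0.1", "Host": "localhost:8080"}

if __name__ == "__main__":
    print("vulnerable check:", is_local_request_vulnerable("203.0.113.5", SPOOFED_HEADERS))
    print("peer-based check:", is_local_request("203.0.113.5", SPOOFED_HEADERS))
```

If the container sits behind a proxy on the same host, the proxy's own address is loopback and every request would look local; in that deployment the trusted-proxy path above is what separates "arrived via the proxy" from "originated on this machine".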
| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 45 | CVE-2011-4435 | 264 | | +Info | 2011-11-11 | 2011-12-12 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The web-server component in the Consolidation and Analysis Engine (CAE) Server in DB2 Query Monitor in IBM DB2 Tools 2.3.0 for z/OS does not prevent directory browsing, which allows remote attackers to obtain sensitive information via HTTP requests. |
| 46 | CVE-2011-3140 | 264 | | Bypass | 2011-08-15 | 2011-09-21 | 5.0 | None | Remote | Low | Not required | None | Partial | None | IBM Web Application Firewall, as used on the G400 IPS-G400-IB-1 and GX4004 IPS-GX4004-IB-2 appliances with update 31.030, does not properly handle query strings with multiple instances of the same parameter, which allows remote attackers to bypass intended intrusion prevention by dividing a dangerous parameter value into substrings, as demonstrated by a SQL statement that is split across multiple iid parameters and then sent to a .aspx file on an IIS web server. |
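The parameter-pollution bypass of entry 46 (CVE-2011-3140), as an added example that is neither IBM's inspection engine nor its ruleset: a model of how ASP.NET's `Request.QueryString[name]` joins duplicate instances with a comma (a long-standing framework behaviour, not something specific to this CVE), a per-instance inspector that misses a statement split across several `iid` values, and an inspector that reassembles the value the way the backend will. The signature list is illustrative only, and the payload is constructed for the example.

```python
"""HTTP parameter pollution against a per-parameter inspector (added example, not IBM code).

An engine that scores each parameter instance on its own never sees the
string the backend executes once duplicate instances are joined.  Inline
comments are the usual way an attacker neutralises the commas the join
introduces, so they are collapsed before matching in the corrected inspector.
"""
import re
from urllib.parse import parse_qs

# Illustrative signatures, not a real WAF ruleset.
DANGEROUS = re.compile(r"union\s+select|\bor\s+1\s*=\s*1\b|;\s*drop\s+table", re.IGNORECASE)
COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)


def aspnet_query_value(raw_query: str, name: str) -> str:
    """Model Request.QueryString[name]: all instances of name joined with ','."""
    return ",".join(parse_qs(raw_query, keep_blank_values=True).get(name, []))


def waf_blocks_per_instance(raw_query: str) -> bool:
    """The bypassed design: every parameter instance is inspected separately."""
    for values in parse_qs(raw_query, keep_blank_values=True).values():
        if any(DANGEROUS.search(v) for v in values):
            return True
    return False


def waf_blocks_backend_view(raw_query: str) -> bool:
    """Inspect each name as the backend will see it: instances joined, and
    comment sequences collapsed to a space before matching."""
    for name in parse_qs(raw_query, keep_blank_values=True):
        joined = COMMENT.sub(" ", aspnet_query_value(raw_query, name))
        if DANGEROUS.search(joined):
            return True
    return False


# Constructed payload: one statement split across five iid instances so that
# no single instance contains a complete signature.
SPLIT_PAYLOAD = "iid=1'/*&iid=*/union/*&iid=*/select/*&iid=*/1,2/*&iid=*/--"
PLAIN_PAYLOAD = "iid=1' union select 1,2--"
BENIGN_QUERY = "iid=42&page=2"

if __name__ == "__main__":
    print("backend sees:", aspnet_query_value(SPLIT_PAYLOAD, "iid"))
    for label, q in (("split", SPLIT_PAYLOAD), ("plain", PLAIN_PAYLOAD), ("benign", BENIGN_QUERY)):
        print(f"{label:7s} per-instance={waf_blocks_per_instance(q)!s:5} "
              f"backend-view={waf_blocks_backend_view(q)}")
```

The reassembly rule has to match the backend actually behind the inspector: ASP.NET joins with a comma, PHP keeps the last instance, and Java servlets return the first from `getParameter`, so the same query is three different strings to three different applications. That is also why a network-level filter is a backstop and parameterised queries in the .aspx code are the fix.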
| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 47 | CVE-2011-3138 | | | Bypass | 2011-08-12 | 2011-09-06 | 5.0 | None | Remote | Low | Not required | None | Partial | None | The LTPA STS module support implementation in IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 before 6.2.0.9 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.2.0 before 6.2.0.9 relies on a static instance of a Java Development Kit (JDK) class, which might allow attackers to bypass LTPA token signature verification by leveraging lack of thread safety. |
| 48 | CVE-2011-2759 | 200 | | +Info | 2011-07-17 | 2011-09-06 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The login page of IDSWebApp in the Web Administration Tool in IBM Tivoli Directory Server (TDS) 6.2 before 6.2.0.3-TIV-ITDS-IF0004 does not have an off autocomplete attribute for authentication fields, which makes it easier for remote attackers to obtain access by leveraging an unattended workstation. |
| 49 | CVE-2011-2758 | 287 | | +Info | 2011-07-17 | 2011-07-19 | 5.0 | None | Remote | Low | Not required | Partial | None | None | IDSWebApp in the Web Administration Tool in IBM Tivoli Directory Server (TDS) 6.2 before 6.2.0.3-TIV-ITDS-IF0004 does not require authentication for access to LDAP Server log files, which allows remote attackers to obtain sensitive information via a crafted URL. |
| 50 | CVE-2011-2144 | 399 | | DoS | 2011-05-16 | 2011-09-06 | 5.0 | None | Remote | Low | Not required | None | None | Partial | The eDocument Conversion Actions implementation in IBM Datacap Taskmaster Capture 8.0.1 FP1 and earlier allows remote attackers to cause a denial of service (batch abort) via a long subject line in an e-mail message that is represented in a .eml file. |