CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

IBM : Security Vulnerabilities (CVSS score between 6 and 6.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2017-1151 264 +Priv 2017-03-20 2017-03-23
6.8
None Remote Medium Not required Partial Partial Partial
IBM WebSphere Application Server 8.0, 8.5, 8.5.5, and 9.0 using OpenID Connect (OIDC) configured with a Trust Association Interceptor (TAI) could allow a user to gain elevated privileges on the system. IBM Reference #: 1999293.
2 CVE-2016-9994 89 Sql 2017-03-01 2017-03-01
6.5
None Remote Low Single system Partial Partial Partial
IBM Kenexa LCMS Premier on Cloud 9.0, and 10.0.0 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM Reference #: 1976805.
3 CVE-2016-9993 89 Sql 2017-03-01 2017-03-01
6.5
None Remote Low Single system Partial Partial Partial
IBM Kenexa LCMS Premier on Cloud 9.0, and 10.0.0 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM Reference #: 1992067.
4 CVE-2016-9992 89 Sql 2017-03-01 2017-03-01
6.5
None Remote Low Single system Partial Partial Partial
IBM Kenexa LCMS Premier on Cloud 9.0, and 10.0.0 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM Reference #: 1992067.
5 CVE-2016-9975 352 CSRF 2017-02-24 2017-03-01
6.8
None Remote Medium Not required Partial Partial Partial
IBM Jazz for Service Management 1.1.2.1 and 1.1.3 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM Reference #: 1998714.
6 CVE-2016-9729 287 2017-03-07 2017-03-08
6.4
None Remote Low Not required Partial Partial None
IBM QRadar 7.2 does not perform an authentication check for a critical resource or functionality allowing anonymous users access to protected areas. IBM Reference #: 1999545.
7 CVE-2016-9693 20 Bypass 2017-03-07 2017-03-09
6.8
None Remote Medium Not required Partial Partial Partial
IBM Business Process Manager 7.5, 8.0, and 8.5 has a file download capability that is vulnerable to a set of attacks. Ultimately, an attacker can cause an unauthenticated victim to download a malicious payload. An existing file type restriction can be bypassed so that the payload might be considered executable and cause damage on the victim's machine. IBM Reference #: 1998655.
8 CVE-2016-8998 119 Exec Code Overflow 2017-02-24 2017-03-01
6.0
None Remote Medium Single system Partial Partial Partial
IBM Tivoli Storage Manager Server 7.1 could allow an authenticated user with TSM administrator privileges to cause a buffer overflow using a specially crafted SQL query and execute arbitrary code on the server. IBM Reference #: 1998747.
9 CVE-2016-8971 119 Overflow 2017-03-07 2017-03-09
6.8
None Remote Low Single system None None Complete
IBM WebSphere MQ 8.0 could allow an authenticated user with queue manager permissions to cause a segmentation fault which would result in the box having to be rebooted to resume normal operations. IBM Reference #: 1998663.
10 CVE-2016-8941 352 CSRF 2017-02-01 2017-02-13
6.8
None Remote Medium Not required Partial Partial Partial
IBM Tivoli Storage Productivity Center is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.
11 CVE-2016-8932 284 Exec Code 2017-02-01 2017-02-07
6.5
None Remote Low Single system Partial Partial Partial
IBM Kenexa LMS on Cloud could allow a remote attacker to upload arbitrary files, which could allow the attacker to execute arbitrary code on the vulnerable server.
12 CVE-2016-8931 284 Exec Code 2017-02-01 2017-02-07
6.5
None Remote Low Single system Partial Partial Partial
IBM Kenexa LMS on Cloud could allow a remote attacker to upload arbitrary files, which could allow the attacker to execute arbitrary code on the vulnerable server.
13 CVE-2016-8930 89 Sql 2017-02-01 2017-02-07
6.5
None Remote Low Single system Partial Partial Partial
IBM Kenexa LMS on Cloud is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database.
14 CVE-2016-8928 89 Sql 2017-02-01 2017-02-07
6.5
None Remote Low Single system Partial Partial Partial
IBM Kenexa LMS on Cloud is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database.
15 CVE-2016-8921 434 Exec Code 2017-02-01 2017-02-13
6.5
None Remote Low Single system Partial Partial Partial
IBM FileNet WorkPlace XT could allow a remote attacker to upload arbitrary files, which could allow the attacker to execute arbitrary code on the vulnerable server.
16 CVE-2016-6124 434 Exec Code 2017-02-01 2017-02-07
6.5
None Remote Low Single system Partial Partial Partial
IBM Kenexa LMS on Cloud 13.1 and 13.2 - 13.2.4 could allow a remote attacker to upload arbitrary files, which could allow the attacker to execute arbitrary code on the vulnerable server.
17 CVE-2016-6105 284 2017-02-01 2017-02-10
6.4
None Remote Low Not required Partial Partial None
IBM Tivoli Key Lifecycle Manager 2.5 and 2.6 do not perform an authentication check for a critical resource or functionality allowing anonymous users access to protected areas.
18 CVE-2016-6104 434 Exec Code 2017-02-07 2017-02-13
6.5
None Remote Low Single system Partial Partial Partial
IBM Tivoli Key Lifecycle Manager 2.5, and 2.6 could allow a remote attacker to upload arbitrary files, caused by the improper validation of file extensions, which could allow the attacker to execute arbitrary code on the vulnerable system.
19 CVE-2016-6103 352 CSRF 2017-02-02 2017-02-07
6.8
None Remote Medium Not required Partial Partial Partial
IBM Tivoli Key Lifecycle Manager 2.5 and 2.6 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.
20 CVE-2016-6077 284 Exec Code 2017-02-15 2017-02-17
6.8
None Remote Medium Not required Partial Partial Partial
IBM Cognos Disclosure Management 10.2 could allow a malicious attacker to execute commands as a lower privileged user that opens a malicious document. IBM Reference #: 1991584.
21 CVE-2016-6045 352 CSRF 2017-02-01 2017-02-09
6.8
None Remote Medium Not required Partial Partial Partial
IBM Tivoli Storage Manager Operations Center is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.
22 CVE-2016-6040 384 2017-02-01 2017-02-08
6.0
None Remote Medium Single system Partial Partial Partial
IBM Jazz Foundation could allow an authenticated user to take over a previously logged in user due to session expiration not being enforced.
23 CVE-2016-6033 352 CSRF 2017-02-15 2017-02-22
6.8
None Remote Medium Not required Partial Partial Partial
IBM Tivoli Storage Manager for Virtual Environments 7.1 (VMware) is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM Reference #: 1995545.
24 CVE-2016-5995 264 +Priv 2016-09-30 2016-11-28
6.9
None Local Medium Not required Complete Complete Complete
Untrusted search path vulnerability in IBM DB2 9.7 through FP11, 10.1 through FP5, 10.5 before FP8, and 11.1 GA on Linux, AIX, and HP-UX allows local users to gain privileges via a Trojan horse library that is accessed by a setuid or setgid program.
25 CVE-2016-5990 284 2017-02-01 2017-02-07
6.5
None Remote Low Single system Partial Partial Partial
IBM Security Privileged Identity Manager Virtual Appliance allows an authenticated user to upload malicious files that would be automatically executed by the server.
26 CVE-2016-5983 284 Exec Code 2016-10-05 2016-11-28
6.5
None Remote Low Single system Partial Partial Partial
IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.43, 8.0 before 8.0.0.13, 8.5 before 8.5.5.11, 9.0 before 9.0.0.2, and Liberty before 16.0.0.4 allows remote authenticated users to execute arbitrary Java code via a crafted serialized object.
27 CVE-2016-5963 284 Exec Code 2016-09-26 2016-11-28
6.5
None Remote Low Single system Partial Partial Partial
IBM Security Privileged Identity Manager (ISPIM) Virtual Appliance 2.x before 2.0.2 FP8 does not properly validate updates, which allows remote authenticated users to execute arbitrary code via unspecified vectors.
28 CVE-2016-5952 89 Sql 2017-02-01 2017-02-08
6.5
None Remote Low Single system Partial Partial Partial
IBM Kenexa LCMS Premier on Cloud is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database.
29 CVE-2016-5939 89 Sql 2017-02-01 2017-02-05
6.5
None Remote Low Single system Partial Partial Partial
IBM Kenexa LMS on Cloud is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database.
30 CVE-2016-5937 352 CSRF 2017-02-01 2017-02-08
6.8
None Remote Medium Not required Partial Partial Partial
IBM Kenexa LCMS Premier on Cloud is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.
31 CVE-2016-5934 264 Exec Code 2017-02-08 2017-02-15
6.9
None Local Medium Not required Complete Complete Complete
IBM Tivoli Storage Manager FastBack installer could allow a remote attacker to execute arbitrary code on the system. By placing a specially-crafted DLL in the victim's path, an attacker could exploit this vulnerability when the installer is executed to run arbitrary code on the system with privileges of the victim.
32 CVE-2016-3521 2016-07-21 2016-11-28
6.8
None Remote Low Single system None None Complete
Unspecified vulnerability in Oracle MySQL 5.5.49 and earlier, 5.6.30 and earlier, and 5.7.12 and earlier and MariaDB before 5.5.50, 10.0.x before 10.0.26, and 10.1.x before 10.1.15 allows remote authenticated users to affect availability via vectors related to Server: Types.
33 CVE-2016-3029 352 CSRF 2017-02-01 2017-02-09
6.8
None Remote Medium Not required Partial Partial Partial
IBM Security Access Manager for Web is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.
34 CVE-2016-3007 352 CSRF 2016-09-26 2016-11-28
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in IBM Connections 4.x through 4.5 CR5, 5.0 before CR4, and 5.5 before CR1 allows remote authenticated users to hijack the authentication of arbitrary users.
35 CVE-2016-2985 264 +Priv 2016-11-24 2016-11-28
6.9
None Local Medium Not required Complete Complete Complete
IBM Spectrum Scale 4.1.1.x before 4.1.1.8 and 4.2.x before 4.2.0.4 and General Parallel File System (GPFS) 3.5.x before 3.5.0.32 and 4.1.x before 4.1.1.8 allow local users to gain privileges via crafted environment variables to a /usr/lpp/mmfs/bin/ setuid program.
36 CVE-2016-2984 264 +Priv 2016-11-24 2016-11-28
6.9
None Local Medium Not required Complete Complete Complete
IBM Spectrum Scale 4.1.1.x before 4.1.1.8 and 4.2.x before 4.2.0.4 and General Parallel File System (GPFS) 3.5.x before 3.5.0.32 and 4.1.x before 4.1.1.8 allow local users to gain privileges via crafted command-line parameters to a /usr/lpp/mmfs/bin/ setuid program.
37 CVE-2016-2963 352 XSS CSRF 2016-11-30 2016-12-02
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in IBM BigFix Remote Control before 9.1.3 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences.
38 CVE-2016-2945 264 +Priv 2016-07-07 2016-11-28
6.0
None Remote Medium Single system Partial Partial Partial
The API Discovery implementation in IBM WebSphere Application Server (WAS) 8.5.5.8 through 8.5.5.9 Liberty before Liberty Fix Pack 16.0.0.2 allows remote authenticated users to gain privileges via an external reference in a Swagger document.
39 CVE-2016-2942 284 2017-02-01 2017-02-13
6.0
None Remote Medium Single system Partial Partial Partial
IBM UrbanCode Deploy could allow an authenticated attacker with special permissions to craft a script on the server in a way that will cause processes to run on a remote UCD agent machine.
40 CVE-2016-2937 20 +Info 2016-11-30 2016-12-06
6.4
None Remote Low Not required Partial Partial None
IBM BigFix Remote Control before 9.1.3 allows remote attackers to obtain sensitive information or spoof e-mail transmission via a crafted POST request, related to an "untrusted information vulnerability."
41 CVE-2016-2933 22 Dir. Trav. 2016-11-30 2016-12-30
6.8
None Remote Low Single system Complete None None
Directory traversal vulnerability in IBM BigFix Remote Control before 9.1.3 allows remote authenticated administrators to read arbitrary files via a crafted request.
42 CVE-2016-2917 264 +Priv +Info 2016-11-30 2016-12-01
6.5
None Remote Low Single system Partial Partial Partial
The notifications component in IBM TRIRIGA Applications 10.4 and 10.5 before 10.5.1 allows remote authenticated users to obtain sensitive password information, and consequently gain privileges, via unspecified vectors.
43 CVE-2016-2908 611 DoS +Info 2017-02-01 2017-02-07
6.4
None Remote Low Not required Partial None Partial
IBM Single Sign On for Bluemix could allow a remote attacker to obtain sensitive information, caused by a XML external entity (XXE) error when processing XML data by the XML parser. A remote attacker could exploit this vulnerability to read arbitrary files on the system or cause a denial of service.
44 CVE-2016-2901 352 XSS CSRF 2016-06-25 2016-08-18
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in the PA_Theme_Creator application in IBM WebSphere Portal 8.5 CF08 through CF10 and Web Content Manager allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences.
45 CVE-2016-2889 352 CSRF 2016-07-07 2016-11-28
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in the Report Builder and Data Collection Component (DCC) in IBM Jazz Reporting Service (JRS) 5.x before 5.0.2 ifix016, 6.0 and 6.0.1 before 6.0.1 ifix005, and 6.0.2 before ifix002 allows remote authenticated users to hijack the authentication of arbitrary users.
46 CVE-2016-2884 352 XSS CSRF 2016-11-30 2016-12-01
6.0
None Remote Medium Single system Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in IBM Forms Experience Builder 8.5.x and 8.6.x before 8.6.3.1, in an unspecified non-default configuration, allows remote authenticated users to hijack the authentication of arbitrary users for requests that insert XSS sequences.
47 CVE-2016-2881 254 Bypass 2016-11-30 2016-12-01
6.4
None Remote Low Not required Partial Partial None
IBM QRadar SIEM 7.1 before MR2 Patch 13 and 7.2 before 7.2.7 and QRadar Incident Forensics 7.2 before 7.2.7 allow remote attackers to bypass intended access restrictions via modified request parameters.
48 CVE-2016-2878 352 XSS CSRF 2016-11-30 2016-12-22
6.0
None Remote Medium Single system Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in IBM QRadar SIEM 7.1 before MR2 Patch 13 and 7.2 before 7.2.7 allow remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences.
49 CVE-2016-2873 89 Exec Code Sql 2016-11-30 2016-12-22
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in IBM QRadar SIEM 7.1 before MR2 Patch 13 and 7.2 before 7.2.7 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.
50 CVE-2016-2867 254 2016-07-02 2016-07-06
6.9
None Local Medium Not required Complete Complete Complete
IBM InfoSphere Streams before 4.0.1.2 and IBM Streams before 4.1.1.1 do not properly implement the runAsUser feature, which allows local users to obtain root group privileges via unspecified vectors.
Total number of vulnerabilities : 376   Page : 1 (This Page)2 3 4 5 6 7 8
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.