CVEdetails.com the ultimate security vulnerability data source

IBM : Security Vulnerabilities (CVSS score between 7 and 7.99)

# | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.
1 CVE-2014-3074 264 +Priv 2014-07-02 2014-07-24
7.2
None Local Low Not required Complete Complete Complete
The runtime linker in IBM AIX 6.1 and 7.1 and VIOS 2.2.x allows local users to create a mode-666 root-owned file, and consequently gain privileges, by setting crafted MALLOCOPTIONS and MALLOCBUCKETS environment-variable values and then executing a setuid program.
2 CVE-2014-0964 399 DoS 2014-05-16 2014-06-21
7.1
None Remote Medium Not required None None Complete
IBM WebSphere Application Server (WAS) 6.1.0.0 through 6.1.0.47 and 6.0.2.0 through 6.0.2.43 allows remote attackers to cause a denial of service via crafted TLS traffic, as demonstrated by traffic from a CVE-2014-0160 vulnerability-assessment tool.
3 CVE-2014-0963 399 DoS 2014-05-08 2014-06-21
7.1
None Remote Medium Not required None None Complete
The Reverse Proxy feature in IBM Global Security Kit (aka GSKit) in IBM Security Access Manager (ISAM) for Web 7.0 before 7.0.0-ISS-SAM-IF0006 and 8.0 before 8.0.0.3-ISS-WGA-IF0002 allows remote attackers to cause a denial of service (infinite loop) via crafted SSL messages.
4 CVE-2014-0943 20 DoS 2014-05-25 2014-06-21
7.1
None Remote Medium Not required None None Complete
IBM WebSphere Commerce 6.0 Feature Pack 2 through Feature Pack 5, 7.0.0.0 through 7.0.0.8, and 7.0 Feature Pack 1 through Feature Pack 7 allows remote attackers to cause a denial of service (resource consumption and daemon crash) via a malformed id parameter in a request.
5 CVE-2014-0918 22 Dir. Trav. 2014-05-16 2014-05-16
7.1
None Remote Medium Not required Complete None None
Directory traversal vulnerability in IBM Eclipse Help System (IEHS) in IBM WebSphere Portal 6.1.0 through 6.1.0.6 CF27, 6.1.5 through 6.1.5.3 CF27, 7.0 through 7.0.0.2 CF27, and 8.0 before 8.0.0.1 CF06 allows remote attackers to read arbitrary files via a crafted URL.
6 CVE-2014-0907 +Priv 2014-05-30 2014-07-24
7.2
Admin Local Low Not required Complete Complete Complete
Multiple untrusted search path vulnerabilities in unspecified (1) setuid and (2) setgid programs in IBM DB2 9.5, 9.7 before FP9a, 9.8, 10.1 before FP3a, and 10.5 before FP3a on Linux and UNIX allow local users to gain root privileges via a Trojan horse library.
7 CVE-2014-0904 20 Exec Code 2014-03-26 2014-03-26
7.6
None Remote High Not required Complete Complete Complete
The update process in IBM Security AppScan Standard 7.9 through 8.8 does not require integrity checks of downloaded files, which allows remote attackers to execute arbitrary code via a crafted file.
8 CVE-2014-0895 119 Exec Code Overflow 2014-03-16 2014-03-17
7.5
None Remote Low Not required Partial Partial Partial
Buffer overflow in the vsflex8l ActiveX control in IBM SPSS SamplePower 3.0.1 before FP1 3.0.1-IM-S3SAMPC-WIN32-FP001-IF02 allows remote attackers to execute arbitrary code via a crafted ComboList property value.
9 CVE-2014-0887 78 Exec Code 2014-03-25 2014-03-26
7.1
None Remote High Single system Complete Complete Complete
The Admin Web UI in IBM Lotus Protector for Mail Security 2.8.x before 2.8.1-22905 allows remote authenticated users to execute arbitrary commands with root privileges via unspecified vectors.
10 CVE-2014-0886 78 Exec Code Bypass 2014-03-25 2014-03-26
7.1
None Remote High Single system Complete Complete Complete
The Admin Web UI in IBM Lotus Protector for Mail Security 2.8.x before 2.8.1-22905 allows remote authenticated users to bypass intended access restrictions and execute arbitrary commands via unspecified vectors.
11 CVE-2014-0880 DoS 2014-03-28 2014-03-31
7.5
None Remote Low Not required Partial Partial Partial
IBM SAN Volume Controller; Storwize V3500, V3700, V5000, and V7000; and Flex System V7000 with software 6.3 and 6.4 before 6.4.1.8, and 7.1 and 7.2 before 7.2.0.3, allow remote attackers to obtain CLI access, and consequently cause a denial of service, via unspecified traffic to the administrative IP address.
12 CVE-2014-0838 Exec Code 2014-01-30 2014-02-06
7.5
None Remote Low Not required Partial Partial Partial
The AutoUpdate package before 6.4 for IBM Security QRadar SIEM 7.2 MR1 and earlier allows remote attackers to execute arbitrary console commands by leveraging control of the server.
13 CVE-2014-0822 DoS 2014-02-06 2014-02-07
7.8
None Remote Low Not required None None Complete
The IMAP server in IBM Domino 8.5.x before 8.5.3 FP6 IF1 and 9.0.x before 9.0.1 FP1 allows remote attackers to cause a denial of service (daemon crash) via unspecified vectors, aka SPR KLYH9F4S2Z.
14 CVE-2013-6749 119 Exec Code Overflow 2014-01-29 2014-02-06
7.5
None Remote Low Not required Partial Partial Partial
Buffer overflow in the ActiveX control in qp2.cab in IBM Lotus Quickr for Domino 8.5.1 before 8.5.1.42-001b allows remote attackers to execute arbitrary code via a crafted HTML document, a different vulnerability than CVE-2013-6748.
15 CVE-2013-6748 119 Exec Code Overflow 2014-01-29 2014-02-06
7.5
None Remote Low Not required Partial Partial Partial
Buffer overflow in the ActiveX control in qp2.cab in IBM Lotus Quickr for Domino 8.5.1 before 8.5.1.42-001b allows remote attackers to execute arbitrary code via a crafted HTML document, a different vulnerability than CVE-2013-6749.
16 CVE-2013-6747 20 DoS 2014-01-27 2014-02-06
7.1
None Remote Medium Not required None None Complete
IBM GSKit 7.x before 7.0.4.48 and 8.x before 8.0.50.16, as used in IBM Security Directory Server (ISDS) and Tivoli Directory Server (TDS), allows remote attackers to cause a denial of service (application crash or hang) via a malformed X.509 certificate chain.
17 CVE-2013-6742 264 2014-02-14 2014-02-21
7.5
None Remote Low Not required Partial Partial Partial
The Meeting Server in IBM Sametime 8.5.2 through 8.5.2.1 and 9.x through 9.0.0.1 does not have an off autocomplete attribute for a password field, which makes it easier for remote attackers to obtain access by leveraging an unattended workstation.
18 CVE-2013-6329 310 DoS 2013-12-17 2014-01-23
7.8
None Remote Low Not required None None Complete
IBM Global Security Kit (aka GSKit), as used in Content Manager OnDemand 8.5 and 9.0 and other products, allows remote attackers to cause a denial of service via a crafted handshake during resumption of an SSLv2 session.
19 CVE-2013-6321 89 Exec Code Sql 2014-01-10 2014-01-10
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in IBM Atlas eDiscovery Process Management 6.0.1.5 and earlier and 6.0.2, Disposal and Governance Management for IT 6.0.1.5 and earlier and 6.0.2, and Global Retention Policy and Schedule Management 6.0.1.5 and earlier and 6.0.2 in IBM Atlas Suite (aka Atlas Policy Suite) allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
20 CVE-2013-5428 264 DoS 2013-10-22 2013-10-22
7.1
None Remote Medium Not required None None Complete
IBM WebSphere DataPower XC10 appliances 2.5.0 do not require authentication for all administrative actions, which allows remote attackers to cause a denial of service via unspecified vectors.
21 CVE-2013-5416 +Priv 2013-12-18 2013-12-18
7.2
None Local Low Not required Complete Complete Complete
Unspecified vulnerability in IBM Rational ClearCase through 7.1.2.12, 8.0.0.x before 8.0.0.9, and 8.0.1.x before 8.0.1.2 allows local users to gain privileges via unknown vectors.
22 CVE-2013-5415 119 Overflow +Priv 2013-12-18 2013-12-18
7.2
None Local Low Not required Complete Complete Complete
Buffer overflow in IBM Rational ClearCase through 7.1.2.12, 8.0.0.x before 8.0.0.9, and 8.0.1.x before 8.0.1.2 allows local users to gain privileges via unspecified vectors.
23 CVE-2013-5395 Bypass 2013-10-01 2013-10-10
7.5
None Remote Low Not required Partial Partial Partial
IBM Maximo Asset Management 6.2 through 6.2.8, 7.1 before 7.1.1.12, and 7.5 before 7.5.0.5 allows remote attackers to bypass intended access restrictions via unspecified vectors.
24 CVE-2013-5393 2013-10-16 2013-10-16
7.5
None Remote Low Not required Partial Partial Partial
The monitoring console in IBM WebSphere eXtreme Scale 7.1.0, 7.1.1, 8.5.0, and 8.6.0 does not properly process logoff actions, which has unspecified impact and remote attack vectors.
25 CVE-2013-4068 119 Exec Code Overflow 2013-09-20 2013-09-23
7.1
None Remote High Single system Complete Complete Complete
Buffer overflow in iNotes in IBM Domino 8.5.3 before FP5 IF1 and 9.0 before IF4 allows remote authenticated users to execute arbitrary code via unspecified vectors, aka SPR PTHN9ADPA8.
26 CVE-2013-4011 +Priv 2013-07-18 2013-12-05
7.2
None Local Low Not required Complete Complete Complete
Multiple unspecified vulnerabilities in the InfiniBand subsystem in IBM AIX 6.1 and 7.1, and VIOS 2.2.2.2-FP-26 SP-02, allow local users to gain privileges via vectors involving (1) arp.ib or (2) ibstat.
27 CVE-2013-4002 2013-07-23 2014-03-05
7.1
None Remote Medium Not required None None Complete
Unspecified vulnerability in the Java Runtime Environment (JRE) in IBM Java 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 allows remote attackers to affect availability via unknown vectors.
28 CVE-2013-3983 20 2014-02-14 2014-02-18
7.5
None Remote Low Not required Partial Partial Partial
The Meeting Server in IBM Sametime 8.5.2 through 8.5.2.1 and 9.x through 9.0.0.1 does not validate URLs in Cookie headers before using them in redirects, which has unspecified impact and remote attack vectors.
29 CVE-2013-3475 119 Overflow +Priv 2013-06-04 2013-06-05
7.2
None Local Low Not required Complete Complete Complete
Stack-based buffer overflow in db2aud in the Audit Facility in IBM DB2 and DB2 Connect 9.1, 9.5, 9.7, 9.8, and 10.1, as used in Smart Analytics System 7600 and other products, allows local users to gain privileges via unspecified vectors.
30 CVE-2013-3035 20 DoS 2013-06-21 2013-12-05
7.1
None Remote Medium Not required None None Complete
The IPv6 implementation in the inet subsystem in IBM AIX 6.1 and 7.1, and VIOS 2.2.2.2-FP-26 SP-02, allows remote attackers to cause a denial of service (system hang) via a crafted packet to an IPv6 interface.
31 CVE-2013-2974 264 Sql Bypass 2014-01-29 2014-01-29
7.5
None Remote Low Not required Partial Partial Partial
The BIRT viewer in IBM Tivoli Application Dependency Discovery Manager (TADDM) 7.2.1.x before 7.2.1.5 allows remote authenticated users to bypass authorization checks and obtain report-administration privileges, and consequently create or delete reports or conduct SQL injection attacks, via crafted parameters to the BIRT reporting URL.
32 CVE-2013-2964 119 Overflow +Priv 2013-10-04 2013-10-04
7.2
None Local Low Not required Complete Complete Complete
Buffer overflow in dsmtca in IBM Tivoli Storage Manager (TSM) through 5.5.4.0, 6.1.0 through 6.1.5.4, 6.2.0 through 6.2.4.7, and 6.3.0 through 6.3.0.17 on UNIX and Linux allows local users to gain privileges via unspecified vectors.
33 CVE-2013-2956 89 Exec Code Sql 2013-05-27 2013-05-28
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the Console in IBM InfoSphere Optim Data Growth for Oracle E-Business Suite 6.x, 7.x, and 9.x before 9.1.0.3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
34 CVE-2013-0536 264 Exec Code +Priv 2013-06-21 2013-06-24
7.2
None Local Low Not required Complete Complete Complete
ntmulti.exe in the Multi User Profile Cleanup service in IBM Notes 8.0, 8.0.1, 8.0.2, 8.5, 8.5.1, 8.5.2, 8.5.3 before FP5, and 9.0 before IF2 allows local users to gain privileges via vectors that arrange for code to be executed during the next login session of a different user, aka SPR PJOK959J24.
35 CVE-2013-0513 +Priv 2013-03-29 2013-03-29
7.2
None Local Low Not required Complete Complete Complete
IBM Security AppScan Enterprise 5.6 and 8.x before 8.7 and IBM Rational Policy Tester 5.6 and 8.x before 8.5.0.4 create a service that lacks " (double quote) characters in the service path, which allows local users to gain privileges via a Trojan horse program, related to an "Unquoted Service Path Enumeration" vulnerability.
36 CVE-2013-0509 119 Exec Code Overflow 2013-06-04 2013-06-05
7.6
None Remote High Not required Complete Complete Complete
Buffer overflow in the Transaction MIB agent in IBM Tivoli Netcool System Service Monitors (SSM) and Application Service Monitors (ASM) 4.0.0 before FP14 allows remote attackers to execute arbitrary code via a SQL transaction with a long table name that is not properly handled by a packet decoder.
37 CVE-2013-0508 119 DoS Exec Code Overflow 2013-06-04 2013-06-05
7.6
None Remote High Not required Complete Complete Complete
Multiple buffer overflows in IBM Tivoli Netcool System Service Monitors (SSM) and Application Service Monitors (ASM) 4.0.0 before FP14 and 4.0.1 before FP1 allow context-dependent attackers to execute arbitrary code or cause a denial of service via a long line in (1) hrfstable.idx, (2) hrdevice.idx, (3) hrstorage.idx, or (4) lotusmapfile in the SSM Config directory, or (5) .manifest.hive in the main agent directory.
38 CVE-2013-0490 +Priv 2013-02-27 2013-02-28
7.2
None Local Low Not required Complete Complete Complete
Unspecified vulnerability in IBM InfoSphere Guardium S-TAP 8.1 for DB2 on z/OS allows local users to gain privileges via unknown vectors.
39 CVE-2012-6354 287 Bypass 2013-02-19 2013-02-20
7.5
None Remote Low Not required Partial Partial Partial
The management GUI on the IBM SAN Volume Controller and Storwize V7000 6.x before 6.4.1.3 allows remote attackers to bypass authentication and obtain superuser access via IP packets.
40 CVE-2012-5951 264 +Priv 2012-12-26 2013-03-11
7.2
Admin Local Low Not required Complete Complete Complete
Unspecified vulnerability in IBM Tivoli NetView 1.4, 5.1 through 5.4, and 6.1 on z/OS allows local users to gain privileges by leveraging access to the normal Unix System Services (USS) security level.
41 CVE-2012-5938 264 Bypass 2013-03-20 2013-03-21
7.2
None Local Low Not required Complete Complete Complete
The installation process in IBM InfoSphere Information Server 8.1, 8.5, 8.7, and 9.1 on UNIX and Linux sets incorrect permissions and ownerships for unspecified files, which allows local users to bypass intended access restrictions via standard filesystem operations.
42 CVE-2012-5758 287 DoS 2012-11-23 2013-05-29
7.8
None Remote Low Not required None None Complete
The IBM WebSphere DataPower XC10 Appliance 2.0.0.0 through 2.0.0.3 and 2.1.0.0 through 2.1.0.2 does not require authentication for an unspecified interface, which allows remote attackers to cause a denial of service (process exit) via unknown vectors.
43 CVE-2012-4859 2012-12-21 2012-12-24
7.2
None Local Low Not required Complete Complete Complete
Unspecified vulnerability in IBM Tivoli Storage Manager for Space Management (aka TSM HSM) before 6.2.5.0 and 6.3.x before 6.3.1.0 allows local users to read or modify file system objects via unknown vectors.
44 CVE-2012-4856 255 Exec Code 2012-12-20 2013-01-29
7.9
None Local Network Medium Not required Complete Complete Complete
The Service Processor in the IBM Power 5 91##-### and 940#-### before SF240_418_382 does not ensure that firewall code is executed, which allows remote attackers to execute arbitrary code via unspecified vectors.
45 CVE-2012-4850 20 +Priv 2012-11-14 2013-02-25
7.5
None Remote Low Not required Partial Partial Partial
IBM WebSphere Application Server 8.5 Liberty Profile before 8.5.0.1, when JAX-RS is used, does not properly validate requests, which allows remote attackers to gain privileges via unspecified vectors.
46 CVE-2012-4816 264 Bypass 2012-12-26 2013-01-11
7.5
None Remote Low Not required Partial Partial Partial
IBM Rational Automation Framework (RAF) 3.x through 3.0.0.5 allows remote attackers to bypass intended Env Gen Wizard (aka Environment Generation Wizard) access restrictions by visiting context roots in HTTP sessions on port 8080.
47 CVE-2012-2203 264 2012-08-08 2013-08-17
7.5
None Remote Low Not required Partial Partial Partial
IBM Global Security Kit (aka GSKit) before 8.0.14.22, as used in IBM Rational Directory Server, IBM Tivoli Directory Server, and other products, uses the PKCS #12 file format for certificate objects without enforcing file integrity, which makes it easier for remote attackers to spoof SSL servers via vectors involving insertion of an arbitrary root Certification Authority (CA) certificate.
48 CVE-2012-2200 264 +Priv 2012-06-27 2013-03-21
7.2
None Local Low Not required Complete Complete Complete
The default configuration of sendmail in IBM AIX 6.1 and 7.1, and VIOS 2.2.1.4-FP-25 SP-02, allows local users to gain privileges by entering a command in a .forward file in a home directory.
49 CVE-2012-2197 119 Exec Code Overflow 2012-07-25 2012-07-30
7.1
None Remote High Single system Complete Complete Complete
Stack-based buffer overflow in the Java Stored Procedure infrastructure in IBM DB2 9.1 before FP12, 9.5 through FP9, 9.7 through FP6, 9.8 through FP5, and 10.1 allows remote authenticated users to execute arbitrary code by leveraging certain CONNECT and EXECUTE privileges.
50 CVE-2012-2188 264 +Priv 2012-08-06 2012-08-07
7.2
None Local Low Not required Complete Complete Complete
IBM Power Hardware Management Console (HMC) 7R3.5.0 before SP4, 7R7.1.0 and 7R7.2.0 before 7R7.2.0 SP3, and 7R7.3.0 before SP2, and Systems Director Management Console (SDMC) 6R7.3.0 before SP2, does not properly restrict the VIOS viosrvcmd command, which allows local users to gain privileges via vectors involving a (1) $ (dollar sign) or (2) & (ampersand) character.
Total number of vulnerabilities: 375 (page 1 of 8)