CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

IBM : Security Vulnerabilities Published In 2011

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2011-4708 79 XSS 2011-12-08 2012-01-03
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in IBM Rational Asset Manager before 7.5.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
2 CVE-2011-4668 94 Exec Code 2011-12-02 2011-12-12
7.5
None Remote Low Not required Partial Partial Partial
IBM Tivoli Netcool/Reporter 2.2 before 2.2.0.8 allows remote attackers to execute arbitrary code via vectors related to an unspecified CGI program used with the Apache HTTP Server.
3 CVE-2011-4465 79 XSS 2011-11-18 2012-02-16
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in IBM Lotus Mobile Connect (LMC) 6.1.4 allows remote attackers to inject arbitrary web script or HTML via vectors related to a hidden redirect URL.
4 CVE-2011-4435 264 +Info 2011-11-11 2011-12-12
5.0
None Remote Low Not required Partial None None
The web-server component in the Consolidation and Analysis Engine (CAE) Server in DB2 Query Monitor in IBM DB2 Tools 2.3.0 for z/OS does not prevent directory browsing, which allows remote attackers to obtain sensitive information via HTTP requests.
5 CVE-2011-4171 79 XSS 2011-10-24 2011-10-25
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in content/error.jsp in IBM WebSphere ILOG Rule Team Server 7.1.1 allows remote attackers to inject arbitrary web script or HTML via the project parameter to teamserver/faces/home.jsp.
6 CVE-2011-4061 +Priv 2011-10-17 2012-02-13
6.9
None Local Medium Not required Complete Complete Complete
Multiple untrusted search path vulnerabilities in (1) db2rspgn and (2) kbbacf1 in IBM DB2 Express Edition 9.7, as used in the IBM Tivoli Monitoring for Databases: DB2 Agent, allow local users to gain privileges via a Trojan horse libkbb.so in the current working directory, related to the DT_RPATH ELF header.
7 CVE-2011-3982 399 DoS 2011-10-04 2012-05-14
2.1
None Local Low Not required None None Partial
The Fibre Channel driver for QLogic adapters in IBM AIX 6.1 and 7.1 does not properly handle DMA resource limitations, which allows local users to cause a denial of service (system hang) via vectors that generate a large amount of DMA I/O, related to a deadlock in timer processing across CPUs.
8 CVE-2011-3577 287 2011-09-20 2012-05-31
10.0
None Remote Low Not required Complete Complete Complete
IBM WebSphere Commerce 6.x through 6.0.0.11 and 7.x through 7.0.0.3 does not properly implement Activity Token authentication for Web Services, which has unspecified impact and attack vectors.
9 CVE-2011-3576 79 XSS 2011-09-19 2011-09-22
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in IBM Lotus Domino 8.5.2 allows remote attackers to inject arbitrary web script or HTML via the PanelIcon parameter in an fmpgPanelHeader ReadForm action to WebAdmin.nsf.
10 CVE-2011-3575 119 Exec Code Overflow 2011-09-19 2011-09-22
9.0
None Remote Low Single system Complete Complete Complete
Stack-based buffer overflow in the NSFComputeEvaluateExt function in Nnotes.dll in IBM Lotus Domino 8.5.2 allows remote authenticated users to execute arbitrary code via a long tHPRAgentName parameter in an fmHttpPostRequest OpenForm action to WebAdmin.nsf.
11 CVE-2011-3391 264 2011-09-08 2011-09-09
4.0
None Remote Low Single system Partial None None
IBM Rational Build Forge 7.1.2 relies on client-side JavaScript code to enforce the EditSecurity permission requirement for the Export Key File function, which allows remote authenticated users to read a key file by removing a disable attribute in the Security sub-menu.
12 CVE-2011-3390 79 XSS 2011-09-06 2011-09-21
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in index.php in IBM OpenAdmin Tool (OAT) before 2.72 for Informix allow remote attackers to inject arbitrary web script or HTML via the (1) informixserver, (2) host, or (3) port parameter in a login action.
13 CVE-2011-3387 20 DoS 2011-09-02 2011-10-25
4.0
None Remote Low Single system None None Partial
The class file parser in IBM Java 1.4.2 SR13 FP9 allows remote authenticated users to cause a denial of service (memory consumption or an infinite loop) via a crafted attribute length field in a class file, related to validation of a length field at the wrong time, a different vulnerability than CVE-2011-0311.
14 CVE-2011-3140 264 Bypass 2011-08-15 2011-09-21
5.0
None Remote Low Not required None Partial None
IBM Web Application Firewall, as used on the G400 IPS-G400-IB-1 and GX4004 IPS-GX4004-IB-2 appliances with update 31.030, does not properly handle query strings with multiple instances of the same parameter, which allows remote attackers to bypass intended intrusion prevention by dividing a dangerous parameter value into substrings, as demonstrated by a SQL statement that is split across multiple iid parameters and then sent to a .aspx file on an IIS web server.
15 CVE-2011-3138 Bypass 2011-08-12 2011-09-06
5.0
None Remote Low Not required None Partial None
The LTPA STS module support implementation in IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 before 6.2.0.9 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.2.0 before 6.2.0.9 relies on a static instance of a Java Development Kit (JDK) class, which might allow attackers to bypass LTPA token signature verification by leveraging lack of thread safety.
16 CVE-2011-3137 2011-08-12 2011-09-06
10.0
None Remote Low Not required Complete Complete Complete
Unspecified vulnerability in the Management Console in IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 before 6.2.0.9 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.2.0 before 6.2.0.9 has unknown impact and attack vectors, aka APAR IV03050.
17 CVE-2011-3136 2011-08-12 2012-04-25
10.0
None Remote Low Not required Complete Complete Complete
Unspecified vulnerability in the Management Console in IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 before 6.2.0.9 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.2.0 before 6.2.0.9 has unknown impact and attack vectors, aka APAR IV03048.
18 CVE-2011-3135 2011-08-12 2011-09-06
10.0
None Remote Low Not required Complete Complete Complete
Unspecified vulnerability in the Runtime in IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 before 6.2.0.9 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.2.0 before 6.2.0.9 has unknown impact and attack vectors.
19 CVE-2011-3124 264 +Priv 2011-08-10 2012-06-15
7.2
None Local Low Not required Complete Complete Complete
IBM InfoSphere Information Server 8.5 and 8.5.0.1 on Unix and Linux, as used in IBM InfoSphere DataStage 8.5 and 8.5.0.1 and other products, assigns incorrect ownership to unspecified files, which allows local users to gain privileges via unknown vectors.
20 CVE-2011-3123 264 +Priv 2011-08-10 2012-06-15
7.2
None Local Low Not required Complete Complete Complete
IBM InfoSphere Information Server 8.5 and 8.5.0.1 on Unix and Linux, as used in IBM InfoSphere DataStage 8.5 and 8.5.0.1 and other products, uses weak permissions for unspecified files, which allows local users to gain privileges via unknown vectors.
21 CVE-2011-2893 399 DoS 2011-07-27 2011-08-11
4.3
None Remote Medium Not required None None Partial
The DataPilot feature in IBM Lotus Symphony 3 before FP3 allows user-assisted remote attackers to cause a denial of service (application crash) via a large .xls spreadsheet with an invalid Value reference.
22 CVE-2011-2888 399 DoS 2011-07-27 2013-09-12
4.3
None Remote Medium Not required None None Partial
IBM Lotus Symphony 3 before FP3 allows remote attackers to cause a denial of service (application hang) via complex graphics in a presentation.
23 CVE-2011-2887 399 DoS 2011-07-27 2011-08-11
4.3
None Remote Medium Not required None None Partial
IBM Lotus Symphony 3 before FP3 on Linux allows remote attackers to cause a denial of service (application crash) via a certain sample document.
24 CVE-2011-2886 399 DoS 2011-07-27 2011-08-11
4.3
None Remote Medium Not required None None Partial
IBM Lotus Symphony 3 before FP3 allows remote attackers to cause a denial of service (application crash) via a .docx document with empty bullet styles for parent bullets.
25 CVE-2011-2885 399 DoS 2011-07-27 2011-08-11
4.3
None Remote Medium Not required None None Partial
IBM Lotus Symphony 3 before FP3 allows remote attackers to cause a denial of service (application crash) via the sample .doc document that incorporates a user-defined toolbar.
26 CVE-2011-2884 2011-07-27 2011-08-11
10.0
None Remote Low Not required Complete Complete Complete
Multiple unspecified vulnerabilities in IBM Lotus Symphony 3 before FP3 have unknown impact and attack vectors, related to "critical security vulnerability issues."
27 CVE-2011-2759 200 +Info 2011-07-17 2011-09-06
5.0
None Remote Low Not required Partial None None
The login page of IDSWebApp in the Web Administration Tool in IBM Tivoli Directory Server (TDS) 6.2 before 6.2.0.3-TIV-ITDS-IF0004 does not have an off autocomplete attribute for authentication fields, which makes it easier for remote attackers to obtain access by leveraging an unattended workstation.
28 CVE-2011-2758 287 +Info 2011-07-17 2011-07-19
5.0
None Remote Low Not required Partial None None
IDSWebApp in the Web Administration Tool in IBM Tivoli Directory Server (TDS) 6.2 before 6.2.0.3-TIV-ITDS-IF0004 does not require authentication for access to LDAP Server log files, which allows remote attackers to obtain sensitive information via a crafted URL.
29 CVE-2011-2754 79 XSS 2011-07-17 2011-07-19
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the PageBuilder2 (aka Page Builder) theme in IBM WebSphere Portal 7.x before 7.0.0.1 CF006, as used in IBM Web Content Manager (WCM) and other products, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
30 CVE-2011-2682 399 DoS 2011-07-07 2011-09-06
4.0
None Remote Low Single system None None Partial
The Login component in IBM Rational DOORS Web Access 1.4.x before 1.4.0.4 allows remote authenticated users to cause a denial of service (license consumption) by trying to login to DOORS Web Access with a new user account that has never been used for a DOORS login.
31 CVE-2011-2681 20 2011-07-07 2011-09-06
10.0
None Remote Low Not required Complete Complete Complete
IBM Rational DOORS Web Access 1.4.x before 1.4.0.4 does not properly handle exceptions, which has unspecified impact and remote attack vectors.
32 CVE-2011-2680 2011-07-07 2013-08-13
10.0
None Remote Low Not required Complete Complete Complete
Unspecified vulnerability in IBM Rational DOORS Web Access 1.4.x before 1.4.0.4 has unknown impact and remote attack vectors related to the "server error response."
33 CVE-2011-2679 79 XSS 2011-07-07 2011-09-06
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in IBM Rational DOORS Web Access 1.4.x before 1.4.0.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
34 CVE-2011-2607 79 XSS 2011-06-30 2011-07-11
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in IBM Rational Team Concert (RTC) 3.0 allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka Work Item 165513.
35 CVE-2011-2606 79 XSS 2011-06-30 2011-07-11
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Web UI in IBM Rational Team Concert (RTC) 3.0 allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka Work Item 165511.
36 CVE-2011-2330 264 2011-06-02 2011-09-21
9.0
None Remote Low Single system Complete Complete Complete
Tivoli Endpoint in IBM Tivoli Management Framework 3.7.1, 4.1, 4.1.1, and 4.3.1 has an unspecified "built-in account" that is "trivially" accessed, which makes it easier for remote attackers to send requests to restricted pages via a session on TCP port 9495, a different vulnerability than CVE-2011-1220.
37 CVE-2011-2173 399 DoS 2011-05-26 2011-09-06
4.0
None Remote Low Single system None None Partial
The implementation of OutputMediator objects in IBM WebSphere Portal 6.0.1.7, and 7.0.0.1 before CF002, allows remote authenticated users to cause a denial of service (memory consumption) via requests.
38 CVE-2011-2172 79 XSS 2011-05-26 2011-06-10
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the search center in IBM WebSphere Portal 7.0.0.1 before CF004 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
39 CVE-2011-2163 2011-05-20 2011-05-23
9.3
None Remote Medium Not required Complete Complete Complete
Unspecified vulnerability in Virtualization Manager 1.2.2 in IBM Systems Director 1.2.2 has unknown impact and attack vectors.
40 CVE-2011-2144 399 DoS 2011-05-16 2011-09-06
5.0
None Remote Low Not required None None Partial
The eDocument Conversion Actions implementation in IBM Datacap Taskmaster Capture 8.0.1 FP1 and earlier allows remote attackers to cause a denial of service (batch abort) via a long subject line in an e-mail message that is represented in a .eml file.
41 CVE-2011-2143 264 2011-05-16 2011-09-06
6.8
None Remote Medium Not required Partial Partial Partial
IBM Datacap Taskmaster Capture 8.0.1 before FP1, when Windows Authentication is enabled, allows remote attackers to obtain login access by using an incorrect password in conjunction with an account name from a different domain.
42 CVE-2011-2142 310 2011-05-16 2011-09-06
5.0
None Remote Low Not required Partial None None
The Web Client Service in IBM Datacap Taskmaster Capture 8.0.1 before FP1 requires a cleartext password, which has unspecified impact and attack vectors.
43 CVE-2011-2141 89 Exec Code Sql 2011-05-16 2011-09-06
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in TMWeb in IBM Datacap Taskmaster Capture 8.0.1 before FP1 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
44 CVE-2011-1847 264 2011-05-03 2012-01-26
4.9
None Remote Medium Single system None Partial Partial
IBM DB2 9.5 before FP7 and 9.7 before FP4 on Linux, UNIX, and Windows does not properly enforce privilege requirements for table access, which allows remote authenticated users to modify SYSSTAT.TABLES statistics columns via an UPDATE statement. NOTE: some of these details are obtained from third party information.
45 CVE-2011-1846 264 2011-05-03 2012-01-26
6.5
None Remote Low Single system Partial Partial Partial
IBM DB2 9.5 before FP7 and 9.7 before FP4 on Linux, UNIX, and Windows does not properly revoke role membership from groups, which allows remote authenticated users to execute non-DDL statements by leveraging previous inherited possession of a role, a different vulnerability than CVE-2011-0757. NOTE: some of these details are obtained from third party information.
46 CVE-2011-1839 200 +Info 2011-04-28 2011-05-02
5.0
None Remote Low Not required Partial None None
IBM Rational Build Forge 7.1.0 uses the HTTP GET method during redirection from the authentication servlet to a PHP script, which makes it easier for context-dependent attackers to discover session IDs by reading (1) web-server access logs, (2) web-server Referer logs, or (3) the browser history.
47 CVE-2011-1822 255 +Info 2011-04-21 2011-04-21
2.1
None Local Low Not required Partial None None
The LDAP_ADD implementation in IBM Tivoli Directory Server (TDS) 5.2 before 5.2.0.5-TIV-ITDS-IF0009 stores a cleartext SHA password in the change log, which might allow local users to obtain sensitive information by reading this log.
48 CVE-2011-1821 399 DoS 2011-04-21 2011-04-21
4.0
None Remote Low Single system None None Partial
IBM Tivoli Directory Server (TDS) 5.2 before 5.2.0.5-TIV-ITDS-IF0010 on Windows allows remote authenticated users to cause a denial of service (daemon hang) via a cn=changelog search.
49 CVE-2011-1820 200 +Info 2011-04-21 2011-04-21
1.7
None Local Low Single system Partial None None
IBM Tivoli Directory Server (TDS) 5.2 before 5.2.0.5-TIV-ITDS-IF0010, 6.0 before 6.0.0.67 (aka 6.0.0.8-TIV-ITDS-IF0009), 6.1 before 6.1.0.40 (aka 6.1.0.5-TIV-ITDS-IF0003), 6.2 before 6.2.0.16 (aka 6.2.0.3-TIV-ITDS-IF0002), and 6.3 before 6.3.0.3 (aka 6.3.0.0-TIV-ITDS-IF0003) does not properly handle the ibm-auditAttributesOnGroupEvalOp setting for auditing of extended operations, which might allow attackers to obtain sensitive information by reading the audit log.
50 CVE-2011-1683 264 2011-04-13 2011-04-21
6.8
None Remote Medium Not required Partial Partial Partial
IBM WebSphere Application Server (WAS) 6.0.x through 6.0.2.43, 6.1.x before 6.1.0.37, and 7.0.x before 7.0.0.17 on z/OS, when a Local OS user registry or Federated Repository with RACF adapter is used, allows remote attackers to obtain unspecified application access via unknown vectors.
Total number of vulnerabilities : 169   Page : 1 (This Page)2 3 4
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.