| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
28351 |
CVE-2016-8998 |
119 |
|
Exec Code Overflow |
2017-02-24 |
2017-03-01 |
6.0 |
None |
Remote |
Medium |
Single system |
Partial |
Partial |
Partial |
|
IBM Tivoli Storage Manager Server 7.1 could allow an authenticated user with TSM administrator privileges to cause a buffer overflow using a specially crafted SQL query and execute arbitrary code on the server. IBM Reference #: 1998747. |
|
28352 |
CVE-2016-8987 |
200 |
|
+Info |
2017-06-08 |
2017-06-12 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
IBM Maximo Asset Management 7.1, 7.5, and 7.6 could allow an authenticated user to view incorrect item sets that they should not have access to view. |
|
28353 |
CVE-2016-8986 |
284 |
|
|
2017-02-22 |
2017-03-01 |
4.0 |
None |
Remote |
Low |
Single system |
None |
None |
Partial |
|
IBM WebSphere MQ 8.0 could allow an authenticated user with access to the queue manager to bring down MQ channels using specially crafted HTTP requests. IBM Reference #: 1998648. |
|
28354 |
CVE-2016-8982 |
200 |
|
+Info |
2017-02-01 |
2017-07-25 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
IBM InfoSphere Information Server stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. |
|
28355 |
CVE-2016-8981 |
200 |
|
+Info |
2017-02-01 |
2017-02-13 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
IBM BigFix Inventory v9 allows web pages to be stored locally which can be read by another user on the system. |
|
28356 |
CVE-2016-8977 |
200 |
|
+Info |
2017-02-01 |
2017-02-13 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
IBM BigFix Inventory v9 could disclose sensitive information to an unauthorized user using HTTP GET requests. This information could be used to mount further attacks against the system. |
|
28357 |
CVE-2016-8975 |
79 |
|
XSS |
2017-07-24 |
2017-08-05 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
IBM Rhapsody DM 5.0 and 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 118912. |
|
28358 |
CVE-2016-8973 |
434 |
|
|
2017-03-20 |
2017-03-23 |
4.0 |
None |
Remote |
Low |
Single system |
None |
Partial |
None |
|
IBM Rhapsody DM 4.0, 5.0 and 6.0 contains an undisclosed vulnerability that may allow an authenticated user to upload infected malicious files to the server. IBM Reference #: 1999960. |
|
28359 |
CVE-2016-8971 |
119 |
|
Overflow |
2017-03-07 |
2017-03-09 |
6.8 |
None |
Remote |
Low |
Single system |
None |
None |
Complete |
|
IBM WebSphere MQ 8.0 could allow an authenticated user with queue manager permissions to cause a segmentation fault which would result in the box having to be rebooted to resume normal operations. IBM Reference #: 1998663. |
|
28360 |
CVE-2016-8968 |
79 |
|
XSS |
2017-02-15 |
2017-07-24 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
IBM Jazz Foundation is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM Reference #: 1998515. |
|
28361 |
CVE-2016-8967 |
255 |
|
|
2017-02-01 |
2017-02-09 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
IBM BigFix Inventory v9 9.2 stores user credentials in plain in clear text which can be read by a local user. |
|
28362 |
CVE-2016-8966 |
200 |
|
+Info |
2017-02-01 |
2017-02-13 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
IBM BigFix Inventory v9 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. |
|
28363 |
CVE-2016-8964 |
254 |
|
|
2017-07-13 |
2019-05-06 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
IBM BigFix Inventory v9 9.2 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 118853. |
|
28364 |
CVE-2016-8963 |
200 |
|
+Info |
2017-02-01 |
2017-02-13 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
IBM BigFix Inventory v9 stores potentially sensitive information in log files that could be read by a local user. |
|
28365 |
CVE-2016-8962 |
255 |
|
|
2017-04-26 |
2017-07-10 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
IBM BigFix Inventory 9.2 does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts. IBM X-Force ID: 118851. |
|
28366 |
CVE-2016-8961 |
601 |
|
+Info |
2017-02-01 |
2017-02-13 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
IBM BigFix Inventory v9 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim. |
|
28367 |
CVE-2016-8960 |
264 |
|
|
2017-03-27 |
2017-03-29 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
IBM Cognos Business Intelligence 10.2 could allow a user with lower privilege Capabilities to adopt the Capabilities of a higher-privilege user by intercepting the higher-privilege user's cookie value from its HTTP request and then reusing it in subsequent requests. IBM Reference #: 1993718. |
|
28368 |
CVE-2016-8953 |
601 |
|
+Info |
2017-07-12 |
2017-07-21 |
4.9 |
None |
Remote |
Medium |
Single system |
Partial |
Partial |
None |
|
IBM Emptoris Sourcing 9.5.x through 10.1.x could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim. IBM X-Force ID: 118840. |
|
28369 |
CVE-2016-8952 |
79 |
|
XSS |
2017-07-13 |
2017-07-19 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
IBM Emptoris Strategic Supply Management Platform 10.0.0.x through 10.1.1.x is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 118839. |
|
28370 |
CVE-2016-8951 |
287 |
|
DoS |
2017-07-13 |
2017-07-19 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
IBM Emptoris Strategic Supply Management Platform 10.0.0.x through 10.1.1.x is vulnerable to a denial of service attack. An attacker can exploit a vulnerability in the authentication features that could log out users and flood user accounts with emails. IBM X-Force ID: 118838. |
|
28371 |
CVE-2016-8950 |
79 |
|
XSS |
2017-07-12 |
2017-07-27 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
IBM Emptoris Sourcing 9.5.x through 10.1.x is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 118837. |
|
28372 |
CVE-2016-8949 |
601 |
|
+Info |
2017-08-09 |
2017-08-20 |
4.9 |
None |
Remote |
Medium |
Single system |
Partial |
Partial |
None |
|
IBM Emptoris Supplier Lifecycle Management 10.0.x and 10.1.x could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim. IBM X-Force ID: 118836. |
|
28373 |
CVE-2016-8948 |
79 |
|
XSS |
2017-07-12 |
2017-07-21 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
IBM Emptoris Sourcing 9.5.x through 10.1.x is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 118835. |
|
28374 |
CVE-2016-8947 |
601 |
|
+Info |
2017-07-12 |
2017-07-27 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
IBM Emptoris Sourcing 9.5.x through 10.1.x could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim. IBM X-Force ID: 118834 |
|
28375 |
CVE-2016-8946 |
79 |
|
XSS |
2017-07-12 |
2017-07-20 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
IBM Emptoris Sourcing 9.5.x through 10.1.x is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 118833. |
|
28376 |
CVE-2016-8944 |
20 |
|
|
2017-02-15 |
2017-07-24 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
IBM AIX 7.1 and 7.2 allows a local user to open a file with a specially crafted argument that would crash the system. IBM APARs: IV91488, IV91487, IV91456, IV90234. |
|
28377 |
CVE-2016-8943 |
79 |
|
XSS |
2017-02-01 |
2017-02-13 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
IBM Tivoli Storage Productivity Center is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. |
|
28378 |
CVE-2016-8942 |
284 |
|
|
2017-02-01 |
2017-02-13 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
IBM Tivoli Storage Productivity Center could allow an authenticated user with intimate knowledge of the system to edit a limited set of properties on the server. |
|
28379 |
CVE-2016-8941 |
352 |
|
CSRF |
2017-02-01 |
2017-06-08 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
IBM Tivoli Storage Productivity Center is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. |
|
28380 |
CVE-2016-8940 |
200 |
|
+Info |
2017-03-07 |
2017-03-14 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
IBM Tivoli Storage Manager (IBM Spectrum Protect) 6.1, 6.2, 6.3, and 7.1 does not perform sufficient authority checking on SQL queries. As a result, an attacker is able to submit SQL queries that access database tables that are not intended for access or use by administrators. The access of these product specific database tables may allow access to passwords or other sensitive information for the product. IBM Reference #: 1998946. |
|
28381 |
CVE-2016-8939 |
200 |
|
+Info |
2017-06-07 |
2018-01-15 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
IBM Tivoli Storage Manager (IBM Spectrum Protect 7.1 and 8.1) clients/agents store password information in the Windows Registry in a manner which can be compromised. IBM X-Force ID: 118790. |
|
28382 |
CVE-2016-8937 |
287 |
|
|
2017-10-05 |
2017-10-25 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The IBM Tivoli Storage Manager (IBM Spectrum Protect 7.1 and 8.1) default authentication protocol is vulnerable to a brute force attack due to disclosing too much information during authentication. An attacker could gain user or administrative access to the TSM server. IBM X-Force ID: 118750. |
|
28383 |
CVE-2016-8936 |
79 |
|
XSS |
2017-02-01 |
2017-02-15 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
IBM Social Rendering Templates for Digital Data Connector is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. |
|
28384 |
CVE-2016-8935 |
79 |
|
XSS |
2017-03-31 |
2017-04-04 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
IBM Kenexa LMS on Cloud 13.1, 13.2, 13.2.2, 13.2.3, 13.2.4 and 14.0.0 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM Reference #: 1999483. |
|
28385 |
CVE-2016-8934 |
79 |
|
XSS |
2017-02-01 |
2017-02-09 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
IBM WebSphere Application Server is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. |
|
28386 |
CVE-2016-8933 |
22 |
|
Dir. Trav. |
2017-02-01 |
2017-02-07 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
IBM Kenexa LMS on Cloud could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing dot dot sequences (/../) to view arbitrary files on the system. |
|
28387 |
CVE-2016-8932 |
284 |
|
Exec Code |
2017-02-01 |
2017-02-07 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
IBM Kenexa LMS on Cloud could allow a remote attacker to upload arbitrary files, which could allow the attacker to execute arbitrary code on the vulnerable server. |
|
28388 |
CVE-2016-8931 |
284 |
|
Exec Code |
2017-02-01 |
2017-02-07 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
IBM Kenexa LMS on Cloud could allow a remote attacker to upload arbitrary files, which could allow the attacker to execute arbitrary code on the vulnerable server. |
|
28389 |
CVE-2016-8930 |
89 |
|
Sql |
2017-02-01 |
2017-02-07 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
IBM Kenexa LMS on Cloud is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. |
|
28390 |
CVE-2016-8929 |
89 |
|
Sql |
2017-02-01 |
2017-02-07 |
5.5 |
None |
Remote |
Low |
Single system |
None |
Partial |
Partial |
|
IBM Kenexa LMS on Cloud is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. |
|
28391 |
CVE-2016-8928 |
89 |
|
Sql |
2017-02-01 |
2017-02-07 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
IBM Kenexa LMS on Cloud is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. |
|
28392 |
CVE-2016-8927 |
79 |
|
XSS |
2017-04-14 |
2017-04-20 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
IBM Tivoli Application Dependency Discovery Manager 7.2.2 and 7.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 118540. |
|
28393 |
CVE-2016-8926 |
200 |
|
+Info |
2017-04-14 |
2017-04-20 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
IBM Tivoli Application Dependency Discovery Manager 7.2.2 and 7.3 could allow a remote attacker to read system files or data that is restricted to authorized users. IBM X-Force ID: 118539. |
|
28394 |
CVE-2016-8925 |
200 |
|
+Info |
2017-04-14 |
2017-04-20 |
6.8 |
None |
Remote |
Low |
Single system |
Complete |
None |
None |
|
IBM Tivoli Application Dependency Discovery Manager 7.2.2 and 7.3 could allow a remote attacker to include arbitrary files which could allow the attacker to read any file on the system. IBM X-Force ID: 118538. |
|
28395 |
CVE-2016-8924 |
79 |
|
XSS |
2017-04-26 |
2017-05-03 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
IBM Maximo Asset Management 7.1, 7.5 and 7.6 could allow a remote attacker to hijack a user's session, caused by the failure to invalidate an existing session identifier. An attacker could exploit this vulnerability to gain access to another user's session. IBM X-Force ID: 118537. |
|
28396 |
CVE-2016-8923 |
200 |
|
+Info |
2017-04-20 |
2017-04-26 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
IBM Curam Social Program Management 5.2, 6.0, and 7.0 contains a vulnerability that would allow an authorized user to obtain sensitive information from the profile of a higher privileged user that they should not have access to. IBM X-Force ID: 118536. |
|
28397 |
CVE-2016-8922 |
79 |
|
XSS |
2017-02-01 |
2017-02-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Exphox WebRadar is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. |
|
28398 |
CVE-2016-8921 |
434 |
|
Exec Code |
2017-02-01 |
2017-02-13 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
IBM FileNet WorkPlace XT could allow a remote attacker to upload arbitrary files, which could allow the attacker to execute arbitrary code on the vulnerable server. |
|
28399 |
CVE-2016-8920 |
79 |
|
XSS |
2017-02-01 |
2017-02-05 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
IBM Kenexa LMS on Cloud 13.1 and 13.2 - 13.2.4 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. |
|
28400 |
CVE-2016-8918 |
255 |
|
|
2017-02-01 |
2017-02-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
IBM Integration Bus, under non default configurations, could allow a remote user to authenticate without providing valid credentials. |
