| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
31451 |
CVE-2016-3025 |
254 |
|
|
2016-11-24 |
2016-11-28 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
IBM Security Access Manager for Mobile 8.x before 8.0.1.4 IF3 and Security Access Manager 9.x before 9.0.1.0 IF5 do not properly restrict failed login attempts, which makes it easier for remote attackers to obtain access via a brute-force approach. |
|
31452 |
CVE-2016-3024 |
200 |
|
+Info |
2017-02-01 |
2017-02-09 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
IBM Security Access Manager for Web allows web pages to be stored locally which can be read by another user on the system. |
|
31453 |
CVE-2016-3023 |
200 |
|
+Info |
2017-02-01 |
2017-02-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
IBM Security Access Manager for Web could allow an unauthenticated user to gain access to sensitive information by entering invalid file names. |
|
31454 |
CVE-2016-3022 |
275 |
|
|
2017-02-01 |
2017-02-09 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
IBM Security Access Manager for Web could allow an authenticated user to gain access to highly sensitive information due to incorrect file permissions. |
|
31455 |
CVE-2016-3021 |
200 |
|
+Info |
2017-02-01 |
2017-02-09 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
IBM Security Access Manager for Web could allow an authenticated attacker to obtain sensitive information from error message using a specially crafted HTTP request. |
|
31456 |
CVE-2016-3020 |
284 |
|
Bypass |
2017-02-07 |
2017-02-13 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
IBM Security Access Manager for Web 7.0.0, 8.0.0, and 9.0.0 could allow a remote attacker to bypass security restrictions, caused by improper content validation. By persuading a victim to open specially-crafted content, an attacker could exploit this vulnerability to bypass validation and load a page with malicious content. |
|
31457 |
CVE-2016-3019 |
326 |
|
|
2017-06-07 |
2017-07-07 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
IBM Security Access Manager for Web 9.0.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 114462. |
|
31458 |
CVE-2016-3018 |
79 |
|
XSS |
2017-02-01 |
2017-03-01 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
IBM Security Access Manager for Web is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. |
|
31459 |
CVE-2016-3017 |
358 |
|
+Info |
2017-02-01 |
2017-02-07 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
IBM Security Access Manager for Web could allow a remote attacker to obtain sensitive information due to security misconfigurations. |
|
31460 |
CVE-2016-3016 |
345 |
|
|
2017-02-01 |
2017-02-07 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
IBM Security Access Manager for Web processes patches, image backups and other updates without sufficiently verifying the origin and integrity of the code, which could allow an authenticated attacker to load malicious code. |
|
31461 |
CVE-2016-3015 |
79 |
|
XSS |
2017-04-05 |
2019-09-30 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
IBM Cognos Analytics 11.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM Reference #: 1998887. |
|
31462 |
CVE-2016-3014 |
79 |
|
XSS |
2016-11-30 |
2017-07-28 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in IBM Rational Collaborative Lifecycle Management 4.0 before 4.0.7 iFix11 and 5.0 before 5.0.2 iFix17, Rational Quality Manager 4.0 before 4.0.7 iFix11 and 5.0 before 5.0.2 iFix17, Rational Team Concert 4.0 before 4.0.7 iFix11 and 5.0 before 5.0.2 iFix17, Rational DOORS Next Generation 4.0 before 4.0.7 iFix11 and 5.0 before 5.0.2 iFix17, Rational Engineering Lifecycle Manager 4.x before 4.0.7 iFix11 and 5.0 before 5.0.2 iFix17, Rational Rhapsody Design Manager 4.0 before 4.0.7 iFix11 and 5.0 before 5.0.2 iFix17, and Rational Software Architect Design Manager 4.0 before 4.0.7 iFix11 and 5.0 before 5.0.2 iFix17 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. |
|
31463 |
CVE-2016-3013 |
19 |
|
|
2017-02-22 |
2017-03-01 |
4.0 |
None |
Remote |
Low |
Single system |
None |
None |
Partial |
|
IBM WebSphere MQ 8.0 could allow an authenticated user to crash the MQ channel due to improper data conversion handling. IBM Reference #: 1998661. |
|
31464 |
CVE-2016-3012 |
200 |
|
Bypass +Info |
2016-12-01 |
2016-12-01 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
IBM API Connect (aka APIConnect) before 5.0.3.0 with NPM before 2.2.8 includes certain internal server credentials in the software package, which might allow remote attackers to bypass intended access restrictions by leveraging knowledge of these credentials. |
|
31465 |
CVE-2016-3010 |
79 |
|
XSS |
2016-09-01 |
2016-11-28 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Web UI in IBM Connections 4.0 through CR4, 4.5 through CR5, 5.0 before CR4, and 5.5 before CR1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2016-2995, CVE-2016-2997, and CVE-2016-3005. |
|
31466 |
CVE-2016-3009 |
352 |
|
CSRF |
2016-11-30 |
2016-11-30 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Cross-site request forgery (CSRF) vulnerability in IBM Connections 4.0 through CR4, 4.5 through CR5, and 5.0 before CR4 allows remote authenticated users to hijack the authentication of arbitrary users for requests that modify the Connections generic page. |
|
31467 |
CVE-2016-3008 |
79 |
|
XSS |
2016-09-01 |
2016-11-28 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Web UI in IBM Connections 5.0 before CR4 and 5.5 before CR1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2016-2954 and CVE-2016-2956. |
|
31468 |
CVE-2016-3007 |
352 |
|
CSRF |
2016-09-26 |
2016-11-28 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in IBM Connections 4.x through 4.5 CR5, 5.0 before CR4, and 5.5 before CR1 allows remote authenticated users to hijack the authentication of arbitrary users. |
|
31469 |
CVE-2016-3006 |
79 |
|
XSS |
2016-09-26 |
2016-11-28 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Web UI in IBM Connections 4.x through 4.5 CR5, 5.0 before CR4, and 5.5 before CR1 allows remote authenticated users to inject arbitrary web script or HTML via an embedded string, a different vulnerability than CVE-2016-3001 and CVE-2016-3003. |
|
31470 |
CVE-2016-3005 |
79 |
|
XSS |
2016-09-01 |
2016-11-28 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Web UI in IBM Connections 4.0 through CR4, 4.5 through CR5, 5.0 before CR4, and 5.5 before CR1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2016-2995, CVE-2016-2997, and CVE-2016-3010. |
|
31471 |
CVE-2016-3004 |
352 |
|
CSRF |
2016-11-30 |
2016-11-30 |
4.9 |
None |
Remote |
Medium |
Single system |
None |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in IBM Connections 4.0 through CR4, 4.5 through CR5, and 5.0 before CR4 allows remote authenticated users to hijack the authentication of arbitrary users for requests that modify the set of available applications. |
|
31472 |
CVE-2016-3003 |
79 |
|
XSS |
2016-09-26 |
2016-11-28 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Web UI in IBM Connections 4.x through 4.5 CR5, 5.0 before CR4, and 5.5 before CR1 allows remote authenticated users to inject arbitrary web script or HTML via an embedded string, a different vulnerability than CVE-2016-3001 and CVE-2016-3006. |
|
31473 |
CVE-2016-3002 |
200 |
|
+Info |
2016-11-30 |
2016-11-30 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
IBM Connections 4.0 through CR4, 4.5 through CR5, and 5.0 before CR4 allows physically proximate attackers to obtain sensitive information by reading cached data on a client device. |
|
31474 |
CVE-2016-3001 |
79 |
|
XSS |
2016-09-26 |
2016-11-28 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Web UI in IBM Connections 4.x through 4.5 CR5, 5.0 before CR4, and 5.5 before CR1 allows remote authenticated users to inject arbitrary web script or HTML via an embedded string, a different vulnerability than CVE-2016-3003 and CVE-2016-3006. |
|
31475 |
CVE-2016-3000 |
20 |
|
DoS |
2016-09-26 |
2016-11-28 |
4.0 |
None |
Remote |
Low |
Single system |
None |
None |
Partial |
|
The help service in IBM Connections 4.x through 4.5 CR5, 5.0 before CR4, and 5.5 before CR1 allows remote authenticated users to cause a denial of service (service degradation) via a crafted URL. |
|
31476 |
CVE-2016-2999 |
200 |
|
+Info |
2016-09-26 |
2016-11-28 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
IBM Connections 4.x through 4.5 CR5, 5.0 before CR4, and 5.5 before CR1 allows remote authenticated users to obtain sensitive information via an unspecified brute-force attack. |
|
31477 |
CVE-2016-2998 |
352 |
|
CSRF |
2016-09-01 |
2016-11-28 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Cross-site request forgery (CSRF) vulnerability in IBM Connections 4.0 through CR4, 4.5 through CR5, 5.0 before CR4, and 5.5 before CR1 allows remote authenticated users to hijack the authentication of arbitrary users for requests that update data. |
|
31478 |
CVE-2016-2997 |
79 |
|
XSS |
2016-09-01 |
2016-11-28 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Web UI in IBM Connections 4.0 through CR4, 4.5 through CR5, 5.0 before CR4, and 5.5 before CR1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2016-2995, CVE-2016-3005, and CVE-2016-3010. |
|
31479 |
CVE-2016-2996 |
20 |
|
|
2016-11-24 |
2016-11-25 |
4.0 |
None |
Remote |
Low |
Single system |
None |
Partial |
None |
|
IBM Security Privileged Identity Manager 2.0 before 2.0.2 FP8, when Virtual Appliance is used, allows remote authenticated users to append to arbitrary files via unspecified vectors. |
|
31480 |
CVE-2016-2995 |
79 |
|
XSS |
2016-09-01 |
2016-11-28 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Web UI in IBM Connections 4.0 through CR4, 4.5 through CR5, 5.0 before CR4, and 5.5 before CR1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2016-2997, CVE-2016-3005, and CVE-2016-3010. |
|
31481 |
CVE-2016-2994 |
79 |
|
XSS |
2016-12-01 |
2016-12-06 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in IBM UrbanCode Deploy 6.2.x before 6.2.1.2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. |
|
31482 |
CVE-2016-2992 |
79 |
|
XSS |
2017-02-01 |
2017-02-15 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
IBM Infosphere BigInsights is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. |
|
31483 |
CVE-2016-2991 |
79 |
|
XSS |
2016-12-01 |
2016-12-01 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in IBM Lotus Protector for Mail Security 2.8.0.0 through 2.8.1.0 before 2.8.1.0-22115 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. |
|
31484 |
CVE-2016-2989 |
284 |
|
|
2016-08-07 |
2017-08-31 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Open redirect vulnerability in the Connections Portlets component 5.x before 5.0.2 for IBM WebSphere Portal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. |
|
31485 |
CVE-2016-2988 |
264 |
|
Bypass |
2016-11-24 |
2016-11-25 |
4.6 |
None |
Remote |
High |
Single system |
Partial |
Partial |
Partial |
|
IBM Tivoli Storage Manger for Virtual Environments: Data Protection for VMware (aka Spectrum Protect for Virtual Environments) 6.4.x before 6.4.3.4 and 7.1.x before 7.1.6 allows remote authenticated users to bypass a TSM credential requirement and obtain administrative access by leveraging multiple simultaneous logins. |
|
31486 |
CVE-2016-2987 |
200 |
|
+Info |
2017-02-01 |
2017-02-07 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
An undisclosed vulnerability in CLM applications may result in some administrative deployment parameters being shown to an attacker. |
|
31487 |
CVE-2016-2986 |
79 |
|
XSS |
2016-11-24 |
2016-11-28 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in IBM Rational Collaborative Lifecycle Management 6.x before 6.0.1 iFix6, Rational Quality Manager 6.x before 6.0.1 iFix6, Rational Team Concert 6.x before 6.0.1 iFix6, Rational DOORS Next Generation 6.x before 6.0.1 iFix6, Rational Engineering Lifecycle Manager 6.x before 6.0.1 iFix6, and Rational Rhapsody Design Manager 6.x before 6.0.1 iFix6 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. |
|
31488 |
CVE-2016-2985 |
264 |
|
+Priv |
2016-11-24 |
2016-11-28 |
6.9 |
None |
Local |
Medium |
Not required |
Complete |
Complete |
Complete |
|
IBM Spectrum Scale 4.1.1.x before 4.1.1.8 and 4.2.x before 4.2.0.4 and General Parallel File System (GPFS) 3.5.x before 3.5.0.32 and 4.1.x before 4.1.1.8 allow local users to gain privileges via crafted environment variables to a /usr/lpp/mmfs/bin/ setuid program. |
|
31489 |
CVE-2016-2984 |
264 |
|
+Priv |
2016-11-24 |
2016-11-28 |
6.9 |
None |
Local |
Medium |
Not required |
Complete |
Complete |
Complete |
|
IBM Spectrum Scale 4.1.1.x before 4.1.1.8 and 4.2.x before 4.2.0.4 and General Parallel File System (GPFS) 3.5.x before 3.5.0.32 and 4.1.x before 4.1.1.8 allow local users to gain privileges via crafted command-line parameters to a /usr/lpp/mmfs/bin/ setuid program. |
|
31490 |
CVE-2016-2983 |
20 |
|
DoS Bypass |
2018-01-26 |
2018-02-07 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
IBM Tealeaf Customer Experience 8.7, 8.8, and 9.0.2 could allow a remote attacker under unusual circumstances to read operational data or TLS session state for any active sessions, cause denial of service, or bypass security. IBM X-Force ID: 113999. |
|
31491 |
CVE-2016-2981 |
200 |
|
+Info |
2017-03-20 |
2017-03-23 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An undisclosed vulnerability in the CLM applications in IBM Jazz Team Server may allow unauthorized access to user credentials. IBM Reference #: 1999965. |
|
31492 |
CVE-2016-2980 |
74 |
|
|
2017-08-29 |
2017-09-02 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The Sametime WebPlayer 8.5.2 and 9.0 is vulnerable to a script injection where a malicious site can inject their own script by exploiting a vulnerability in the way that the WebPlayer works. IBM X-Force ID: 113993. |
|
31493 |
CVE-2016-2979 |
79 |
|
XSS |
2017-08-29 |
2017-09-06 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
IBM Sametime Meeting Server 8.5.2 and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 113945. |
|
31494 |
CVE-2016-2978 |
200 |
|
+Info |
2017-08-29 |
2017-09-02 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
IBM Sametime 8.5.2 and 9.0 could store potentially sensitive information from the browser cache locally that could be available to a local user. IBM X-Force ID: 113938. |
|
31495 |
CVE-2016-2977 |
20 |
|
|
2017-08-29 |
2017-09-06 |
4.0 |
None |
Remote |
Low |
Single system |
None |
Partial |
None |
|
IBM Sametime Meeting Server 8.5.2 and 9.0 could allow a malicious user to lower other users hands in the meeting. IBM X-Force ID: 113937. |
|
31496 |
CVE-2016-2976 |
200 |
|
+Info |
2017-08-29 |
2017-09-02 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
IBM Sametime Meeting Server 8.5.2 and 9.0 could allow a meeting invitee to obtain previously cleared sensitive information by viewing the meeting report history. IBM X-Force ID: 113936. |
|
31497 |
CVE-2016-2975 |
79 |
|
XSS |
2017-08-29 |
2017-09-02 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
IBM Sametime 8.5.2 and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 113935. |
|
31498 |
CVE-2016-2974 |
200 |
|
+Info |
2017-08-29 |
2017-09-01 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
IBM Sametime Connect 8.5.2 and 9.0, after uninstalling the Sametime Rich Client, could disclose potentially sensitive information related to the Sametime environment as well as other users on the local machine of the user. IBM X-Force ID: 113934. |
|
31499 |
CVE-2016-2973 |
79 |
|
XSS |
2017-08-29 |
2017-09-06 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
IBM Sametime Media Services 8.5.2 and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 113899. |
|
31500 |
CVE-2016-2972 |
255 |
|
|
2017-08-29 |
2017-09-06 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
IBM Sametime Meeting Server 8.5.2 and 9.0 could store credentials of the Sametime Meetings user in the local cache of their browser which could be accessed by a local user. IBM X-Force ID: 113855. |
