| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
36801 |
CVE-2016-5995 |
264 |
|
+Priv |
2016-09-30 |
2017-07-29 |
6.9 |
None |
Local |
Medium |
Not required |
Complete |
Complete |
Complete |
|
Untrusted search path vulnerability in IBM DB2 9.7 through FP11, 10.1 through FP5, 10.5 before FP8, and 11.1 GA on Linux, AIX, and HP-UX allows local users to gain privileges via a Trojan horse library that is accessed by a setuid or setgid program. |
|
36802 |
CVE-2016-5994 |
200 |
|
+Info |
2017-02-01 |
2017-07-28 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
IBM InfoSphere Information Server contains a vulnerability that would allow an authenticated user to browse any file on the engine tier, and examine its contents. |
|
36803 |
CVE-2016-5991 |
264 |
|
+Priv |
2016-11-24 |
2016-11-28 |
4.4 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
Partial |
|
IBM Sterling Connect:Direct 4.5.00, 4.5.01, 4.6.0 before 4.6.0.6 iFix008, and 4.7.0 before 4.7.0.4 on Windows allows local users to gain privileges via unspecified vectors. |
|
36804 |
CVE-2016-5990 |
284 |
|
|
2017-02-01 |
2017-02-07 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
IBM Security Privileged Identity Manager Virtual Appliance allows an authenticated user to upload malicious files that would be automatically executed by the server. |
|
36805 |
CVE-2016-5988 |
200 |
|
+Info |
2017-02-01 |
2017-02-07 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
IBM Security Privileged Identity Manager Virtual Appliance could disclose sensitive information in generated error messages that would be available to an authenticated user. |
|
36806 |
CVE-2016-5987 |
20 |
|
+Info |
2016-11-30 |
2016-11-30 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
IBM Maximo Asset Management 7.1 through 7.1.1.13, 7.5 before 7.5.0.10 IF4, and 7.6 before 7.6.0.5 IF3 allows remote attackers to obtain sensitive information via a crafted HTTP request that triggers construction of a runtime error message. |
|
36807 |
CVE-2016-5986 |
200 |
|
+Info |
2016-09-30 |
2017-07-29 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
IBM WebSphere Application Server (WAS) 7.x before 7.0.0.43, 8.0.x before 8.0.0.13, 8.5.x before 8.5.5.11, 9.0.x before 9.0.0.2, and Liberty before 16.0.0.3 mishandles responses, which allows remote attackers to obtain sensitive information via unspecified vectors. |
|
36808 |
CVE-2016-5985 |
119 |
|
Exec Code Overflow |
2017-02-01 |
2017-02-13 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
The IBM Tivoli Storage Manager (IBM Spectrum Protect) AIX client is vulnerable to a buffer overflow when Journal-Based Backup is enabled. A local attacker could overflow a buffer and execute arbitrary code on the system or cause a system crash. |
|
36809 |
CVE-2016-5984 |
79 |
|
XSS |
2017-02-01 |
2017-02-13 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
IBM InfoSphere Information Server is vulnerable to cross-frame scripting, caused by insufficient HTML iframe protection. A remote attacker could exploit this vulnerability using a specially-crafted URL to navigate to a web page the attacker controls. An attacker could use this vulnerability to conduct clickjacking or other client-side browser attacks. |
|
36810 |
CVE-2016-5983 |
284 |
|
Exec Code |
2016-10-05 |
2016-11-28 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.43, 8.0 before 8.0.0.13, 8.5 before 8.5.5.11, 9.0 before 9.0.0.2, and Liberty before 16.0.0.4 allows remote authenticated users to execute arbitrary Java code via a crafted serialized object. |
|
36811 |
CVE-2016-5979 |
264 |
|
|
2017-05-15 |
2017-05-23 |
4.0 |
None |
Remote |
Low |
Single system |
None |
None |
Partial |
|
IBM Distributed Marketing 8.6, 9.0, and 10.0 could allow a privileged authenticated user to create an instance that gets created with security profile not valid for the templates, that results in the new instance not accessible for the intended user. IBM X-Force ID: 116379. |
|
36812 |
CVE-2016-5977 |
601 |
|
|
2016-09-26 |
2016-11-28 |
4.9 |
None |
Remote |
Medium |
Single system |
Partial |
Partial |
None |
|
Open redirect vulnerability in the web portal in IBM Tealeaf Customer Experience before 8.7.1.8847 FP10, 8.8 before 8.8.0.9049 FP9, 9.0.0 and 9.0.1 before 9.0.1.1117 FP5, 9.0.1A before 9.0.1.5108_9.0.1A FP5, 9.0.2 before 9.0.2.1223 FP3, and 9.0.2A before 9.0.2.5224_9.0.2A FP3 allows remote authenticated users to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. |
|
36813 |
CVE-2016-5972 |
284 |
|
+Info |
2016-09-26 |
2016-11-28 |
4.9 |
None |
Remote |
Medium |
Single system |
Partial |
Partial |
None |
|
IBM Security Privileged Identity Manager (ISPIM) Virtual Appliance 2.x before 2.0.2 FP8 uses weak permissions for unspecified resources, which allows remote authenticated users to obtain sensitive information or modify data via unspecified vectors. |
|
36814 |
CVE-2016-5971 |
611 |
|
DoS |
2016-09-26 |
2016-11-28 |
5.5 |
None |
Remote |
Low |
Single system |
Partial |
None |
Partial |
|
IBM Security Privileged Identity Manager (ISPIM) Virtual Appliance 2.x before 2.0.2 FP8 allows remote authenticated users to read arbitrary files or cause a denial of service (memory consumption) via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. |
|
36815 |
CVE-2016-5970 |
22 |
|
Dir. Trav. |
2016-09-26 |
2016-11-28 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
Directory traversal vulnerability in IBM Security Privileged Identity Manager (ISPIM) Virtual Appliance 2.x before 2.0.2 FP8 allows remote authenticated users to read arbitrary files via a .. (dot dot) in a URL. |
|
36816 |
CVE-2016-5968 |
918 |
|
|
2016-11-24 |
2016-11-28 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
The Replay Server in IBM Tealeaf Customer Experience 8.x before 8.7.1.8847 FP10, 8.8.x before 8.8.0.9049 FP9, 9.0.0 and 9.0.1 before 9.0.1.1117 FP5, 9.0.1A before 9.0.1.5108 FP5, 9.0.2 before 9.0.2.1223 FP3, and 9.0.2A before 9.0.2.5224 FP3 allows remote attackers to conduct SSRF attacks via unspecified vectors. |
|
36817 |
CVE-2016-5966 |
200 |
|
+Info |
2017-02-01 |
2017-02-07 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
IBM Security Privileged Identity Manager Virtual Appliance could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. |
|
36818 |
CVE-2016-5964 |
284 |
|
|
2017-02-01 |
2017-02-13 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
IBM Security Privileged Identity Manager Virtual Appliance version 2.0.2 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. |
|
36819 |
CVE-2016-5963 |
284 |
|
Exec Code |
2016-09-26 |
2016-11-28 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
IBM Security Privileged Identity Manager (ISPIM) Virtual Appliance 2.x before 2.0.2 FP8 does not properly validate updates, which allows remote authenticated users to execute arbitrary code via unspecified vectors. |
|
36820 |
CVE-2016-5959 |
200 |
|
+Info |
2017-06-07 |
2017-06-13 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
IBM Security Privileged Identity Manager 2.0.2 and 2.1.0 stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. IBM X-Force ID: 116136. |
|
36821 |
CVE-2016-5958 |
200 |
|
+Info |
2017-02-01 |
2017-02-07 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
IBM Security Privileged Identity Manager could allow a remote attacker to obtain sensitive information, caused by the failure to set the secure flag for the session cookie in SSL mode. By intercepting its transmission within an HTTP session, an attacker could exploit this vulnerability to capture the cookie and obtain sensitive information. |
|
36822 |
CVE-2016-5957 |
310 |
|
+Info |
2016-09-26 |
2016-11-28 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
IBM Security Privileged Identity Manager (ISPIM) Virtual Appliance 2.x before 2.0.2 FP8 allows remote attackers to defeat cryptographic protection mechanisms and obtain sensitive information by leveraging a weak algorithm. |
|
36823 |
CVE-2016-5954 |
284 |
|
DoS |
2016-09-12 |
2016-11-28 |
4.0 |
None |
Remote |
Low |
Single system |
None |
None |
Partial |
|
IBM WebSphere Portal 6.1.0 through 6.1.0.6 CF27, 6.1.5 through 6.1.5.3 CF27, 7.0.0 through 7.0.0.2 CF30, 8.0.0 through 8.0.0.1 CF21, and 8.5.0 before CF12 allows remote authenticated users to cause a denial of service by uploading temporary files. |
|
36824 |
CVE-2016-5953 |
200 |
|
+Info |
2017-02-01 |
2017-02-15 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
IBM Sterling Order Management transmits the session identifier within the URL. When a user is unable to view a certain view due to not being allowed permissions, the website responds with an error page where the session identifier is encoded as Base64 in the URL. |
|
36825 |
CVE-2016-5952 |
89 |
|
Sql |
2017-02-01 |
2017-02-08 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
IBM Kenexa LCMS Premier on Cloud is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. |
|
36826 |
CVE-2016-5950 |
255 |
|
|
2017-02-01 |
2017-02-09 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
IBM Kenexa LCMS Premier on Cloud stores user credentials in plain in clear text which can be read by an authenticated user. |
|
36827 |
CVE-2016-5949 |
254 |
|
|
2017-02-01 |
2017-02-09 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
IBM Kenexa LCMS Premier on Cloud could allow an authenticated user to obtain sensitive user data with a specially crafted HTTP request. |
|
36828 |
CVE-2016-5946 |
200 |
|
Dir. Trav. +Info |
2016-09-26 |
2016-11-28 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
Directory traversal vulnerability in IBM Spectrum Control (formerly Tivoli Storage Productivity Center) 5.2.x before 5.2.11 allows remote authenticated users to read arbitrary files via a .. (dot dot) in a URL. |
|
36829 |
CVE-2016-5945 |
284 |
|
|
2016-09-26 |
2016-11-28 |
4.0 |
None |
Remote |
Low |
Single system |
None |
Partial |
None |
|
IBM Spectrum Control (formerly Tivoli Storage Productivity Center) 5.2.x before 5.2.11 allows remote authenticated users to upload non-executable files via a crafted HTTP request. |
|
36830 |
CVE-2016-5943 |
284 |
|
Bypass |
2016-09-26 |
2017-11-13 |
5.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
None |
|
IBM Spectrum Control (formerly Tivoli Storage Productivity Center) 5.2.x before 5.2.11 allows remote authenticated users to bypass intended access restrictions, and read task details or edit properties, via unspecified vectors. |
|
36831 |
CVE-2016-5939 |
89 |
|
Sql |
2017-02-01 |
2017-06-08 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
IBM Kenexa LMS on Cloud is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. |
|
36832 |
CVE-2016-5937 |
352 |
|
CSRF |
2017-02-01 |
2017-02-08 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
IBM Kenexa LCMS Premier on Cloud is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. |
|
36833 |
CVE-2016-5935 |
200 |
|
+Info |
2017-02-02 |
2017-02-15 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
IBM Jazz for Service Management could allow a remote attacker to obtain sensitive information, caused by the failure to properly validate the SSL certificate. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. |
|
36834 |
CVE-2016-5934 |
264 |
|
Exec Code |
2017-02-08 |
2017-02-15 |
6.9 |
None |
Local |
Medium |
Not required |
Complete |
Complete |
Complete |
|
IBM Tivoli Storage Manager FastBack installer could allow a remote attacker to execute arbitrary code on the system. By placing a specially-crafted DLL in the victim's path, an attacker could exploit this vulnerability when the installer is executed to run arbitrary code on the system with privileges of the victim. |
|
36835 |
CVE-2016-5933 |
254 |
|
Bypass |
2017-03-08 |
2017-03-09 |
4.9 |
None |
Remote |
Medium |
Single system |
Partial |
Partial |
None |
|
IBM Tivoli Monitoring 6.2 and 6.3 is vulnerable to possible host header injection attack that could lead to HTTP cache poisoning or firewall bypass. IBM Reference #: 1997223. |
|
36836 |
CVE-2016-5919 |
326 |
|
|
2017-02-16 |
2017-07-24 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
IBM Security Access Manager for Web 7.0.0, 8.0.0, and 9.0.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM Reference #: 1996868. |
|
36837 |
CVE-2016-5902 |
79 |
|
XSS |
2017-02-08 |
2017-02-13 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
IBM Maximo Asset Management is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. |
|
36838 |
CVE-2016-5900 |
200 |
|
+Info |
2017-02-08 |
2017-02-16 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
IBM Tealeaf Customer Experience on Cloud Network Capture Add-On could allow a remote attacker to obtain sensitive information, caused by the failure to properly validate the TLS certificate. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. |
|
36839 |
CVE-2016-5898 |
254 |
|
+Info |
2017-02-01 |
2017-02-07 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
IBM Jazz Reporting Service (JRS) could allow a remote attacker to obtain sensitive information, caused by not restricting JSON serialization. By sending a direct request, an attacker could exploit this vulnerability to obtain sensitive information. |
|
36840 |
CVE-2016-5896 |
200 |
|
+Info |
2017-02-01 |
2017-02-13 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
IBM Maximo Asset Management could disclose sensitive information from a stack trace after submitting incorrect login onto Cognos browser. |
|
36841 |
CVE-2016-5889 |
352 |
|
CSRF |
2017-05-10 |
2017-05-15 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
IBM Interact 8.6, 9.0, 9.1, and 10.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 115085. |
|
36842 |
CVE-2016-5884 |
79 |
|
XSS |
2017-02-01 |
2017-07-27 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
IBM iNotes is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. |
|
36843 |
CVE-2016-5883 |
79 |
|
XSS |
2017-02-23 |
2017-07-24 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
IBM iNotes 8.5 and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM Reference #: 1997010. |
|
36844 |
CVE-2016-5882 |
79 |
|
XSS |
2017-02-01 |
2017-07-27 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
IBM iNotes is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. |
|
36845 |
CVE-2016-5881 |
79 |
|
XSS |
2017-02-01 |
2017-07-26 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
IBM iNotes is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. |
|
36846 |
CVE-2016-5879 |
20 |
|
Exec Code |
2016-09-02 |
2016-11-28 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
MQCLI on IBM MQ Appliance M2000 and M2001 devices allows local users to execute arbitrary shell commands via a crafted (1) Disaster Recovery or (2) High Availability command. |
|
36847 |
CVE-2016-5878 |
601 |
|
|
2016-08-07 |
2016-11-28 |
4.9 |
None |
Remote |
Medium |
Single system |
Partial |
Partial |
None |
|
Open redirect vulnerability in IBM FileNet Workplace 4.0.2 before 4.0.2.14 allows remote authenticated users to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. |
|
36848 |
CVE-2016-5876 |
264 |
|
|
2017-01-23 |
2017-01-31 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
ownCloud server before 8.2.6 and 9.x before 9.0.3, when the gallery app is enabled, allows remote attackers to download arbitrary images via a direct request. |
|
36849 |
CVE-2016-5874 |
20 |
|
DoS |
2016-07-22 |
2016-11-28 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Siemens SIMATIC NET PC-Software before 13 SP2 allows remote attackers to cause a denial of service (OPC UA service outage) via crafted TCP packets. |
|
36850 |
CVE-2016-5873 |
119 |
|
Exec Code Overflow |
2017-01-23 |
2018-01-13 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Buffer overflow in the HTTP URL parsing functions in pecl_http before 3.0.1 might allow remote attackers to execute arbitrary code via non-printable characters in a URL. |
