| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2018-18202 |
255 |
|
|
2018-10-09 |
2018-12-12 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The QLogic 4Gb Fibre Channel 5.5.2.6.0 and 4/8Gb SAN 7.10.1.20.0 modules for IBM BladeCenter have an undocumented support account with a support password, an undocumented diags account with a diags password, and an undocumented prom account with a prom password. |
|
2 |
CVE-2018-2026 |
200 |
|
+Info |
2019-01-23 |
2019-01-23 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
IBM Financial Transaction Manager 3.2.1 for Digital Payments could allow an authenticated user to obtain a directory listing of internal product files. IBM X-Force ID: 155552. |
|
3 |
CVE-2018-2019 |
611 |
|
|
2019-01-18 |
2019-01-24 |
5.5 |
None |
Remote |
Low |
Single system |
Partial |
None |
Partial |
|
IBM Security Identity Manager 6.0.0 Virtual Appliance is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 155265. |
|
4 |
CVE-2018-1993 |
200 |
|
+Info |
2019-01-08 |
2019-01-14 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
IBM Spectrum Scale (GPFS) 4.1.1, 4.2.0, 4.2.1, 4.2.2, 4.2.3, and 5.0.0 where the use of Local Read Only Cache (LROC) is enabled may caused read operation on a file to return data from a different file. IBM X-Force ID: 154440. |
|
5 |
CVE-2018-1977 |
20 |
|
DoS |
2018-12-14 |
2019-01-07 |
4.0 |
None |
Remote |
Low |
Single system |
None |
None |
Partial |
|
IBM DB2 for Linux, UNIX and Windows 11.1 (includes DB2 Connect Server) contains a denial of service vulnerability. A remote, authenticated DB2 user could exploit this vulnerability by issuing a specially-crafted SELECT statement with TRUNCATE function. IBM X-Force ID: 154032. |
|
6 |
CVE-2018-1973 |
284 |
|
|
2018-12-20 |
2019-01-07 |
9.0 |
Admin |
Remote |
Low |
Single system |
Complete |
Complete |
Complete |
|
IBM API Connect 5.0.0.0 through 5.0.8.4 allows a user with limited 'API Administrator level access to give themselves full 'Administrator' level access through the members functionality. IBM X-Force ID: 153914. |
|
7 |
CVE-2018-1969 |
434 |
|
|
2019-01-14 |
2019-01-16 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
IBM Security Identity Manager 6.0.0 allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment. IBM X-Force ID: 153750. |
|
8 |
CVE-2018-1967 |
79 |
|
XSS |
2019-01-14 |
2019-01-16 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
IBM Security Identity Manager 6.0.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 153748. |
|
9 |
CVE-2018-1957 |
200 |
|
+Info |
2018-12-10 |
2018-12-31 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
IBM WebSphere Application Server 9 could allow sensitive information to be available caused by mishandling of data by the application based on an incorrect return by the httpServletRequest#authenticate() API when an unprotected URI is accessed. IBM X-Force ID: 153629. |
|
10 |
CVE-2018-1956 |
254 |
|
|
2019-01-14 |
2019-01-16 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
IBM Security Identity Manager 6.0.0 does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts. IBM X-Force ID: 153628. |
|
11 |
CVE-2018-1951 |
79 |
|
XSS |
2019-01-04 |
2019-01-11 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
IBM Publishing Engine 2.1.2, 6.0.5, and 6.0.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 153494. |
|
12 |
CVE-2018-1941 |
264 |
|
|
2018-12-05 |
2018-12-26 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
IBM Campaign 9.1.0 and 9.1.2 could allow a local user to obtain admini privileges due to the application not validating access permissions. IBM X-Force ID: 153382. |
|
13 |
CVE-2018-1935 |
200 |
|
+Info |
2018-12-06 |
2018-12-26 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
IBM Connections 5.0, 5.5, and 6.0 could allow an authenticated user to obtain sensitive information from invalid request error messages. IBM X-Force ID: 153315. |
|
14 |
CVE-2018-1932 |
200 |
|
+Info |
2019-01-08 |
2019-01-14 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
IBM API Connect 5.0.0.0 through 5.0.8.4 is affected by a vulnerability in the role-based access control in the management server that could allow an authenticated user to obtain highly sensitive information. IBM X-Force ID: 153175. |
|
15 |
CVE-2018-1926 |
352 |
|
CSRF |
2018-12-12 |
2018-12-31 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 Admin Console is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading a user to visit a malicious URL, a remote attacker could send a specially-crafted request. An attacker could exploit this vulnerability to perform CSRF attack and update available applications. IBM X-Force ID: 152992. |
|
16 |
CVE-2018-1920 |
611 |
|
|
2018-12-07 |
2018-12-14 |
5.5 |
None |
Remote |
Low |
Single system |
Partial |
None |
Partial |
|
IBM Marketing Platform 9.1.0, 9.1.2 and 10.1 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 152855. |
|
17 |
CVE-2018-1905 |
611 |
|
|
2018-11-26 |
2018-12-10 |
5.5 |
None |
Remote |
Low |
Single system |
Partial |
None |
Partial |
|
IBM WebSphere Application Server 9.0.0.0 through 9.0.0.9 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 152534. |
|
18 |
CVE-2018-1904 |
502 |
|
Exec Code |
2018-12-11 |
2018-12-31 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow remote attackers to execute arbitrary Java code through an administrative client class with a serialized object from untrusted sources. IBM X-Force ID: 152533. |
|
19 |
CVE-2018-1901 |
264 |
|
+Priv |
2018-12-12 |
2018-12-31 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
IBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to temporarily gain elevated privileges on the system, caused by incorrect cached value being used. IBM X-Force ID: 152530. |
|
20 |
CVE-2018-1900 |
79 |
|
XSS |
2018-12-11 |
2018-12-31 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
IBM Curam Social Program Management 6.0.5, 6.1.1, 6.2.0, 7.0.1, and 7.0.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 152529. |
|
21 |
CVE-2018-1897 |
119 |
|
Exec Code Overflow |
2018-11-30 |
2018-12-27 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5., and 11.1 db2pdcfg is vulnerable to a stack based buffer overflow, caused by improper bounds checking which could allow an attacker to execute arbitrary code. IBM X-Force ID: 152462. |
|
22 |
CVE-2018-1896 |
74 |
|
|
2018-12-07 |
2018-12-26 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
IBM Connections 5.0, 5.5, and 6.0 is vulnerable to possible host header injection attack that could cause navigation to the attacker's domain. IBM X-Force ID: 152456. |
|
23 |
CVE-2018-1891 |
79 |
|
XSS |
2018-12-17 |
2019-01-03 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
IBM Security Guardium 10 and 10.5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 152082. |
|
24 |
CVE-2018-1889 |
79 |
|
XSS |
2018-12-17 |
2019-01-03 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
IBM Security Guardium 10.0 and 10.5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 152080. |
|
25 |
CVE-2018-1888 |
426 |
|
Exec Code |
2019-01-04 |
2019-01-14 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
An untrusted search path vulnerability in IBM i Access for Windows versions 7.1 and earlier on Windows can allow arbitrary code execution via a Trojan horse DLL in the current working directory, related to use of the LoadLibrary function. IBM X-Force ID: 152079. |
|
26 |
CVE-2018-1887 |
798 |
|
|
2018-12-13 |
2019-01-02 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
IBM Security Access Manager Appliance 9.0.1.0, 9.0.2.0, 9.0.3.0, 9.0.4.0, and 9.0.5.0 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 152078. |
|
27 |
CVE-2018-1886 |
200 |
|
+Info |
2018-12-13 |
2018-12-26 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
IBM Security Access Manager Appliance 9.0.1.0, 9.0.2.0, 9.0.3.0, 9.0.4.0, and 9.0.5.0 discloses sensitive information to unauthorized users. The information can be used to mount further attacks on the system. IBM X-Force ID: 152021. |
|
28 |
CVE-2018-1884 |
22 |
|
Exec Code Dir. Trav. |
2018-11-12 |
2018-12-12 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
IBM Case Manager 5.2.0.0, 5.2.0.4, 5.2.1.0, 5.2.1.7, 5.3.0.0, and 5.3.3.0 is vulnerable to a "zip slip" vulnerability which could allow a remote attacker to execute code using directory traversal techniques. IBM X-Force ID: 151970. |
|
29 |
CVE-2018-1883 |
|
|
DoS |
2018-12-07 |
2018-12-26 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
A problem within the IBM MQ 9.0.2, 9.0.3, 9.0.4, 9.0.5, and 9.1.0.0 Console REST API Could allow attackers to execute a denial of service attack preventing users from logging into the MQ Console REST API. IBM X-Force ID: 151969. |
|
30 |
CVE-2018-1878 |
200 |
|
+Info |
2018-11-02 |
2018-12-10 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
IBM Robotic Process Automation with Automation Anywhere 11 could disclose sensitive information in a web request that could aid in future attacks against the system. IBM X-Force ID: 151714. |
|
31 |
CVE-2018-1877 |
200 |
|
+Info |
2018-11-02 |
2018-12-11 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
IBM Robotic Process Automation with Automation Anywhere 11 could store highly sensitive information in the form of unencrypted passwords that would be available to a local user. IBM X-Force ID: 151713. |
|
32 |
CVE-2018-1876 |
532 |
|
|
2018-11-02 |
2018-12-11 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
IBM Robotic Process Automation with Automation Anywhere 11 could under certain cases, display the password in a Control Room log file after installation. IBM X-Force ID: 151707. |
|
33 |
CVE-2018-1872 |
79 |
|
XSS |
2018-11-09 |
2018-12-10 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
IBM Maximo Asset Management 7.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 151330. |
|
34 |
CVE-2018-1871 |
79 |
|
XSS |
2018-12-06 |
2018-12-28 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
IBM Financial Transaction Manager for Digital Payments for Multi-Platform 3.0.0, 3.0.2, and 3.0.5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 151329. |
|
35 |
CVE-2018-1859 |
264 |
|
|
2019-01-04 |
2019-01-11 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
IBM API Connect 5.0.0.0 through 5.0.8.4 could allow a user authenticated as an administrator with limited rights to escalate their privileges. IBM X-Force ID: 151258. |
|
36 |
CVE-2018-1857 |
200 |
|
Bypass +Info |
2018-11-08 |
2018-12-12 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.1 could allow a user to bypass FGAC control and gain access to data they shouldn't be able to see. IBM X-Force ID: 151155. |
|
37 |
CVE-2018-1851 |
502 |
|
Exec Code |
2018-10-31 |
2018-12-07 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
IBM WebSphere Application Server Liberty OpenID Connect could allow a remote attacker to execute arbitrary code on the system, caused by improper deserialization. By sending a specially-crafted request to the RP service, an attacker could exploit this vulnerability to execute arbitrary code. IBM X-Force ID: 150999. |
|
38 |
CVE-2018-1850 |
284 |
|
|
2018-10-22 |
2018-12-06 |
8.5 |
None |
Remote |
Medium |
Single system |
Complete |
Complete |
Complete |
|
IBM Security Access Manager Appliance 9.0.3.1, 9.0.4.0 and 9.0.5.0 could allow unauthorized administration operations when Advanced Access Control services are running. IBM X-Force ID: 150998. |
|
39 |
CVE-2018-1848 |
79 |
|
XSS |
2018-12-14 |
2019-01-03 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
IBM Business Automation Workflow 18.0.0.0 and 18.0.0.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 150947. |
|
40 |
CVE-2018-1846 |
611 |
|
|
2018-11-02 |
2018-12-10 |
5.5 |
None |
Remote |
Low |
Single system |
Partial |
None |
Partial |
|
IBM Rational Engineering Lifecycle Manager 5.0 through 5.0.2 and 6.0 through 6.0.6 are vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 150945. |
|
41 |
CVE-2018-1844 |
611 |
|
|
2018-10-12 |
2018-11-28 |
5.5 |
None |
Remote |
Low |
Single system |
Partial |
None |
Partial |
|
IBM FileNet Content Manager 5.2.1 and 5.5.0 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 150904. |
|
42 |
CVE-2018-1843 |
200 |
|
+Info |
2018-11-21 |
2019-01-02 |
1.9 |
None |
Local |
Medium |
Not required |
Partial |
None |
None |
|
The Identity and Access Management (IAM) services (IBM Cloud Private 3.1.0) do not use a secure channel, such as SSL, to exchange information only when accessed internally from within the cluster. It could be possible for an attacker with access to network traffic to sniff packets from the connection and uncover data. IBM X-Force ID: 150903 |
|
43 |
CVE-2018-1842 |
347 |
|
Bypass |
2018-11-08 |
2018-12-12 |
3.3 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
None |
|
IBM Cognos Analytics 11 Configuration tool, under certain circumstances, will bypass OIDC namespace signature verification on its id_token. IBM X-Force ID: 150902. |
|
44 |
CVE-2018-1841 |
200 |
|
+Info |
2018-11-19 |
2018-12-17 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
IBM Cloud Private 2.1.0 could allow a local user to obtain the CA Private Key due to it being world readable in boot/master node. IBM X-Force ID: 150901. |
|
45 |
CVE-2018-1840 |
264 |
|
+Priv |
2018-12-03 |
2018-12-21 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
IBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to gain elevated privileges on the system, caused when a security domain is configured to use a federated repository other than global federated repository and then migrated to a newer release of WebSphere Application Server. IBM X-Force ID: 150813. |
|
46 |
CVE-2018-1838 |
200 |
|
+Info |
2018-10-12 |
2018-11-28 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
IBM WebSphere Application Server 8.5 and 9.0 in IBM Cloud could allow a remote attacker to obtain sensitive information caused by improper handling of passwords. IBM X-Force ID: 150811. |
|
47 |
CVE-2018-1835 |
611 |
|
|
2018-11-02 |
2018-12-12 |
5.5 |
None |
Remote |
Low |
Single system |
Partial |
None |
Partial |
|
IBM Daeja ViewONE Professional, Standard & Virtual 5 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 150514. |
|
48 |
CVE-2018-1834 |
59 |
|
|
2018-11-08 |
2018-12-12 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 contains a vulnerability that could allow a local user to escalate their privileges to root through a symbolic link attack. IBM X-Force ID: 150511. |
|
49 |
CVE-2018-1833 |
20 |
|
|
2018-12-18 |
2019-01-24 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
IBM Event Streams 2018.3.0 could allow a remote attacker to submit an API request with a fake Host request header. An attacker, who has already gained authorised access via the CLI, could exploit this vulnerability to spoof the request header. IBM X-Force ID: 150507. |
|
50 |
CVE-2018-1822 |
287 |
|
Bypass |
2018-10-18 |
2018-12-26 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
IBM FlashSystem 900 product GUI allows a specially crafted attack to bypass the authentication requirements of the system, resulting in the ability to remotely change the superuser password. This can be used by an attacker to gain administrative control or to deny service. IBM X-Force ID: 150296. |
