| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2018-18202 |
255 |
|
|
2018-10-09 |
2018-12-12 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The QLogic 4Gb Fibre Channel 5.5.2.6.0 and 4/8Gb SAN 7.10.1.20.0 modules for IBM BladeCenter have an undocumented support account with a support password, an undocumented diags account with a diags password, and an undocumented prom account with a prom password. |
|
2 |
CVE-2018-1920 |
611 |
|
|
2018-12-07 |
2018-12-10 |
5.5 |
None |
Remote |
Low |
Single system |
Partial |
None |
Partial |
|
IBM Marketing Platform 9.1.0, 9.1.2 and 10.1 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 152855. |
|
3 |
CVE-2018-1905 |
611 |
|
|
2018-11-26 |
2018-12-10 |
5.5 |
None |
Remote |
Low |
Single system |
Partial |
None |
Partial |
|
IBM WebSphere Application Server 9.0.0.0 through 9.0.0.9 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 152534. |
|
4 |
CVE-2018-1884 |
22 |
|
Exec Code Dir. Trav. |
2018-11-12 |
2018-12-12 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
IBM Case Manager 5.2.0.0, 5.2.0.4, 5.2.1.0, 5.2.1.7, 5.3.0.0, and 5.3.3.0 is vulnerable to a "zip slip" vulnerability which could allow a remote attacker to execute code using directory traversal techniques. IBM X-Force ID: 151970. |
|
5 |
CVE-2018-1878 |
200 |
|
+Info |
2018-11-02 |
2018-12-10 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
IBM Robotic Process Automation with Automation Anywhere 11 could disclose sensitive information in a web request that could aid in future attacks against the system. IBM X-Force ID: 151714. |
|
6 |
CVE-2018-1877 |
200 |
|
+Info |
2018-11-02 |
2018-12-11 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
IBM Robotic Process Automation with Automation Anywhere 11 could store highly sensitive information in the form of unencrypted passwords that would be available to a local user. IBM X-Force ID: 151713. |
|
7 |
CVE-2018-1876 |
532 |
|
|
2018-11-02 |
2018-12-11 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
IBM Robotic Process Automation with Automation Anywhere 11 could under certain cases, display the password in a Control Room log file after installation. IBM X-Force ID: 151707. |
|
8 |
CVE-2018-1872 |
79 |
|
XSS |
2018-11-09 |
2018-12-10 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
IBM Maximo Asset Management 7.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 151330. |
|
9 |
CVE-2018-1857 |
200 |
|
Bypass +Info |
2018-11-08 |
2018-12-12 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.1 could allow a user to bypass FGAC control and gain access to data they shouldn't be able to see. IBM X-Force ID: 151155. |
|
10 |
CVE-2018-1851 |
502 |
|
Exec Code |
2018-10-31 |
2018-12-07 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
IBM WebSphere Application Server Liberty OpenID Connect could allow a remote attacker to execute arbitrary code on the system, caused by improper deserialization. By sending a specially-crafted request to the RP service, an attacker could exploit this vulnerability to execute arbitrary code. IBM X-Force ID: 150999. |
|
11 |
CVE-2018-1850 |
284 |
|
|
2018-10-22 |
2018-12-06 |
8.5 |
None |
Remote |
Medium |
Single system |
Complete |
Complete |
Complete |
|
IBM Security Access Manager Appliance 9.0.3.1, 9.0.4.0 and 9.0.5.0 could allow unauthorized administration operations when Advanced Access Control services are running. IBM X-Force ID: 150998. |
|
12 |
CVE-2018-1846 |
611 |
|
|
2018-11-02 |
2018-12-10 |
5.5 |
None |
Remote |
Low |
Single system |
Partial |
None |
Partial |
|
IBM Rational Engineering Lifecycle Manager 5.0 through 5.0.2 and 6.0 through 6.0.6 are vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 150945. |
|
13 |
CVE-2018-1844 |
611 |
|
|
2018-10-12 |
2018-11-28 |
5.5 |
None |
Remote |
Low |
Single system |
Partial |
None |
Partial |
|
IBM FileNet Content Manager 5.2.1 and 5.5.0 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 150904. |
|
14 |
CVE-2018-1842 |
347 |
|
Bypass |
2018-11-08 |
2018-12-12 |
3.3 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
None |
|
IBM Cognos Analytics 11 Configuration tool, under certain circumstances, will bypass OIDC namespace signature verification on its id_token. IBM X-Force ID: 150902. |
|
15 |
CVE-2018-1838 |
200 |
|
+Info |
2018-10-12 |
2018-11-28 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
IBM WebSphere Application Server 8.5 and 9.0 in IBM Cloud could allow a remote attacker to obtain sensitive information caused by improper handling of passwords. IBM X-Force ID: 150811. |
|
16 |
CVE-2018-1835 |
611 |
|
|
2018-11-02 |
2018-12-12 |
5.5 |
None |
Remote |
Low |
Single system |
Partial |
None |
Partial |
|
IBM Daeja ViewONE Professional, Standard & Virtual 5 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 150514. |
|
17 |
CVE-2018-1834 |
59 |
|
|
2018-11-08 |
2018-12-12 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 contains a vulnerability that could allow a local user to escalate their privileges to root through a symbolic link attack. IBM X-Force ID: 150511. |
|
18 |
CVE-2018-1820 |
79 |
|
XSS |
2018-09-27 |
2018-11-14 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
IBM WebSphere Portal 8.0, 8.5, and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 150096. |
|
19 |
CVE-2018-1819 |
89 |
|
Sql |
2018-10-04 |
2018-11-21 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
IBM Financial Transaction Manager for Digital Payments for Multi-Platform 3.0.2, 3.0.4, 3.0.6, and 3.2.0 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-force ID: 150023. |
|
20 |
CVE-2018-1812 |
79 |
|
XSS |
2018-10-05 |
2018-11-28 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
IBM Robotic Process Automation with Automation Anywhere Enterprise 10 is vulnerable to persistent cross-site scripting, caused by missing escaping of a database field. An attacker that has access to the Control Room database could exploit this vulnerability to execute script in a victim's web browser within the security context of the hosting Web site, once victim opens a certain page in Control Room. IBM X-Force ID: 149883. |
|
21 |
CVE-2018-1808 |
20 |
|
|
2018-11-13 |
2018-12-12 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
IBM WebSphere Commerce 9.0.0.0 through 9.0.0.6 could allow some server-side code injection due to inadequate input control. IBM X-Force ID: 149828. |
|
22 |
CVE-2018-1802 |
264 |
|
|
2018-11-08 |
2018-12-12 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 binaries load shared libraries from an untrusted path potentially giving low privilege user full access to the DB2 instance account by loading a malicious shared library. IBM X-Force ID: 149640. |
|
23 |
CVE-2018-1800 |
200 |
|
+Info |
2018-09-20 |
2018-11-23 |
1.9 |
None |
Local |
Medium |
Not required |
Partial |
None |
None |
|
IBM Sterling B2B Integrator Standard Edition 5.2.6.0 and 6.2.6.1 could allow a local user to obtain highly sensitive information during a short time period when installation is occurring. IBM X-Force ID: 149607. |
|
24 |
CVE-2018-1799 |
20 |
|
|
2018-11-08 |
2018-12-12 |
3.6 |
None |
Local |
Low |
Not required |
None |
Partial |
Partial |
|
IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 could allow a local unprivileged user to overwrite files on the system which could cause damage to the database. IBM X-Force ID: 149429. |
|
25 |
CVE-2018-1798 |
79 |
|
XSS |
2018-11-12 |
2018-11-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 149428. |
|
26 |
CVE-2018-1795 |
79 |
|
XSS |
2018-10-05 |
2018-11-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
IBM Robotic Process Automation with Automation Anywhere Enterprise 10 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 149073. |
|
27 |
CVE-2018-1794 |
79 |
|
XSS |
2018-10-03 |
2018-11-20 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 using OAuth ear is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 148949. |
|
28 |
CVE-2018-1793 |
79 |
|
XSS |
2018-10-03 |
2018-11-20 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 using SAML ear is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 148948. |
|
29 |
CVE-2018-1792 |
94 |
|
Exec Code |
2018-11-13 |
2018-12-12 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
IBM WebSphere MQ 8.0.0.0 through 8.0.0.10, 9.0.0.0 through 9.0.0.5, 9.0.1 through 9.0.5, and 9.1.0.0 could allow a local user to inject code that could be executed with root privileges. IBM X-Force ID: 148947. |
|
30 |
CVE-2018-1791 |
20 |
|
|
2018-09-14 |
2018-11-23 |
4.9 |
None |
Remote |
Medium |
Single system |
Partial |
None |
Partial |
|
IBM Connections 5.0, 5.5, and 6.0 is vulnerable to an External Service Interaction attack, caused by improper validation of a request property. By submitting suitable payloads, an attacker could exploit this vulnerability to induce the Connections server to attack other systems. IBM X-Force ID: 148946. |
|
31 |
CVE-2018-1783 |
284 |
|
|
2018-10-05 |
2018-11-28 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
IBM GPFS (IBM Spectrum Scale 4.1.1.0, 4.1.1.20, 4.2.0.0, 4.2.3.10, 5.0.0 and 5.0.1.2) command line utility allows an unprivileged, authenticated user with access to a GPFS node to forcefully terminate GPFS and deny access to data available through GPFS. IBM X-Force ID: 148806. |
|
32 |
CVE-2018-1782 |
254 |
|
|
2018-09-19 |
2018-11-23 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
IBM GPFS (IBM Spectrum Scale 5.0.1.0 and 5.0.1.1) allows a local, unprivileged user to cause a kernel panic on a node running GPFS by accessing a file that is stored on a GPFS file system with mmap, or by executing a crafted file stored on a GPFS file system. IBM X-Force ID: 148805. |
|
33 |
CVE-2018-1781 |
59 |
|
|
2018-11-08 |
2018-12-12 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 could allow a local user to obtain root access by exploiting a symbolic link attack to read/write/corrupt a file that they originally did not have permission to access. IBM X-Force ID: 148804. |
|
34 |
CVE-2018-1780 |
59 |
|
|
2018-11-08 |
2018-12-12 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 could allow a local db2 instance owner to obtain root access by exploiting a symbolic link attack to read/write/corrupt a file that they originally did not have permission to access. IBM X-Force ID: 148803. |
|
35 |
CVE-2018-1777 |
79 |
|
XSS |
2018-10-16 |
2018-11-20 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 148800. |
|
36 |
CVE-2018-1774 |
94 |
|
Exec Code |
2018-11-08 |
2018-12-12 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
IBM API Connect 5.0.0.0, 5.0.8.4, 2018.1 and 2018.3.6 is vulnerable to CSV injection via the developer portal and analytics that could contain malicious commands that would be executed once opened by an administrator. IBM X-Force ID: 148692. |
|
37 |
CVE-2018-1773 |
287 |
|
Bypass |
2018-09-12 |
2018-11-01 |
4.0 |
None |
Remote |
Low |
Single system |
None |
Partial |
None |
|
IBM Datacap Fastdoc Capture 9.1.1, 9.1.3, and 9.1.4 could allow an authenticated user to bypass future authentication mechanisms once the initial login is completed. IBM X-Force ID: 148691. |
|
38 |
CVE-2018-1770 |
22 |
|
Dir. Trav. |
2018-10-12 |
2018-11-28 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 148686. |
|
39 |
CVE-2018-1768 |
532 |
|
|
2018-09-26 |
2018-11-15 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
IBM Spectrum Protect Plus 10.1.0 and 10.1.1 could disclose sensitive information when an authorized user executes a test operation, the user id an password may be displayed in plain text within an instrumentation log file. IBM X-Force ID: 148622. |
|
40 |
CVE-2018-1767 |
79 |
|
XSS |
2018-10-29 |
2018-11-20 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 Cachemonitor is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 148621. |
|
41 |
CVE-2018-1766 |
79 |
|
XSS |
2018-10-29 |
2018-11-28 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
IBM Team Concert (RTC) 5.0 through 5.0.2 and 6.0 through 6.0.5 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 148620. |
|
42 |
CVE-2018-1757 |
200 |
|
+Info |
2018-09-07 |
2018-09-21 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
IBM Security Identity Governance and Intelligence 5.2.3.2 and 5.2.4 could allow an attacker to obtain sensitive information due to missing authentication in IGI for the survey application. IBM X-Force ID: 148601. |
|
43 |
CVE-2018-1756 |
89 |
|
Sql |
2018-09-07 |
2018-09-21 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
IBM Security Identity Governance and Intelligence 5.2.3.2 and 5.2.4 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, information in the back-end database. IBM X-Force ID: 148599. |
|
44 |
CVE-2018-1755 |
200 |
|
+Info |
2018-08-24 |
2018-10-17 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information, caused by incorrect transport being used when Liberty is configured to use Java Authentication SPI for Containers (JASPIC). This can happen when the Application Server is configured to permit access on non-secure (http) port and using JASPIC or JSR375 authentication. |
|
45 |
CVE-2018-1753 |
200 |
|
+Info |
2018-10-08 |
2018-11-28 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
IBM Tivoli Key Lifecycle Manager 2.6, 2.7, and 3.0 generates an error message that includes sensitive information about its environment, users, or associated data. IBM X-Force ID: 148514. |
|
46 |
CVE-2018-1750 |
275 |
|
|
2018-10-08 |
2018-11-28 |
5.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
None |
|
IBM Security Key Lifecycle Manager 3.0 specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. IBM X-Force ID: 148511. |
|
47 |
CVE-2018-1749 |
20 |
|
Bypass |
2018-10-08 |
2018-11-28 |
4.0 |
None |
Remote |
Low |
Single system |
None |
Partial |
None |
|
IBM Tivoli Key Lifecycle Manager 2.6, 2.7, and 3.0 uses incomplete blacklisting for input validation which allows attackers to bypass application controls resulting in direct impact to the system and data integrity. IBM X-Force ID: 148484. |
|
48 |
CVE-2018-1747 |
611 |
|
|
2018-10-15 |
2018-11-30 |
5.5 |
None |
Remote |
Low |
Single system |
Partial |
None |
Partial |
|
IBM Security Key Lifecycle Manager 2.5, 2.6, 2.7, and 3.0 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 148428. |
|
49 |
CVE-2018-1745 |
287 |
|
|
2018-10-11 |
2018-11-28 |
7.8 |
None |
Remote |
Low |
Not required |
None |
None |
Complete |
|
IBM Security Key Lifecycle Manager 2.7 and 3.0 could allow an unauthenticated user to restart the SKLM server due to missing authentication. IBM X-Force ID: 148424. |
|
50 |
CVE-2018-1744 |
22 |
|
Dir. Trav. |
2018-10-15 |
2018-11-30 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
IBM Security Key Lifecycle Manager 2.5, 2.6, 2.7, and 3.0 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 148423. |
