| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2018-2026 |
200 |
|
+Info |
2019-01-23 |
2019-01-23 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
IBM Financial Transaction Manager 3.2.1 for Digital Payments could allow an authenticated user to obtain a directory listing of internal product files. IBM X-Force ID: 155552. |
|
2 |
CVE-2018-1977 |
20 |
|
DoS |
2018-12-14 |
2019-01-07 |
4.0 |
None |
Remote |
Low |
Single system |
None |
None |
Partial |
|
IBM DB2 for Linux, UNIX and Windows 11.1 (includes DB2 Connect Server) contains a denial of service vulnerability. A remote, authenticated DB2 user could exploit this vulnerability by issuing a specially-crafted SELECT statement with TRUNCATE function. IBM X-Force ID: 154032. |
|
3 |
CVE-2018-1967 |
79 |
|
XSS |
2019-01-14 |
2019-01-16 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
IBM Security Identity Manager 6.0.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 153748. |
|
4 |
CVE-2018-1941 |
264 |
|
|
2018-12-05 |
2018-12-26 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
IBM Campaign 9.1.0 and 9.1.2 could allow a local user to obtain admini privileges due to the application not validating access permissions. IBM X-Force ID: 153382. |
|
5 |
CVE-2018-1935 |
200 |
|
+Info |
2018-12-06 |
2018-12-26 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
IBM Connections 5.0, 5.5, and 6.0 could allow an authenticated user to obtain sensitive information from invalid request error messages. IBM X-Force ID: 153315. |
|
6 |
CVE-2018-1932 |
200 |
|
+Info |
2019-01-08 |
2019-01-14 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
IBM API Connect 5.0.0.0 through 5.0.8.4 is affected by a vulnerability in the role-based access control in the management server that could allow an authenticated user to obtain highly sensitive information. IBM X-Force ID: 153175. |
|
7 |
CVE-2018-1897 |
119 |
|
Exec Code Overflow |
2018-11-30 |
2018-12-27 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5., and 11.1 db2pdcfg is vulnerable to a stack based buffer overflow, caused by improper bounds checking which could allow an attacker to execute arbitrary code. IBM X-Force ID: 152462. |
|
8 |
CVE-2018-1887 |
798 |
|
|
2018-12-13 |
2019-01-02 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
IBM Security Access Manager Appliance 9.0.1.0, 9.0.2.0, 9.0.3.0, 9.0.4.0, and 9.0.5.0 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 152078. |
|
9 |
CVE-2018-1857 |
200 |
|
Bypass +Info |
2018-11-08 |
2018-12-12 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.1 could allow a user to bypass FGAC control and gain access to data they shouldn't be able to see. IBM X-Force ID: 151155. |
|
10 |
CVE-2018-1848 |
79 |
|
XSS |
2018-12-14 |
2019-01-03 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
IBM Business Automation Workflow 18.0.0.0 and 18.0.0.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 150947. |
|
11 |
CVE-2018-1838 |
200 |
|
+Info |
2018-10-12 |
2018-11-28 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
IBM WebSphere Application Server 8.5 and 9.0 in IBM Cloud could allow a remote attacker to obtain sensitive information caused by improper handling of passwords. IBM X-Force ID: 150811. |
|
12 |
CVE-2018-1817 |
79 |
|
XSS |
2018-12-13 |
2019-01-02 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
IBM Security Guardium 10 and 10.5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 150021. |
|
13 |
CVE-2018-1815 |
79 |
|
XSS |
2018-12-13 |
2019-01-02 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
IBM Security Access Manager Appliance 9.0.1.0, 9.0.2.0, 9.0.3.0, 9.0.4.0, and 9.0.5.0 for Enterprise Single-Sign On is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 150019. |
|
14 |
CVE-2018-1813 |
284 |
|
Bypass |
2018-12-13 |
2019-01-02 |
4.0 |
None |
Remote |
Low |
Single system |
None |
Partial |
None |
|
IBM Security Access Manager Appliance 9.0.1.0, 9.0.2.0, 9.0.3.0, 9.0.4.0, and 9.0.5.0 uses incomplete blacklisting for input validation which allows attackers to bypass application controls resulting in direct impact to the system and data integrity. IBM X-Force ID: 150017. |
|
15 |
CVE-2018-1805 |
200 |
|
+Info |
2018-12-13 |
2019-01-02 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
IBM Security Access Manager Appliance 9.0.1.0, 9.0.2.0, 9.0.3.0, 9.0.4.0, and 9.0.5.0 generates an error message that includes sensitive information about its environment, users, or associated data. IBM X-Force ID: 149704. |
|
16 |
CVE-2018-1804 |
384 |
|
+Info |
2018-12-13 |
2019-01-02 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
IBM Security Access Manager Appliance 9.0.1.0, 9.0.2.0, 9.0.3.0, 9.0.4.0, and 9.0.5.0 does not set the secure attribute on authorization tokens or session cookies. This could allow an attacker to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 149703. |
|
17 |
CVE-2018-1803 |
20 |
|
|
2018-12-13 |
2019-01-02 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
IBM Security Access Manager Appliance 9.0.1.0, 9.0.2.0, 9.0.3.0, 9.0.4.0, and 9.0.5.0 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. IBM X-Force ID: 149702. |
|
18 |
CVE-2018-1802 |
264 |
|
|
2018-11-08 |
2018-12-12 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 binaries load shared libraries from an untrusted path potentially giving low privilege user full access to the DB2 instance account by loading a malicious shared library. IBM X-Force ID: 149640. |
|
19 |
CVE-2018-1798 |
79 |
|
XSS |
2018-11-12 |
2018-11-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 149428. |
|
20 |
CVE-2018-1797 |
22 |
|
Dir. Trav. |
2018-11-16 |
2018-12-20 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 using Enterprise bundle Archives (EBA) could allow a local attacker to traverse directories on the system. By persuading a victim to extract a specially-crafted ZIP archive containing "dot dot slash" sequences (../), an attacker could exploit this vulnerability to write to arbitrary files on the system. Note: This vulnerability is known as "Zip-Slip". IBM X-Force ID: 149427. |
|
21 |
CVE-2018-1795 |
79 |
|
XSS |
2018-10-05 |
2018-11-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
IBM Robotic Process Automation with Automation Anywhere Enterprise 10 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 149073. |
|
22 |
CVE-2018-1794 |
79 |
|
XSS |
2018-10-03 |
2018-11-20 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 using OAuth ear is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 148949. |
|
23 |
CVE-2018-1793 |
79 |
|
XSS |
2018-10-03 |
2018-11-20 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 using SAML ear is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 148948. |
|
24 |
CVE-2018-1791 |
20 |
|
|
2018-09-14 |
2018-11-23 |
4.9 |
None |
Remote |
Medium |
Single system |
Partial |
None |
Partial |
|
IBM Connections 5.0, 5.5, and 6.0 is vulnerable to an External Service Interaction attack, caused by improper validation of a request property. By submitting suitable payloads, an attacker could exploit this vulnerability to induce the Connections server to attack other systems. IBM X-Force ID: 148946. |
|
25 |
CVE-2018-1782 |
254 |
|
|
2018-09-19 |
2018-11-23 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
IBM GPFS (IBM Spectrum Scale 5.0.1.0 and 5.0.1.1) allows a local, unprivileged user to cause a kernel panic on a node running GPFS by accessing a file that is stored on a GPFS file system with mmap, or by executing a crafted file stored on a GPFS file system. IBM X-Force ID: 148805. |
|
26 |
CVE-2018-1773 |
287 |
|
Bypass |
2018-09-12 |
2018-11-01 |
4.0 |
None |
Remote |
Low |
Single system |
None |
Partial |
None |
|
IBM Datacap Fastdoc Capture 9.1.1, 9.1.3, and 9.1.4 could allow an authenticated user to bypass future authentication mechanisms once the initial login is completed. IBM X-Force ID: 148691. |
|
27 |
CVE-2018-1770 |
22 |
|
Dir. Trav. |
2018-10-12 |
2018-11-28 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 148686. |
|
28 |
CVE-2018-1767 |
79 |
|
XSS |
2018-10-29 |
2018-11-20 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 Cachemonitor is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 148621. |
|
29 |
CVE-2018-1755 |
200 |
|
+Info |
2018-08-24 |
2018-10-17 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information, caused by incorrect transport being used when Liberty is configured to use Java Authentication SPI for Containers (JASPIC). This can happen when the Application Server is configured to permit access on non-secure (http) port and using JASPIC or JSR375 authentication. |
|
30 |
CVE-2018-1753 |
200 |
|
+Info |
2018-10-08 |
2018-11-28 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
IBM Tivoli Key Lifecycle Manager 2.6, 2.7, and 3.0 generates an error message that includes sensitive information about its environment, users, or associated data. IBM X-Force ID: 148514. |
|
31 |
CVE-2018-1749 |
20 |
|
Bypass |
2018-10-08 |
2018-11-28 |
4.0 |
None |
Remote |
Low |
Single system |
None |
Partial |
None |
|
IBM Tivoli Key Lifecycle Manager 2.6, 2.7, and 3.0 uses incomplete blacklisting for input validation which allows attackers to bypass application controls resulting in direct impact to the system and data integrity. IBM X-Force ID: 148484. |
|
32 |
CVE-2018-1744 |
22 |
|
Dir. Trav. |
2018-10-15 |
2018-11-30 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
IBM Security Key Lifecycle Manager 2.5, 2.6, 2.7, and 3.0 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 148423. |
|
33 |
CVE-2018-1724 |
284 |
|
|
2018-10-11 |
2018-11-28 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
IBM Spectrum LSF 9.1.1 9.1.2, 9.1.3, and 10.1 could allow a local user to change their job user at job submission time due to improper file permission settings. IBM X-Force ID: 147439. |
|
34 |
CVE-2018-1719 |
200 |
|
+Info |
2018-09-14 |
2018-11-05 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
IBM WebSphere Application Server 8.5 and 9.0 could provide weaker than expected security under certain conditions. This could result in a downgrade of TLS protocol. A remote attacker could exploit this vulnerability to perform man-in-the-middle attacks. IBM X-Force ID: 147292. |
|
35 |
CVE-2018-1718 |
79 |
|
XSS |
2018-07-31 |
2018-10-04 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
IBM Sterling B2B Integrator Standard Edition 5.2.0.1 - 5.2.6.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 147166. |
|
36 |
CVE-2018-1716 |
79 |
|
XSS |
2018-09-27 |
2018-11-14 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
IBM WebSphere Portal 7.0, 8.0, 8.5, and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 147164. |
|
37 |
CVE-2018-1711 |
264 |
|
+Priv |
2018-09-21 |
2018-12-02 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 could allow a local user to to gain privileges due to allowing modification of columns of existing tasks. IBM X-Force ID: 146369. |
|
38 |
CVE-2018-1710 |
119 |
|
Exec Code Overflow |
2018-09-21 |
2018-11-19 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 10.1, 10.5, and 11.1 tool db2licm is affected by buffer overflow vulnerability that can potentially result in arbitrary code execution. IBM X-Force ID: 146364. |
|
39 |
CVE-2018-1708 |
200 |
|
+Info |
2018-10-11 |
2018-11-28 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
IBM Spectrum Symphony 7.1.2 and 7.2.0.2 could allow an authenticated user to obtain sensitive user information such as passwords through the WebUI. IBM X-Force ID: 146343. |
|
40 |
CVE-2018-1705 |
200 |
|
+Info |
2018-08-28 |
2018-11-01 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
IBM Platform Symphony 7.1 Fix Pack 1 and 7.1.1 and IBM Spectrum Symphony 7.1.2 and 7.2.0.2 contain an information disclosure vulnerability that could allow an authenticated attacker to obtain highly sensitive information. IBM X-Force ID: 146340. |
|
41 |
CVE-2018-1704 |
601 |
|
+Info |
2018-09-28 |
2018-11-15 |
4.9 |
None |
Remote |
Medium |
Single system |
Partial |
Partial |
None |
|
IBM Platform Symphony 7.1 Fix Pack 1 and 7.1.1 and IBM Spectrum Symphony 7.1.2 and 7.2.0.2 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim. IBM X-Force ID: 146339. |
|
42 |
CVE-2018-1697 |
200 |
|
+Info |
2018-12-05 |
2018-12-26 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
IBM Maximo Asset Management 7.6 could allow an authenticated user to enumerate usernames using a specially crafted HTTP request. IBM X-Force ID: 145966. |
|
43 |
CVE-2018-1694 |
200 |
|
+Info |
2018-11-06 |
2018-12-11 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
IBM Jazz applications (IBM Rational Collaborative Lifecycle Management 5.0 through 5.02 and 6.0 through 6.0.6, IBM Rational DOORS Next Generation 5.0 through 5.02 and 6.0 through 6.0.6, IBM Rational Engineering Lifecycle Manager 5.0 through 5.02 and 6.0 through 6.0.6, IBM Rational Quality Manager 5.0 through 5.02 and 6.0 through 6.0.6, IBM Rational Rhapsody Design Manager 5.0 through 5.02 and 6.0 through 6.0.6, IBM Rational Software Architect Design Manager 5.0 through 5.02 and 6.0 through 6.0.1, IBM Rational Team Concert 5.0 through 5.02 and 6.0 through 6.0.6) could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 145609. |
|
44 |
CVE-2018-1685 |
200 |
|
+Info |
2018-09-21 |
2018-11-19 |
4.9 |
None |
Local |
Low |
Not required |
Complete |
None |
None |
|
IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 contains a vulnerability in db2cacpy that could allow a local user to read any file on the system. IBM X-Force ID: 145502. |
|
45 |
CVE-2018-1684 |
20 |
|
DoS |
2018-11-08 |
2018-12-12 |
4.0 |
None |
Remote |
Low |
Single system |
None |
None |
Partial |
|
IBM WebSphere MQ 8.0 through 9.1 is vulnerable to a error with MQTT topic string publishing that can cause a denial of service attack. IBM X-Force ID: 145456. |
|
46 |
CVE-2018-1673 |
79 |
|
XSS |
2018-10-12 |
2018-11-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
IBM WebSphere Portal 7.0, 8.0, 8.5, and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 145108. |
|
47 |
CVE-2018-1671 |
94 |
|
Exec Code |
2018-12-10 |
2019-01-02 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
IBM Curam Social Program Management 7.0.3 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. IBM X-force ID: 144951. |
|
48 |
CVE-2018-1670 |
200 |
|
+Info |
2018-10-04 |
2018-11-28 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
IBM Financial Transaction Manager for ACH Services for Multi-Platform 3.0.2 could allow an authenticated user to obtain sensitive product configuration information from log files. IBM X-Force ID: 144946. |
|
49 |
CVE-2018-1663 |
200 |
|
+Info |
2018-12-07 |
2018-12-26 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
IBM DataPower Gateways 7.5, 7.5.1, 7.5.2, 7.6, and 2018.4 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 144889. |
|
50 |
CVE-2018-1656 |
22 |
|
Dir. Trav. |
2018-08-20 |
2018-11-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The IBM Java Runtime Environment's Diagnostic Tooling Framework for Java (DTFJ) (IBM SDK, Java Technology Edition 6.0 , 7.0, and 8.0) does not protect against path traversal attacks when extracting compressed dump files. IBM X-Force ID: 144882. |
