
IBM : Security Vulnerabilities Published In 2019

Column legend (each entry below spans four lines, in this order):
# | CVE ID | CWE ID | # of Exploits (empty for every entry on this page) | Vulnerability Type(s) (empty where none is assigned) | Publish Date | Update Date
CVSS v2 base score
Gained Access Level | Access Vector (Remote/Local) | Access Complexity | Authentication | Confidentiality impact | Integrity impact | Availability impact
Description (with the IBM X-Force ID where one was assigned)
1 CVE-2019-6157 532 2019-04-22 2019-10-09
5.0
None Remote Low Not required Partial None None
In various firmware versions of Lenovo System x, the integrated management module II (IMM2)'s first failure data capture (FFDC) includes the web server's private key in the generated log file for support.
2 CVE-2019-6155 20 DoS 2019-04-22 2019-10-09
7.8
None Remote Low Not required None None Complete
A potential vulnerability was found in an SMI handler in various BIOS versions of certain legacy IBM System x and IBM BladeCenter systems that could lead to denial of service.
3 CVE-2019-4571 79 XSS 2019-09-25 2019-10-09
3.5
None Remote Medium Single system None Partial None
IBM Content Navigator 3.0CD is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 166721.
4 CVE-2019-4566 312 2019-09-24 2019-10-09
2.1
None Local Low Not required Partial None None
IBM Security Key Lifecycle Manager 3.0 and 3.0.1 stores user credentials in clear text, where they can be read by a local user. IBM X-Force ID: 166627.
5 CVE-2019-4565 521 2019-09-20 2019-10-09
5.0
None Remote Low Not required Partial None None
IBM Security Key Lifecycle Manager 3.0 and 3.0.1 does not enforce strong user passwords by default, which makes it easier for attackers to compromise user accounts. IBM X-Force ID: 166626.
6 CVE-2019-4564 79 XSS 2019-10-04 2019-10-09
4.3
None Remote Medium Not required None Partial None
IBM Security Key Lifecycle Manager 2.6, 2.7, 3.0, and 3.0.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
7 CVE-2019-4558 74 2019-10-09 2019-10-11
7.2
None Local Low Not required Complete Complete Complete
A security vulnerability has been identified in all levels of IBM Spectrum Scale V5.0.0.0 through V5.0.3.2 and IBM Spectrum Scale V4.2.0.0 through V4.2.3.17 that could allow a local attacker to obtain root privilege by injecting parameters into setuid files.
8 CVE-2019-4549 922 2019-10-02 2019-10-09
5.0
None Remote Low Not required Partial None None
IBM Security Directory Server 6.4.0 discloses sensitive information to unauthorized users. The information can be used to mount further attacks on the system. IBM X-Force ID: 165951.
9 CVE-2019-4542 79 XSS 2019-10-02 2019-10-09
4.3
None Remote Medium Not required None Partial None
IBM Security Directory Server 6.4.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 165815.
10 CVE-2019-4539 91 2019-10-02 2019-10-09
5.5
None Remote Low Single system None Partial Partial
IBM Security Directory Server 6.4.0 does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system. IBM X-Force ID: 165812.
11 CVE-2019-4538 601 +Info 2019-10-02 2019-10-09
5.8
None Remote Medium Not required Partial Partial None
IBM Security Directory Server 6.4.0 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim. IBM X-Force ID: 165660.
12 CVE-2019-4536 264 2019-08-29 2019-10-09
3.3
None Local Medium Not required Partial Partial None
IBM i 7.4 users who have done a Restore User Profile (RSTUSRPRF) on a system which has been configured with Db2 Mirror for i might have user profiles with elevated privileges caused by incorrect processing during a restore of multiple user profiles. A user with restore privileges could exploit this vulnerability to obtain elevated privileges on the restored system. IBM X-Force ID: 165592.
13 CVE-2019-4520 307 2019-10-02 2019-10-09
5.0
None Remote Low Not required Partial None None
IBM Security Directory Server 6.4.0 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 165178.
14 CVE-2019-4515 352 CSRF 2019-09-24 2019-10-09
4.3
None Remote Medium Not required None Partial None
IBM Security Key Lifecycle Manager 3.0 and 3.0.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 165137.
15 CVE-2019-4514 863 2019-10-04 2019-10-09
5.0
None Remote Low Not required Partial None None
IBM Security Key Lifecycle Manager 2.6, 2.7, 3.0, and 3.0.1 discloses sensitive information to unauthorized users. The information can be used to mount further attacks on the system. IBM X-Force ID: 165136.
16 CVE-2019-4513 611 2019-08-26 2019-10-09
6.4
None Remote Low Not required Partial None Partial
IBM Security Access Manager for Enterprise Single Sign-On 8.2.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 164555.
17 CVE-2019-4512 209 2019-10-09 2019-10-09
4.0
None Remote Low Single system Partial None None
IBM Maximo Asset Management 7.6.1.1 generates an error message that includes sensitive information that could be used in further attacks against the system. IBM X-Force ID: 164554.
18 CVE-2019-4505 200 +Info 2019-09-20 2019-10-09
5.0
None Remote Low Not required Partial None None
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 Network Deployment could allow a remote attacker to obtain sensitive information, caused by sending a specially-crafted URL. This can lead the attacker to view any file in a certain directory. IBM X-Force ID: 164364.
19 CVE-2019-4497 79 XSS 2019-10-01 2019-10-09
3.5
None Remote Medium Single system None Partial None
IBM Jazz Reporting Service (JRS) 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, and 6.0.6.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 164118.
20 CVE-2019-4495 79 XSS 2019-10-01 2019-10-09
3.5
None Remote Medium Single system None Partial None
IBM Jazz Reporting Service (JRS) 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, and 6.0.6.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 164116.
21 CVE-2019-4494 79 XSS 2019-10-01 2019-10-09
3.5
None Remote Medium Single system None Partial None
IBM Jazz Reporting Service (JRS) 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, and 6.0.6.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 164115.
22 CVE-2019-4485 200 +Info 2019-08-20 2019-10-09
4.0
None Remote Low Single system Partial None None
IBM Emptoris Sourcing 10.1.0 through 10.1.3, IBM Contract Management 10.1.0 through 10.1.3, and IBM Emptoris Spend Analysis 10.1.0 through 10.1.3 generates an error message that includes sensitive information that could be used in further attacks against the system. IBM X-Force ID: 164069.
23 CVE-2019-4484 200 +Info 2019-08-20 2019-10-09
4.0
None Remote Low Single system Partial None None
IBM Emptoris Sourcing 10.1.0 through 10.1.3, IBM Contract Management 10.1.0 through 10.1.3, and IBM Emptoris Spend Analysis 10.1.0 through 10.1.3 generates an error message that includes sensitive information that could be used in further attacks against the system. IBM X-Force ID: 164068.
24 CVE-2019-4483 89 Sql 2019-08-20 2019-10-09
7.5
None Remote Low Not required Partial Partial Partial
IBM Contract Management 10.1.0 through 10.1.3 and IBM Emptoris Spend Analysis 10.1.0 through 10.1.3 are vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 164067.
25 CVE-2019-4482 79 XSS 2019-08-20 2019-10-09
3.5
None Remote Medium Single system None Partial None
IBM Emptoris Spend Analysis 10.1.0 through 10.1.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 164066.
26 CVE-2019-4481 89 Sql 2019-08-20 2019-10-09
7.5
None Remote Low Not required Partial Partial Partial
IBM Contract Management 10.1.0 through 10.1.3 and IBM Emptoris Spend Analysis 10.1.0 through 10.1.3 are vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 164064.
27 CVE-2019-4477 200 +Info 2019-09-17 2019-10-09
4.0
None Remote Low Single system Partial None None
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a user with access to audit logs to obtain sensitive information, caused by improper handling of command line options. IBM X-Force ID: 163997.
28 CVE-2019-4473 264 2019-08-05 2019-10-09
4.6
None Local Low Not required Partial Partial Partial
Multiple binaries in IBM SDK, Java Technology Edition 7, 7R, and 8 on the AIX platform use insecure absolute RPATHs, which may facilitate code injection and privilege elevation by local users. IBM X-Force ID: 163984.
29 CVE-2019-4460 22 Dir. Trav. 2019-08-20 2019-10-09
5.0
None Remote Low Not required Partial None None
IBM API Connect 5.0.0.0 through 5.0.8.6 developer portal could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 163681.
30 CVE-2019-4456 611 2019-07-30 2019-10-09
5.5
None Remote Low Single system Partial None Partial
IBM Daeja ViewONE Professional, Standard & Virtual 5.0.5 and 5.0.6 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 163620.
31 CVE-2019-4448 264 Exec Code 2019-08-26 2019-10-09
7.2
None Local Low Not required Complete Complete Complete
IBM DB2 High Performance Unload for LUW 6.1, 6.1.0.1, 6.1.0.1 IF1, 6.1.0.2, 6.1.0.2 IF1, and 6.1.0.1 IF2: the db2hpum and db2hpum_debug binaries are setuid root and have built-in options that allow a low-privileged user to load arbitrary db2 libraries in a privileged context. This results in arbitrary code being executed with root authority. IBM X-Force ID: 163489.
32 CVE-2019-4447 264 Exec Code 2019-08-26 2019-10-09
7.2
None Local Low Not required Complete Complete Complete
IBM DB2 High Performance Unload for LUW 6.1, 6.1.0.1, 6.1.0.1 IF1, 6.1.0.2, 6.1.0.2 IF1, and 6.1.0.1 IF2: db2hpum_debug is a setuid root binary that trusts the PATH environment variable. A low-privileged user can execute arbitrary commands as root by pointing PATH at a user-controlled location: when a crash is induced, the trojan gdb command found there is executed with root privileges. IBM X-Force ID: 163488.
33 CVE-2019-4442 22 Dir. Trav. 2019-09-17 2019-10-09
4.0
None Remote Low Single system Partial None None
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to traverse directories on the file system. An attacker could send a specially-crafted URL request to enumerate arbitrary files on the system, but not to read their content. IBM X-Force ID: 163226.
34 CVE-2019-4441 209 +Info 2019-10-03 2019-10-09
5.0
None Remote Low Not required Partial None None
IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0, and Liberty could allow a remote attacker to obtain sensitive information when a stack trace is returned in the browser. IBM X-Force ID: 163177.
35 CVE-2019-4439 384 2019-07-25 2019-10-09
4.6
None Local Low Not required Partial Partial Partial
IBM Cloud Private 3.1.0, 3.1.1, and 3.1.2 does not invalidate session after logout which could allow a local user to impersonate another user on the system. IBM X-Force ID: 162949.
36 CVE-2019-4437 200 +Info 2019-08-20 2019-10-09
5.0
None Remote Low Not required Partial None None
IBM API Connect 2018.1 through 2018.4.1.6 may inadvertently leak sensitive details about internal servers and network via the API swagger documents. IBM X-Force ID: 162947.
37 CVE-2019-4433 611 2019-08-20 2019-10-09
6.4
None Remote Low Not required Partial None Partial
IBM InfoSphere Global Name Management 5.0 and 6.0 and IBM InfoSphere Identity Insight 8.1 and 9.0 are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 162890.
38 CVE-2019-4430 22 Dir. Trav. 2019-07-17 2019-10-09
5.0
None Remote Low Not required Partial None None
IBM Maximo Asset Management 7.6 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 162887.
39 CVE-2019-4425 200 +Info 2019-08-20 2019-10-09
3.5
None Remote Medium Single system Partial None None
IBM Business Automation Workflow 18.0.0.0, 18.0.0.1, and 18.0.0.2 could allow a user to obtain highly sensitive information from another user by inserting links that would be clicked on by unsuspecting users. IBM X-Force ID: 162771.
40 CVE-2019-4424 611 2019-08-20 2019-10-09
6.4
None Remote Low Not required Partial None Partial
IBM Business Automation Workflow 18.0.0.0, 18.0.0.1, 18.0.0.2, 19.0.0.1, and 19.0.0.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 162770.
41 CVE-2019-4423 22 Dir. Trav. 2019-09-30 2019-10-09
5.0
None Remote Low Not required Partial None None
IBM Sterling File Gateway 2.2.0.0 through 6.0.1.0 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 162769.
42 CVE-2019-4422 287 2019-10-03 2019-10-09
6.5
None Remote Low Single system Partial Partial Partial
IBM Security Guardium 9.0, 9.5, and 10.6 are vulnerable to a privilege escalation which could allow an authenticated user to change the accessmgr password. IBM X-Force ID: 162768.
43 CVE-2019-4420 200 +Info 2019-08-20 2019-10-09
2.1
None Local Low Not required Partial None None
IBM Intelligent Operations Center V5.1.0 through V5.2.0 could disclose detailed error messages, revealing sensitive information that could aid in further attacks against the system. IBM X-Force ID: 162738.
44 CVE-2019-4419 611 2019-08-20 2019-10-09
6.4
None Remote Low Not required Partial None Partial
IBM Intelligent Operations Center V5.1.0 through V5.2.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 162737.
45 CVE-2019-4415 264 2019-07-25 2019-10-09
4.6
None Local Low Not required Partial Partial Partial
IBM Cloud Private 3.1.1 and 3.1.2 could allow a local user to obtain elevated privileges due to improper security context constraints. IBM X-Force ID: 162706.
46 CVE-2019-4410 79 XSS 2019-07-01 2019-07-03
3.5
None Remote Medium Single system None Partial None
IBM Business Automation Workflow 18.0.0.0, 18.0.0.1, 18.0.0.2, and 19.0.0.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 162657.
47 CVE-2019-4403 79 XSS 2019-06-14 2019-10-09
3.5
None Remote Medium Single system None Partial None
IBM Connections 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 162264.
48 CVE-2019-4402 20 DoS 2019-08-20 2019-10-09
5.0
None Remote Low Not required None None Partial
IBM API Connect 2018.1 through 2018.4.1.6 developer portal could allow an unauthorized user to cause a denial of service via an unprotected API. IBM X-Force ID: 162263.
49 CVE-2019-4385 200 +Info 2019-06-19 2019-06-27
2.1
None Local Low Not required Partial None None
IBM Spectrum Protect Plus 10.1.2 may display the vSnap CIFS password in the IBM Spectrum Protect Plus Joblog. This can result in an attacker gaining access to sensitive information as well as vSnap. IBM X-Force ID: 162173.
50 CVE-2019-4384 22 Dir. Trav. 2019-06-19 2019-06-27
4.0
None Remote Low Single system Partial None None
IBM Campaign 9.1.2 and 10.1 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 162172.
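Worked example for entry 11 (CVE-2019-4538, open redirect in IBM Security Directory Server). This is an added illustration written for this page, not IBM's code or the product's logic: a redirect-target validator in Python that only lets a "return to" parameter send the browser to a same-origin path or to an allow-listed host, and rejects the shapes that routinely defeat naive checks (protocol-relative "//host", backslash variants, user-info tricks such as "https://trusted@evil", a scheme with no slashes such as "https:evil", and non-http schemes). The host allow-list, the fallback path and the sample inputs are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Assumed allow-list for the example: hosts the application may redirect to.
ALLOWED_HOSTS = {"portal.example.com", "sso.example.com"}
FALLBACK = "/"


def safe_redirect_target(target, allowed_hosts=ALLOWED_HOSTS, fallback=FALLBACK):
    """Return `target` if it is safe to place in a Location header, else `fallback`.

    Safe means: a same-origin absolute path ("/account"), or an http(s) URL
    whose host is on the allow-list. Everything else is treated as hostile.
    """
    if not target:
        return fallback
    # Browsers accept "\" as a path separator; normalise so "/\evil" is seen as "//evil".
    candidate = target.strip().replace("\\", "/")
    parts = urlsplit(candidate)

    if parts.scheme:
        # Absolute URL. urlsplit lower-cases the scheme and strips user-info
        # when computing .hostname, so "https://portal.example.com@evil.example"
        # yields hostname "evil.example" and is rejected below.
        if parts.scheme not in ("http", "https"):
            return fallback  # javascript:, data:, vbscript:, ...
        if parts.hostname in allowed_hosts:
            return candidate
        return fallback  # also covers "https:evil.example", which has no netloc

    if parts.netloc:
        # Protocol-relative "//evil.example/...": inherits the scheme, changes the host.
        return fallback

    if candidate.startswith("/") and not candidate.startswith("//"):
        return candidate  # plain same-origin path; "///evil.example" is refused here

    return fallback


# Constructed inputs of the kind a phishing link would carry; not from any advisory.
PHISHING_SAMPLES = [
    "/account/home",
    "//evil.example/login",
    "/\\evil.example/login",
    "https://portal.example.com@evil.example/",
    "https:evil.example",
    "javascript:alert(document.cookie)",
    "https://portal.example.com/home",
]


def classify_samples(samples=PHISHING_SAMPLES):
    """Map each sample to the Location value the application would actually emit."""
    return {s: safe_redirect_target(s) for s in samples}


if __name__ == "__main__":
    for sample, location in classify_samples().items():
        print(f"{sample!r:45} -> {location}")
```

The check deliberately compares the parsed hostname, not the raw string, against the allow-list: prefix tests such as startswith("https://portal.example.com") are exactly what "https://portal.example.com@evil.example" and "https://portal.example.com.evil.example" are built to pass.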
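Worked example for entries 24 and 26 (CVE-2019-4483 and CVE-2019-4481, SQL injection in IBM Contract Management and IBM Emptoris Spend Analysis). This is an added illustration, not code from those products and not the payloads from the advisories: a constructed in-memory SQLite schema with the string-concatenation pattern that produces the "view, add, modify or delete" outcome the entries describe, beside the parameterised form that does not. The schema, table contents and attacker strings are all assumptions made for the example.

```python
import sqlite3


def build_db():
    """Constructed stand-in for a contract-management back end (not the product schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE contracts (id INTEGER PRIMARY KEY, owner TEXT, title TEXT, terms TEXT)"
    )
    conn.executemany(
        "INSERT INTO contracts (owner, title, terms) VALUES (?, ?, ?)",
        [("alice", "Supplier A", "alice-confidential-terms"),
         ("bob", "Supplier B", "bob-confidential-terms")],
    )
    conn.commit()
    return conn


def vulnerable_titles(conn, owner):
    """Vulnerable pattern: untrusted input is spliced into the SQL text."""
    sql = f"SELECT title FROM contracts WHERE owner = '{owner}'"
    return [row[0] for row in conn.execute(sql)]


def safe_titles(conn, owner):
    """Hardened: the value travels as a bound parameter, never as SQL syntax."""
    return [row[0] for row in
            conn.execute("SELECT title FROM contracts WHERE owner = ?", (owner,))]


def vulnerable_delete(conn, owner, title):
    """Vulnerable DELETE; returns the number of rows removed."""
    sql = f"DELETE FROM contracts WHERE owner = '{owner}' AND title = '{title}'"
    return conn.execute(sql).rowcount


def safe_delete(conn, owner, title):
    """Parameterised DELETE; returns the number of rows removed."""
    return conn.execute(
        "DELETE FROM contracts WHERE owner = ? AND title = ?", (owner, title)).rowcount


# Constructed attacker inputs: generic injection shapes, not the advisory payloads.
TAUTOLOGY = "alice' OR '1'='1"                             # widens the WHERE to every row
UNION_EXFIL = "x' UNION SELECT terms FROM contracts --"    # reads a column the query never exposed


def demo():
    """Run each input through the vulnerable and the hardened variant."""
    conn = build_db()
    return {
        "tautology_vulnerable": sorted(vulnerable_titles(conn, TAUTOLOGY)),
        "tautology_safe": safe_titles(conn, TAUTOLOGY),
        "union_vulnerable": sorted(vulnerable_titles(conn, UNION_EXFIL)),
        "union_safe": safe_titles(conn, UNION_EXFIL),
        # AND binds tighter than OR, so the injected OR '1'='1' matches every row.
        "delete_safe_rows": safe_delete(conn, "bob", TAUTOLOGY),
        "delete_vulnerable_rows": vulnerable_delete(conn, "bob", TAUTOLOGY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24} {result}")
```

Note that sqlite3 refuses stacked statements in execute(), so the "add/modify" half of the advisory wording is shown here through the widened DELETE rather than through a trailing "; INSERT ..."; database drivers that allow multiple statements per call make that route available as well.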
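Worked example for entries 31, 32 and 28 (CVE-2019-4448 and CVE-2019-4447, setuid binaries that load caller-chosen libraries or resolve a helper through the caller's PATH; CVE-2019-4473, insecure RPATHs). This is an added illustration, not the db2hpum code and not exploit steps for it: it plants a fake helper in a user-writable directory, prepends that directory to PATH the way a local user would, and compares what a naive PATH search resolves against a resolver pinned to a fixed trusted path; it also shows the environment scrub a privileged helper should apply before spawning anything. The trusted path, the helper name and the forwarded variables are assumptions made for the example.

```python
import os
import shutil
import stat
import tempfile

# Assumed fixed search path for a privileged helper; never taken from the caller.
TRUSTED_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"
# Assumed set of variables worth forwarding to a privileged child; all others are dropped.
FORWARD_KEYS = ("HOME", "LANG", "TZ")


def resolve_like_system(cmd, env):
    """What a bare system("gdb ...") or execvp() does: search the caller's PATH in order."""
    return shutil.which(cmd, path=env.get("PATH", ""))


def resolve_hardened(cmd):
    """Search only the fixed trusted PATH, whatever the caller's environment says."""
    return shutil.which(cmd, path=TRUSTED_PATH)


def scrub_environment(env):
    """Minimal environment for a privileged child: fixed PATH and no loader or
    library-search knobs (LD_PRELOAD, LD_LIBRARY_PATH, product library paths)."""
    clean = {k: v for k, v in env.items() if k in FORWARD_KEYS}
    clean["PATH"] = TRUSTED_PATH
    return clean


def demo(helper_name="dbgtool"):
    """Plant a fake helper, poison PATH and LD_PRELOAD, and report which resolver is fooled."""
    with tempfile.TemporaryDirectory() as attacker_dir:
        fake = os.path.join(attacker_dir, helper_name)
        with open(fake, "w") as fh:
            # Constructed trojan: a real one would drop a root shell.
            fh.write("#!/bin/sh\necho \"running as uid $(id -u)\"\n")
        os.chmod(fake, stat.S_IRWXU)
        attacker_env = {
            "PATH": attacker_dir + os.pathsep + TRUSTED_PATH,
            "LD_PRELOAD": os.path.join(attacker_dir, "evil.so"),
        }
        return {
            "naive_hijacked": resolve_like_system(helper_name, attacker_env) == fake,
            "hardened_hijacked": resolve_hardened(helper_name) == fake,
            "scrubbed_env": scrub_environment(attacker_env),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:18} {value}")
```

The same two rules cover the RPATH entry: a privileged binary must find both its executables and its shared libraries through paths fixed at build or install time in root-owned directories, never through anything the invoking user can set or write to.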
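Worked example for entries 1 and 49 (CVE-2019-6157, a web server private key written into an IMM2 FFDC support bundle; CVE-2019-4385, a CIFS password written into a job log). This is an added illustration, not IBM's tooling: a small Python scanner that flags PEM private-key blocks, inline password fields and credentials embedded in URLs in a log or support bundle before it leaves the organisation, plus a redactor that strips them. The sample bundle lines are constructed for the example and the key body is a placeholder, not key material.

```python
import re

# Signatures for material that has no business in a support bundle or job log.
SECRET_PATTERNS = {
    "private_key": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"),
    # key=value / key: value forms; group 1 is the value to redact
    "password_field": re.compile(
        r"\b(?:password|passwd|pwd|secret)\s*[:=]\s*(\S+)", re.IGNORECASE),
    # credentials embedded in a URL: scheme://user:PASS@host
    "credential_in_url": re.compile(
        r"\b[a-z][a-z0-9+.-]*://[^/\s:@]+:([^@\s]+)@", re.IGNORECASE),
}

# Constructed sample of what an FFDC bundle or job log might contain.
SAMPLE_BUNDLE = """\
2019-04-01T10:00:00Z imm2 ffdc: collecting web server configuration
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA-constructed-placeholder-not-a-real-key
-----END RSA PRIVATE KEY-----
2019-04-01T10:00:01Z joblog: mounting vSnap share //vsnap01/backup user=svc_backup password=Winter2019!
2019-04-01T10:00:02Z joblog: connecting smb://svc_backup:Winter2019!@vsnap01/backup
2019-04-01T10:00:03Z joblog: mount succeeded
""".splitlines()


def scan_bundle(lines):
    """Return (line_number, pattern_name) for every line that leaks a secret."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((number, name))
    return findings


def _keep_context_redact_value(match):
    """Keep the matched text around group 1 (field name, scheme, user) and mask the value."""
    whole = match.group(0)
    prefix = whole[: match.start(1) - match.start(0)]
    suffix = whole[match.end(1) - match.start(0):]
    return prefix + "[REDACTED]" + suffix


def redact_bundle(lines):
    """Drop PEM private-key blocks entirely and mask inline credentials; returns new lines."""
    out, in_key_block = [], False
    for line in lines:
        if in_key_block:
            if line.startswith("-----END") and "PRIVATE KEY-----" in line:
                in_key_block = False
            continue  # key body lines are never copied through
        if SECRET_PATTERNS["private_key"].search(line):
            in_key_block = True
            out.append("[REDACTED PRIVATE KEY BLOCK]")
            continue
        line = SECRET_PATTERNS["password_field"].sub(_keep_context_redact_value, line)
        line = SECRET_PATTERNS["credential_in_url"].sub(_keep_context_redact_value, line)
        out.append(line)
    return out


if __name__ == "__main__":
    for number, name in scan_bundle(SAMPLE_BUNDLE):
        print(f"line {number}: {name}")
    print("\n".join(redact_bundle(SAMPLE_BUNDLE)))
```

Redaction is a mitigation for the bundle you are about to send; the key that was already written to disk by the firmware or product should be treated as exposed and rotated.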
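Worked example for the directory-traversal entries 29, 33, 38, 41 and 50 (CVE-2019-4460, CVE-2019-4442, CVE-2019-4430, CVE-2019-4423, CVE-2019-4384), all of which turn on "dot dot" sequences in a URL reaching the filesystem. This is an added illustration, not code from any of those products: a Python resolver that maps a request path onto a document root and refuses anything that escapes it, covering the variants a plain "../" filter misses (percent-encoded and double-encoded dots, backslashes, an embedded NUL, and a sibling directory that shares the root's prefix), plus a small audit helper run over constructed request paths. The document root and the sample requests are assumptions made for the example; nothing needs to exist on disk.

```python
import os
from urllib.parse import unquote

# Assumed document root for the example.
DOC_ROOT = "/srv/app/public"


def fully_decode(s, rounds=3):
    """Percent-decode until stable, so double-encoded "%252e%252e" is seen as "..".
    Bounded so hostile input cannot cost unbounded work."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def resolve_request_path(request_path, root=DOC_ROOT):
    """Map a URL path onto the filesystem. Returns the absolute path to serve,
    or None when the request would escape `root`."""
    decoded = fully_decode(request_path)
    if "\x00" in decoded:
        return None  # a NUL would truncate the path in C-based file APIs
    decoded = decoded.replace("\\", "/")  # Windows-style separators count too
    root = os.path.realpath(root)
    # realpath collapses "." and ".." and follows symlinks in any existing prefix,
    # so a symlink planted under the root cannot be used to point outside it.
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    # Containment check. Comparing against root + os.sep stops "/srv/app/public_bak"
    # from passing a naive startswith(root) test.
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate


# Constructed request paths in the shapes traversal probes use; not from any advisory.
SAMPLE_REQUESTS = [
    "/index.html",
    "/static/../index.html",                      # "..": stays inside, allowed
    "/../../etc/passwd",
    "/static/%2e%2e/%2e%2e/etc/passwd",           # percent-encoded dots
    "/%252e%252e/%252e%252e/etc/passwd",          # double-encoded dots
    "/static/..\\..\\etc/passwd",                 # backslash separators
    "/img.png%00/../../etc/passwd",               # NUL truncation attempt
    "/static/../../public_bak/secret.txt",        # sibling dir sharing the root prefix
]


def audit_requests(requests=SAMPLE_REQUESTS, root=DOC_ROOT):
    """Return the subset of requests the traversal-aware resolver rejects."""
    return [r for r in requests if resolve_request_path(r, root) is None]


if __name__ == "__main__":
    for request in SAMPLE_REQUESTS:
        print(f"{request!r:42} -> {resolve_request_path(request)}")
```

For detection rather than prevention, the same fully_decode step applied to web-server access logs is what makes encoded and double-encoded probes visible as "../" before any pattern match runs.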
Total number of vulnerabilities: 364 (page 1 of 8; entries 1 to 50 shown above)