Maximo Application Suite
by IBM
CVEs (24)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-4820 | Med | 0.28 | 4.3 | 0.00 | Apr 1, 2026 | IBM Maximo Application Suite 9.1, 9.0, 8.11, and 8.10 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie… | ||
| CVE-2025-14684 | Med | 0.26 | 4.0 | 0.00 | Mar 25, 2026 | IBM Maximo Application Suite - Monitor Component 9.1, 9.0, 8.11, and 8.10 could allow an unauthorized user to inject data into log messages due to improper neutralization of special elements when written to log files. | ||
| CVE-2025-36386 | 0.00 | — | 0.01 | Oct 28, 2025 | IBM Maximo Application Suite 9.0.0 through 9.0.15 and 9.1.0 through 9.1.4 could allow a remote attacker to bypass authentication mechanisms and gain unauthorized access to the application. | |||
| CVE-2025-2898 | 0.00 | — | 0.00 | May 6, 2025 | IBM Maximo Application Suite 9.0 could allow an attacker with some level of access to elevate their privileges due to a security configuration vulnerability in Role-Based Access Control (RBAC) configurations. | |||
| CVE-2023-43037 | 0.00 | — | 0.00 | Apr 10, 2025 | IBM Maximo Application Suite 8.11 and 9.0 could allow an authenticated user to perform unauthorized actions due to improper input validation. | |||
| CVE-2025-1500 | 0.00 | — | 0.00 | Apr 5, 2025 | IBM Maximo Application Suite 9.0 could allow an authenticated user to upload a file with dangerous types that could be executed by another user if opened. | |||
| CVE-2024-35150 | 0.00 | — | 0.00 | Jan 25, 2025 | IBM Maximo Application Suite 8.10.12, 8.11.0, 9.0.1, and 9.1.0 - Monitor Component does not neutralize output that is written to logs, which could allow an attacker to inject false log entries. | |||
| CVE-2024-35148 | 0.00 | — | 0.00 | Jan 25, 2025 | IBM Maximo Application Suite 8.10.10, 8.11.7, and 9.0 - Monitor Component is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. | |||
| CVE-2024-35144 | 0.00 | — | 0.00 | Jan 25, 2025 | IBM Maximo Application Suite 8.10, 8.11, and 9.0 - Monitor Component stores source code on the web server that could aid in further attacks against the system. | |||
| CVE-2024-35145 | 0.00 | — | 0.00 | Jan 25, 2025 | IBM Maximo Application Suite 9.0.0 - Monitor Component is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials… | |||
| CVE-2024-35146 | 0.00 | — | 0.00 | Nov 6, 2024 | IBM Maximo Application Suite - Monitor Component 8.10.11, 8.11.8, and 9.0.0 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading… | |||
| CVE-2024-38314 | 0.00 | — | 0.00 | Oct 24, 2024 | IBM Maximo Application Suite - Monitor Component 8.10, 8.11, and 9.0 could disclose information in the form of the hard-coded cryptographic key to an attacker that has compromised environment. | |||
| CVE-2024-37068 | 0.00 | — | 0.00 | Sep 7, 2024 | IBM Maximo Application Suite - Manage Component 8.10, 8.11, and 9.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information using man in the middle techniques. | |||
| CVE-2024-22333 | 0.00 | — | 0.00 | Jun 13, 2024 | IBM Maximo Asset Management 7.6.1.3 and IBM Maximo Application Suite 8.10 and 8.11 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 279973. | |||
| CVE-2024-22328 | 0.00 | — | 0.01 | Apr 6, 2024 | IBM Maximo Application Suite 8.10 and 8.11 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 279950. | |||
| CVE-2024-27266 | 0.00 | — | 0.01 | Mar 14, 2024 | IBM Maximo Application Suite 7.6.1.3 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 284566. | |||
| CVE-2023-32335 | 0.00 | — | 0.01 | Mar 13, 2024 | IBM Maximo Application Suite 8.10, 8.11 and IBM Maximo Asset Management 7.6.1.3 stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. IBM… | |||
| CVE-2023-43043 | 0.00 | — | 0.00 | Mar 13, 2024 | IBM Maximo Application Suite - Maximo Mobile for EAM 8.10 and 8.11 could disclose sensitive information to a local user. IBM X-Force ID: 266875. | |||
| CVE-2023-38723 | 0.00 | — | 0.00 | Mar 13, 2024 | IBM Maximo Application Suite 7.6.1.3 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. … | |||
| CVE-2023-32332 | 0.00 | — | 0.00 | Sep 8, 2023 | IBM Maximo Application Suite 8.9, 8.10 and IBM Maximo Asset Management 7.6.1.2, 7.6.1.3 are vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the… |
- risk 0.28cvss 4.3epss 0.00
IBM Maximo Application Suite 9.1, 9.0, 8.11, and 8.10 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie…
- risk 0.26cvss 4.0epss 0.00
IBM Maximo Application Suite - Monitor Component 9.1, 9.0, 8.11, and 8.10 could allow an unauthorized user to inject data into log messages due to improper neutralization of special elements when written to log files.
- CVE-2025-36386Oct 28, 2025risk 0.00cvss —epss 0.01
IBM Maximo Application Suite 9.0.0 through 9.0.15 and 9.1.0 through 9.1.4 could allow a remote attacker to bypass authentication mechanisms and gain unauthorized access to the application.
- CVE-2025-2898May 6, 2025risk 0.00cvss —epss 0.00
IBM Maximo Application Suite 9.0 could allow an attacker with some level of access to elevate their privileges due to a security configuration vulnerability in Role-Based Access Control (RBAC) configurations.
- CVE-2023-43037Apr 10, 2025risk 0.00cvss —epss 0.00
IBM Maximo Application Suite 8.11 and 9.0 could allow an authenticated user to perform unauthorized actions due to improper input validation.
- CVE-2025-1500Apr 5, 2025risk 0.00cvss —epss 0.00
IBM Maximo Application Suite 9.0 could allow an authenticated user to upload a file with dangerous types that could be executed by another user if opened.
- CVE-2024-35150Jan 25, 2025risk 0.00cvss —epss 0.00
IBM Maximo Application Suite 8.10.12, 8.11.0, 9.0.1, and 9.1.0 - Monitor Component does not neutralize output that is written to logs, which could allow an attacker to inject false log entries.
- CVE-2024-35148Jan 25, 2025risk 0.00cvss —epss 0.00
IBM Maximo Application Suite 8.10.10, 8.11.7, and 9.0 - Monitor Component is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database.
- CVE-2024-35144Jan 25, 2025risk 0.00cvss —epss 0.00
IBM Maximo Application Suite 8.10, 8.11, and 9.0 - Monitor Component stores source code on the web server that could aid in further attacks against the system.
- CVE-2024-35145Jan 25, 2025risk 0.00cvss —epss 0.00
IBM Maximo Application Suite 9.0.0 - Monitor Component is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials…
- CVE-2024-35146Nov 6, 2024risk 0.00cvss —epss 0.00
IBM Maximo Application Suite - Monitor Component 8.10.11, 8.11.8, and 9.0.0 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading…
- CVE-2024-38314Oct 24, 2024risk 0.00cvss —epss 0.00
IBM Maximo Application Suite - Monitor Component 8.10, 8.11, and 9.0 could disclose information in the form of the hard-coded cryptographic key to an attacker that has compromised environment.
- CVE-2024-37068Sep 7, 2024risk 0.00cvss —epss 0.00
IBM Maximo Application Suite - Manage Component 8.10, 8.11, and 9.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information using man in the middle techniques.
- CVE-2024-22333Jun 13, 2024risk 0.00cvss —epss 0.00
IBM Maximo Asset Management 7.6.1.3 and IBM Maximo Application Suite 8.10 and 8.11 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 279973.
- CVE-2024-22328Apr 6, 2024risk 0.00cvss —epss 0.01
IBM Maximo Application Suite 8.10 and 8.11 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 279950.
- CVE-2024-27266Mar 14, 2024risk 0.00cvss —epss 0.01
IBM Maximo Application Suite 7.6.1.3 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 284566.
- CVE-2023-32335Mar 13, 2024risk 0.00cvss —epss 0.01
IBM Maximo Application Suite 8.10, 8.11 and IBM Maximo Asset Management 7.6.1.3 stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. IBM…
- CVE-2023-43043Mar 13, 2024risk 0.00cvss —epss 0.00
IBM Maximo Application Suite - Maximo Mobile for EAM 8.10 and 8.11 could disclose sensitive information to a local user. IBM X-Force ID: 266875.
- CVE-2023-38723Mar 13, 2024risk 0.00cvss —epss 0.00
IBM Maximo Application Suite 7.6.1.3 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. …
- CVE-2023-32332Sep 8, 2023risk 0.00cvss —epss 0.00
IBM Maximo Application Suite 8.9, 8.10 and IBM Maximo Asset Management 7.6.1.2, 7.6.1.3 are vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the…
Page 1 of 2