Vendor CVEs
IBM
All CVEs
8,265 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-41761 | | | 0.00 | — | 0.00 | | Nov 23, 2024 | IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 10.5, 11.1, and 11.5 is vulnerable to a denial of service as the server may crash under certain conditions with a specially crafted query. |
| CVE-2024-41779 | | | 0.00 | — | 0.01 | | Nov 22, 2024 | IBM Engineering Systems Design Rhapsody - Model Manager 7.0.2 and 7.0.3 could allow a remote attacker to bypass security restrictions, caused by a race condition. By sending a specially crafted request, an attacker could exploit this vulnerability to remotely execute code. |
| CVE-2024-41781 | | | 0.00 | — | 0.00 | | Nov 22, 2024 | IBM PowerVM Platform KeyStore (IBM PowerVM Hypervisor FW950.00 through FW950.90, FW1030.00 through FW1030.60, FW1050.00 through FW1050.20, and FW1060.00 through FW1060.10 functionality can be compromised if an attacker gains service access to the HMC. An attacker that gains… |
| CVE-2024-45663 | | | 0.00 | — | 0.01 | | Nov 21, 2024 | IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.1, 11.5, and 12.1 is vulnerable to a denial of service as the server may crash under certain conditions with a specially crafted query. |
| CVE-2024-52359 | | | 0.00 | — | 0.00 | | Nov 19, 2024 | IBM Concert Software 1.0.0, 1.0.1, 1.0.2, and 1.0.2.1 could allow an authenticated user to perform unauthorized actions that should be reserved to administrator used due to improper access controls. |
| CVE-2024-52360 | | | 0.00 | — | 0.00 | | Nov 19, 2024 | IBM Concert Software 1.0.0, 1.0.1, 1.0.2, and 1.0.2.1 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify, or delete information in the back-end database. |
| CVE-2024-37070 | | | 0.00 | — | 0.00 | | Nov 19, 2024 | IBM Concert Software 1.0.0, 1.0.1, 1.0.2, and 1.0.2.1 could allow an authenticated user to obtain sensitive information that could aid in further attacks against the system. |
| CVE-2024-39726 | | | 0.00 | — | 0.01 | | Nov 15, 2024 | IBM Engineering Lifecycle Optimization - Engineering Insights 7.0.2 and 7.0.3 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. |
| CVE-2024-41784 | | | 0.00 | — | 0.01 | | Nov 15, 2024 | IBM Sterling Secure Proxy 6.0.0.0, 6.0.0.1, 6.0.0.2, 6.0.0.3, and 6.1.0.0 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot dot" sequences (/.../) to view arbitrary files on the system. |
| CVE-2024-43189 | | | 0.00 | — | 0.00 | | Nov 15, 2024 | IBM Concert Software 1.0.0 through 1.0.1 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle… |
| CVE-2024-41785 | | | 0.00 | — | 0.00 | | Nov 15, 2024 | IBM Concert Software 1.0.0 through 1.0.1 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a… |
| CVE-2024-45642 | | | 0.00 | — | 0.00 | | Nov 14, 2024 | IBM Security ReaQta 3.12 is vulnerable to cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. |
| CVE-2024-45099 | | | 0.00 | — | 0.00 | | Nov 14, 2024 | IBM Security ReaQta 3.12 is vulnerable to cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. |
| CVE-2024-45670 | | | 0.00 | — | 0.00 | | Nov 14, 2024 | IBM Security SOAR 51.0.1.0 and earlier contains a mechanism for users to recover or change their passwords without knowing the original password, but the user account must be compromised prior to the weak recovery mechanism. |
| CVE-2024-45087 | | | 0.00 | — | 0.00 | | Nov 11, 2024 | IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a… |
| CVE-2024-45088 | | | 0.00 | — | 0.00 | | Nov 11, 2024 | IBM Maximo Asset Management 7.6.1.3 is vulnerable to stored cross-site scripting. This vulnerability allows authenticated users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a… |
| CVE-2024-35146 | | | 0.00 | — | 0.00 | | Nov 6, 2024 | IBM Maximo Application Suite - Monitor Component 8.10.11, 8.11.8, and 9.0.0 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading… |
| CVE-2024-45086 | | | 0.00 | — | 0.00 | | Nov 4, 2024 | IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A privileged user could exploit this vulnerability to expose sensitive information or consume memory resources. |
| CVE-2024-41744 | | | 0.00 | — | 0.00 | | Nov 1, 2024 | IBM CICS TX Standard 11.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. |
| CVE-2024-41745 | | | 0.00 | — | 0.00 | | Nov 1, 2024 | IBM CICS TX Standard is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. |
| CVE-2024-41741 | | | 0.00 | — | 0.00 | | Nov 1, 2024 | IBM TXSeries for Multiplatforms 10.1 could allow an attacker to determine valid usernames due to an observable timing discrepancy which could be used in further attacks against the system. |
| CVE-2024-41738 | | | 0.00 | — | 0.00 | | Nov 1, 2024 | IBM TXSeries for Multiplatforms 10.1 could allow an attacker to obtain sensitive information from the query string of an HTTP GET method to process a request which could be obtained using man in the middle techniques. |
| CVE-2024-30149 | | | 0.00 | — | 0.00 | | Oct 31, 2024 | HCL AppScan Source <= 10.6.0 does not properly validate a TLS/SSL certificate for an executable. |
| CVE-2024-45656 | | | 0.00 | — | 0.00 | | Oct 29, 2024 | IBM Flexible Service Processor (FSP) FW860.00 through FW860.B3, FW950.00 through FW950.C0, FW1030.00 through FW1030.61, FW1050.00 through FW1050.21, and FW1060.00 through FW1060.10 has static credentials which may allow network users to gain service privileges to the FSP. |
| CVE-2024-30106 | | | 0.00 | — | 0.00 | | Oct 28, 2024 | HCL Connections is vulnerable to an information disclosure vulnerability, due to an IBM WebSphere Application Server error, which could allow a user to obtain sensitive information they are not entitled to due to the improper handling of request data. |
| CVE-2024-38314 | | | 0.00 | — | 0.00 | | Oct 24, 2024 | IBM Maximo Application Suite - Monitor Component 8.10, 8.11, and 9.0 could disclose information in the form of the hard-coded cryptographic key to an attacker that has compromised environment. |
| CVE-2023-50310 | | | 0.00 | — | 0.00 | | Oct 23, 2024 | IBM CICS Transaction Gateway for Multiplatforms 9.2 and 9.3 transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. |
| CVE-2024-31880 | | | 0.00 | — | 0.00 | | Oct 23, 2024 | IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 10.5, 11.1, and 11.5 is vulnerable to a denial of service, under specific configurations, as the server may crash when using a specially crafted SQL statement by an authenticated user. |
| CVE-2024-43177 | | | 0.00 | — | 0.00 | | Oct 22, 2024 | IBM Concert 1.0.0 and 1.0.1 vulnerable to attacks that rely on the use of cookies without the SameSite attribute. |
| CVE-2024-43173 | | | 0.00 | — | 0.00 | | Oct 22, 2024 | IBM Concert 1.0.0 and 1.0.1 vulnerable to attacks that rely on the use of cookies without the SameSite attribute. |
| CVE-2024-45071 | | | 0.00 | — | 0.00 | | Oct 16, 2024 | IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to stored cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a… |
| CVE-2024-45072 | | | 0.00 | — | 0.00 | | Oct 16, 2024 | IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A privileged user could exploit this vulnerability to expose sensitive information or consume memory resources. |
| CVE-2024-49340 | | | 0.00 | — | 0.00 | | Oct 15, 2024 | IBM Watson Studio Local 1.2.3 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. |
| CVE-2024-45085 | | | 0.00 | — | 0.01 | | Oct 15, 2024 | IBM WebSphere Application Server 8.5 is vulnerable to a denial of service, under certain configurations, caused by an unexpected specially crafted request. A remote attacker could exploit this vulnerability to cause an error resulting in a denial of service. |
| CVE-2024-45073 | | | 0.00 | — | 0.00 | | Sep 30, 2024 | IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to stored cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a… |
| CVE-2024-43191 | | | 0.00 | — | 0.01 | | Sep 26, 2024 | IBM ManageIQ could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted yaml file request. |
| CVE-2024-31899 | | | 0.00 | — | 0.00 | | Sep 26, 2024 | IBM Cognos Command Center 10.2.4.1 and 10.2.5 could disclose highly sensitive user information to an authenticated user with physical access to the device. |
| CVE-2023-46175 | | | 0.00 | — | 0.00 | | Sep 26, 2024 | IBM Cloud Pak for Multicloud Management 2.3 through 2.3 FP8 stores user credentials in a log file plain clear text which can be read by a privileged user. |
| CVE-2024-38324 | | | 0.00 | — | 0.00 | | Sep 24, 2024 | IBM Storage Defender 2.0.0 through 2.0.7 on-prem defender-sensor-cmd CLI does not validate server name during registration and unregistration operations which could expose sensitive information to an attacker with access to the system. |
| CVE-2021-38963 | | | 0.00 | — | 0.01 | | Sep 24, 2024 | IBM Aspera Console 3.4.0 through 3.4.4 could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a CSV injection vulnerability. By persuading a victim to open a specially crafted file, an attacker could exploit this vulnerability to execute… |
| CVE-2022-43845 | | | 0.00 | — | 0.00 | | Sep 24, 2024 | IBM Aspera Console 3.4.0 through 3.4.4 could allow a remote attacker to obtain sensitive information, caused by the failure to set the HTTPOnly flag. A remote attacker could exploit this vulnerability to obtain sensitive information from the cookie. |
| CVE-2024-40703 | | | 0.00 | — | 0.00 | | Sep 22, 2024 | IBM Cognos Analytics 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.2.4, 12.0.0, 12.0.1, 12.0.2, 12.0.3, and IBM Cognos Analytics Reports for iOS 11.0.0.7 could allow a local attacker to obtain sensitive information in the form of an API key. An attacker could use this information to… |
| CVE-2024-43188 | | | 0.00 | — | 0.00 | | Sep 18, 2024 | IBM Business Automation Workflow 22.0.2, 23.0.1, 23.0.2, and 24.0.0 could allow a privileged user to perform unauthorized activities due to improper client side validation. |
| CVE-2024-38315 | | | 0.00 | — | 0.00 | | Sep 16, 2024 | IBM Aspera Shares 1.0 through 1.10.0 PL3 does not invalidate session after a password reset which could allow an authenticated user to impersonate another user on the system. |
| CVE-2024-43180 | | | 0.00 | — | 0.00 | | Sep 13, 2024 | IBM Concert 1.0 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and… |
| CVE-2024-27257 | | | 0.00 | — | 0.00 | | Sep 10, 2024 | IBM OpenPages 8.3 and 9.0 potentially exposes information about client-side source code through use of JavaScript source maps to unauthorized users. |
| CVE-2024-40681 | | | 0.00 | — | 0.00 | | Sep 7, 2024 | IBM MQ 9.1 LTS, 9.2 LTS, 9.3 LTS, 9.3 CD, 9.4 LTS, and 9.4 CD could allow an authenticated user in a specifically defined role, to bypass security restrictions and execute actions against the queue manager. |
| CVE-2024-40680 | | | 0.00 | — | 0.00 | | Sep 7, 2024 | IBM MQ 9.3 CD and 9.4 LTS/CD could allow a local user to cause a denial of service due to improper memory allocation causing a segmentation fault. |
| CVE-2024-37068 | | | 0.00 | — | 0.00 | | Sep 7, 2024 | IBM Maximo Application Suite - Manage Component 8.10, 8.11, and 9.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information using man in the middle techniques. |
| CVE-2024-45097 | | | 0.00 | — | 0.00 | | Sep 5, 2024 | IBM Aspera Faspex 5.0.0 through 5.0.9 could allow a user to bypass intended access restrictions and conduct resource modification. |
Page 112 of 166