IBM
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in any IBM product.
RSS Feeds for IBM security vulnerabilities
Create a CVE RSS feed including security vulnerabilities found in IBM products with stack.watch. Just hit watch, then grab your custom RSS feed url.
Products by IBM Sorted by Most Security Vulnerabilities since 2018
Known Exploited IBM Vulnerabilities
The following IBM vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.
| Title | Description | Added |
|---|---|---|
| IBM Aspera Faspex Code Execution Vulnerability |
IBM Aspera Faspex could allow a remote attacker to execute code on the system, caused by a YAML deserialization flaw. CVE-2022-47986 Exploit Probability: 94.3% |
February 21, 2023 |
| IBM InfoSphere BigInsights Invalid Input Vulnerability |
Certain APIs within BigInsights can take invalid input that might allow attackers unauthorized access to read, write, modify, or delete data. CVE-2013-3993 Exploit Probability: 13.2% |
May 25, 2022 |
| IBM WebSphere Application Server and Server Hypervisor Edition Code Injection. |
Serialized-object interfaces in certain IBM analytics, business solutions, cognitive, IT infrastructure, and mobile and social products allow remote attackers to execute arbitrary commands CVE-2015-7450 Exploit Probability: 94.1% |
January 10, 2022 |
| IBM Data Risk Manager Arbritary File Download |
IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, and 2.0.4 could allow a remote authenticated attacker to traverse directories on the system. An attacker could send a specially-crafted URL request to download arbitrary files from the system. IBM X-Force ID: 180535. CVE-2020-4430 Exploit Probability: 55.2% |
November 3, 2021 |
| IBM Data Risk Manager Authentication Bypass |
IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, and 2.0.6 could allow a remote attacker to bypass security restrictions when configured with SAML authentication. By sending a specially crafted HTTP request, an attacker could exploit this vulnerability to bypass the authentication process and gain full administrative access to the system. IBM X-Force ID: 180532. CVE-2020-4427 Exploit Probability: 49.2% |
November 3, 2021 |
| IBM Data Risk Manager Command Injection |
IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, and 2.0.4 could allow a remote authenticated attacker to execute arbitrary commands on the system. IBM X-Force ID: 180533. CVE-2020-4428 Exploit Probability: 48.3% |
November 3, 2021 |
| IBM Planning Analytics configuration overwrite vulnerability |
IBM Planning Analytics 2.0.0 through 2.0.8 is vulnerable to a configuration overwrite that allows an unauthenticated user to login as "admin", and then execute code as root or SYSTEM via TM1 scripting. IBM X-Force ID: 172094. CVE-2019-4716 Exploit Probability: 77.0% |
November 3, 2021 |
Of the known exploited vulnerabilities above, 2 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings. 4 known exploited IBM vulnerabilities are in the top 5% (95th percentile or greater) of the EPSS exploit probability rankings.
By the Year
In 2025 there have been 129 vulnerabilities in IBM with an average score of 6.2 out of ten. Last year, in 2024 IBM had 454 security vulnerabilities published. Right now, IBM is on track to have less security vulnerabilities in 2025 than it did last year. Last year, the average CVE base score was greater by 0.25
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2025 | 129 | 6.15 |
| 2024 | 454 | 6.40 |
| 2023 | 242 | 6.92 |
| 2022 | 285 | 6.37 |
| 2021 | 377 | 6.07 |
| 2020 | 340 | 6.23 |
| 2019 | 439 | 6.09 |
| 2018 | 315 | 6.35 |
It may take a day or so for new IBM vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent IBM Security Vulnerabilities
IBM Cognos Analytics 11.2.0
CVE-2025-0917
4.8 - Medium
- June 11, 2025
IBM Cognos Analytics 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.2.4, 12.0.0, 12.0.1, 12.0.2, 12.0.3, and 12.0.4 is vulnerable to stored cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
XSS
IBM Cognos Analytics 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.2.4, 12.0.0, 12.0.1, 12.0.2, 12.0.3, and 12.0.4 stores source code on the web server
CVE-2025-0923
5.3 - Medium
- June 11, 2025
IBM Cognos Analytics 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.2.4, 12.0.0, 12.0.1, 12.0.2, 12.0.3, and 12.0.4 stores source code on the web server that could aid in further attacks against the system.
Inclusion of Sensitive Information in Source Code
IBM Cognos Analytics 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.2.4, 12.0.0, 12.0.1, 12.0.2, 12.0.3, and 12.0.4 could allow an authenticated user to cause a denial of service by sending a specially crafted request
CVE-2025-25032
7.5 - High
- June 11, 2025
IBM Cognos Analytics 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.2.4, 12.0.0, 12.0.1, 12.0.2, 12.0.3, and 12.0.4 could allow an authenticated user to cause a denial of service by sending a specially crafted request that would exhaust memory resources.
Allocation of Resources Without Limits or Throttling
IBM InfoSphere Information Server 11.7 stores credential information for database authentication in a cleartext parameter file
CVE-2025-1499
6.5 - Medium
- June 01, 2025
IBM InfoSphere Information Server 11.7 stores credential information for database authentication in a cleartext parameter file that could be viewed by an authenticated user.
Cleartext Storage of Sensitive Information
IBM Planning Analytics Local 2.0 and 2.1 is vulnerable to cross-site scripting
CVE-2025-25044
5.4 - Medium
- June 01, 2025
IBM Planning Analytics Local 2.0 and 2.1 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
XSS
IBM Planning Analytics Local 2.0 and 2.1 is vulnerable to cross-site scripting
CVE-2025-2896
5.4 - Medium
- June 01, 2025
IBM Planning Analytics Local 2.0 and 2.1 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
XSS
IBM Planning Analytics Local 2.0 and 2.1 could
CVE-2025-33004
6.5 - Medium
- June 01, 2025
IBM Planning Analytics Local 2.0 and 2.1 could allow a privileged user to delete files from directories due to improper pathname restriction.
Directory traversal
IBM Planning Analytics Local 2.0 and 2.1 does not invalidate session after a logout which could
CVE-2025-33005
8.8 - High
- June 01, 2025
IBM Planning Analytics Local 2.0 and 2.1 does not invalidate session after a logout which could allow an authenticated user to impersonate another user on the system.
Insufficient Session Expiration
IBM Db2 for Linux
CVE-2024-49350
7.5 - High
- May 29, 2025
IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.1.0 through 11.1.4.7, 11.5.0 through 11.5.9 and 12.1.0 through 12.1.1 is vulnerable to a denial of service as the server may crash under certain conditions with a specially crafted query.
Memory Corruption
IBM Db2 for Linux
CVE-2025-2518
7.5 - High
- May 29, 2025
IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.5.0 through 11.5.9 and 12.1.0 through 12.1.1 is vulnerable to a denial of service as the server may crash under certain conditions with a specially crafted query.
Stack Exhaustion
IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.5.0 through 11.5.9 and 12.1.0 through 12.1.1 could
CVE-2025-3050
6.5 - Medium
- May 29, 2025
IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.5.0 through 11.5.9 and 12.1.0 through 12.1.1 could allow an authenticated user to cause a denial of service when using Q replication due to the improper allocation of CPU resources.
Allocation of Resources Without Limits or Throttling
IBM Sterling Secure Proxy 6.2.0.0 through 6.2.0.1 could allow a remote attacker to traverse directories on the system
CVE-2024-51453
7.5 - High
- May 28, 2025
IBM Sterling Secure Proxy 6.2.0.0 through 6.2.0.1 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system.
Directory traversal
IBM Sterling Secure Proxy 6.0.0.0 through 6.0.3.1, 6.1.0.0 through 6.1.0.0, and 6.2.0.0 through 6.2.0.1 uses weaker than expected cryptographic algorithms
CVE-2024-38341
7.5 - High
- May 28, 2025
IBM Sterling Secure Proxy 6.0.0.0 through 6.0.3.1, 6.1.0.0 through 6.1.0.0, and 6.2.0.0 through 6.2.0.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.
Inadequate Encryption Strength
IBM Tivoli Monitoring 6.3.0.7 through 6.3.0.7 Service Pack 19 could
CVE-2025-3357
9.8 - Critical
- May 28, 2025
IBM Tivoli Monitoring 6.3.0.7 through 6.3.0.7 Service Pack 19 could allow a remote attacker to execute arbitrary code due to improper validation of an index value of a dynamically allocated array.
out-of-bounds array index
IBM Security Guardium 12.0 could
CVE-2025-25025
5.3 - Medium
- May 28, 2025
IBM Security Guardium 12.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system.
Generation of Error Message Containing Sensitive Information
IBM Security Guardium 12.0 could
CVE-2025-25026
4.3 - Medium
- May 28, 2025
IBM Security Guardium 12.0 could allow an authenticated user to obtain sensitive information due to an incorrect authentication check.
AuthZ
IBM Security Guardium 12.0 could
CVE-2025-25029
6.5 - Medium
- May 28, 2025
IBM Security Guardium 12.0 could allow a privileged user to download any file on the system due to improper escaping of input.
Output Sanitization
IBM Controller 11.0.0, 11.0.1, and 11.1.0 application could allow an authenticated user to obtain sensitive credentials
CVE-2025-33079
6.5 - Medium
- May 27, 2025
IBM Controller 11.0.0, 11.0.1, and 11.1.0 application could allow an authenticated user to obtain sensitive credentials that may be inadvertently included within the source code.
Insufficiently Protected Credentials
IBM Aspera Faspex 5.0.0 through 5.0.12 could
CVE-2025-33136
8.8 - High
- May 22, 2025
IBM Aspera Faspex 5.0.0 through 5.0.12 could allow an authenticated user to obtain sensitive information or perform unauthorized actions on behalf of another user due to improper protection of assumed immutable data.
MAID
IBM Aspera Faspex 5.0.0 through 5.0.12 could
CVE-2025-33137
8.8 - High
- May 22, 2025
IBM Aspera Faspex 5.0.0 through 5.0.12 could allow an authenticated user to obtain sensitive information or perform unauthorized actions on behalf of another user due to client-side enforcement of server-side security.
Client-Side Enforcement of Server-Side Security
IBM Aspera Faspex 5.0.0 through 5.0.12 is vulnerable to HTML injection
CVE-2025-33138
6.1 - Medium
- May 22, 2025
IBM Aspera Faspex 5.0.0 through 5.0.12 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site.
XSS
IBM i 7.2, 7.3, 7.4, 7.5, and 7.6 product IBM TCP/IP Connectivity Utilities for i contains a privilege escalation vulnerability
CVE-2025-33103
8.8 - High
- May 17, 2025
IBM i 7.2, 7.3, 7.4, 7.5, and 7.6 product IBM TCP/IP Connectivity Utilities for i contains a privilege escalation vulnerability. A malicious actor with command line access to the host operating system can elevate privileges to gain root access to the host operating system.
Execution with Unnecessary Privileges
IBM Content Navigator 3.0.11, 3.0.15, and 3.1.0 is vulnerable to HTML injection
CVE-2024-51475
6.1 - Medium
- May 16, 2025
IBM Content Navigator 3.0.11, 3.0.15, and 3.1.0 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site.
XSS
IBM InfoSphere Information Server 11.7 could disclose sensitive information to an authenticated user
CVE-2025-1138
4.3 - Medium
- May 15, 2025
IBM InfoSphere Information Server 11.7 could disclose sensitive information to an authenticated user that could aid in further attacks against the system through a directory listing.
Exposure of Information Through Directory Listing
IBM Security Guardium 11.5 is vulnerable to stored cross-site scripting
CVE-2025-3440
5.5 - Medium
- May 15, 2025
IBM Security Guardium 11.5 is vulnerable to stored cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
XSS
IBM CICS TX Standard 11.1 and IBM CICS TX Advanced 10.1 and 11.1 could
CVE-2025-1329
7.8 - High
- May 08, 2025
IBM CICS TX Standard 11.1 and IBM CICS TX Advanced 10.1 and 11.1 could allow a local user to execute arbitrary code on the system due to failure to handle DNS return requests by the gethostbyaddr function.
Memory Corruption
IBM CICS TX Standard 11.1 and IBM CICS TX Advanced 10.1 and 11.1 could
CVE-2025-1330
7.8 - High
- May 08, 2025
IBM CICS TX Standard 11.1 and IBM CICS TX Advanced 10.1 and 11.1 could allow a local user to execute arbitrary code on the system due to failure to handle DNS return requests by the gethostbyname function.
Memory Corruption
IBM CICS TX Standard 11.1 and IBM CICS TX Advanced 10.1 and 11.1 could
CVE-2025-1331
7.8 - High
- May 08, 2025
IBM CICS TX Standard 11.1 and IBM CICS TX Advanced 10.1 and 11.1 could allow a local user to execute arbitrary code on the system due to the use of unsafe use of the gets function.
Use of Inherently Dangerous Function
IBM Maximo Application Suite 9.0 could
CVE-2025-2898
8.8 - High
- May 06, 2025
IBM Maximo Application Suite 9.0 could allow an attacker with some level of access to elevate their privileges due to a security configuration vulnerability in Role-Based Access Control (RBAC) configurations.
Incorrect Privilege Assignment
IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 12.1.0 through 12.1.1
could
CVE-2025-1493
5.3 - Medium
- May 05, 2025
IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 12.1.0 through 12.1.1 could allow an authenticated user to cause a denial of service due to concurrent execution of shared resources.
Race Condition
IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.5.0 through 11.5.9 and 12.1.0 through 12.1.1
could
CVE-2025-1000
6.5 - Medium
- May 05, 2025
IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.5.0 through 11.5.9 and 12.1.0 through 12.1.1 could allow an authenticated user to cause a denial of service when connecting to a z/OS database due to improper handling of automatic client rerouting.
Allocation of Resources Without Limits or Throttling
IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.5.0 through 11.5.9 and 12.1.0 through 12.1.1
under specific configurations could
CVE-2025-0915
6.5 - Medium
- May 05, 2025
IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.5.0 through 11.5.9 and 12.1.0 through 12.1.1 under specific configurations could allow an authenticated user to cause a denial of service due to insufficient release of allocated memory resources.
Allocation of Resources Without Limits or Throttling
IBM Operational Decision Manager 8.11.0.1, 8.11.1.0, 8.12.0.1, and 9.0.0.1 is vulnerable to cross-site scripting
CVE-2025-1551
6.1 - Medium
- April 29, 2025
IBM Operational Decision Manager 8.11.0.1, 8.11.1.0, 8.12.0.1, and 9.0.0.1 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
XSS
IBM Aspera Console 3.4.0 through 3.4.4
is vulnerable to an XPath injection vulnerability, which could
CVE-2022-43840
4.3 - Medium
- April 14, 2025
IBM Aspera Console 3.4.0 through 3.4.4 is vulnerable to an XPath injection vulnerability, which could allow an authenticated attacker to exfiltrate sensitive application data and/or determine the structure of the XML document.
IBM Security Guardium 11.4 and 12.1 could
CVE-2025-25023
4.9 - Medium
- April 09, 2025
IBM Security Guardium 11.4 and 12.1 could allow a privileged user to read any file on the system due to incorrect privilege assignment.
Incorrect Privilege Assignment
IBM App Connect Enterprise Certified Container 7.2, 8.0, 8.1, 8.2, 9.0, 9.1, 9.2, 10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 11.4, 11.5, 11.6, 12.0, 12.1, 12.2, 12.3, 12.4, 12.5, 12.6, 12.7, and 12.8 could
CVE-2024-52362
6.5 - Medium
- March 12, 2025
IBM App Connect Enterprise Certified Container 7.2, 8.0, 8.1, 8.2, 9.0, 9.1, 9.2, 10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 11.4, 11.5, 11.6, 12.0, 12.1, 12.2, 12.3, 12.4, 12.5, 12.6, 12.7, and 12.8 could allow an authenticated user to cause a denial of service in the App Connect flow due to improper validation of server-side input.
Improper Validation of Syntactic Correctness of Input
IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.6 and 6.2.0.0 through 6.2.0.3 is vulnerable to cross-site scripting
CVE-2024-56338
4.8 - Medium
- March 11, 2025
IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.6 and 6.2.0.0 through 6.2.0.3 is vulnerable to cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
XSS
IBM Control Center 6.2.1 through 6.3.1 is vulnerable to an external service interaction attack
CVE-2023-43052
5.3 - Medium
- March 07, 2025
IBM Control Center 6.2.1 through 6.3.1 is vulnerable to an external service interaction attack, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to induce the application to perform server-side DNS lookups or HTTP requests to arbitrary domain names. By submitting suitable payloads, an attacker can cause the application server to attack other systems that it can interact with.
Interaction Error
IBM Control Center 6.2.1 through 6.3.1 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers
CVE-2023-35894
6.1 - Medium
- March 07, 2025
IBM Control Center 6.2.1 through 6.3.1 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.
Output Sanitization
IBM Aspera Shares 1.9.9 through 1.10.0 PL7 is vulnerable to an XML external entity injection (XXE) attack when processing XML data
CVE-2025-0162
7.1 - High
- March 07, 2025
IBM Aspera Shares 1.9.9 through 1.10.0 PL7 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote authenticated attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
XXE
IBM Engineering Requirements Management DOORS Next 7.0.2, 7.0.3, and 7.1 could
CVE-2024-43169
6.5 - Medium
- March 03, 2025
IBM Engineering Requirements Management DOORS Next 7.0.2, 7.0.3, and 7.1 could allow a user to download a malicious file without verifying the integrity of the code.
Download of Code Without Integrity Check
IBM Engineering Requirements Management DOORS Next 7.0.2, 7.0.3, and 7.1 could
CVE-2024-41771
7.5 - High
- March 03, 2025
IBM Engineering Requirements Management DOORS Next 7.0.2, 7.0.3, and 7.1 could allow a remote attacker to download temporary files which could expose application logic or other sensitive information.
Insufficiently Protected Credentials
IBM Engineering Requirements Management DOORS Next 7.0.2, 7.0.3, and 7.1 could
CVE-2024-41770
7.5 - High
- March 03, 2025
IBM Engineering Requirements Management DOORS Next 7.0.2, 7.0.3, and 7.1 could allow a remote attacker to download temporary files which could expose application logic or other sensitive information.
Insufficiently Protected Credentials
IBM MQ 9.3 LTS, 9.3 CD, 9.4 LTS, and 9.4 CD
could
CVE-2024-54175
5.5 - Medium
- February 28, 2025
IBM MQ 9.3 LTS, 9.3 CD, 9.4 LTS, and 9.4 CD could allow a local user to cause a denial of service due to an improper check for unusual or exceptional conditions.
Improper Check for Unusual or Exceptional Conditions
IBM MQ 9.3 LTS, 9.3 CD, 9.4 LTS, and 9.4 CD
stores potentially sensitive information in environment variables
CVE-2025-0985
5.5 - Medium
- February 28, 2025
IBM MQ 9.3 LTS, 9.3 CD, 9.4 LTS, and 9.4 CD stores potentially sensitive information in environment variables that could be obtained by a local user.
Exposure of Sensitive Information Through Environmental Variables
IBM Security Verify Bridge Directory Sync 1.0.1 through 1.0.12, IBM Security Verify Gateway for Windows Login 1.0.1 through 1.0.10, and IBM Security Verify Gateway for Radius 1.0.1 through 1.0.11 stores user credentials in configuration files
CVE-2024-45673
- February 21, 2025
IBM Security Verify Bridge Directory Sync 1.0.1 through 1.0.12, IBM Security Verify Gateway for Windows Login 1.0.1 through 1.0.10, and IBM Security Verify Gateway for Radius 1.0.1 through 1.0.11 stores user credentials in configuration files which can be read by a local user.
Password in Configuration File
Qiskit SDK 0.45.0 through 1.2.4 could
CVE-2025-1403
- February 21, 2025
Qiskit SDK 0.45.0 through 1.2.4 could allow a remote attacker to cause a denial of service using a maliciously crafted QPY file containing a malformed symengine serialization stream which can cause a segfault within the symengine library.
Marshaling, Unmarshaling
IBM OpenPages with Watson 8.3 and 9.0 IBM OpenPages
could
CVE-2024-49779
8.8 - High
- February 20, 2025
IBM OpenPages with Watson 8.3 and 9.0 IBM OpenPages could allow a remote attacker to bypass security restrictions, caused by improper validation and management of authentication cookies. By modifying the CSRF token and Session Id cookie parameters using the cookies of another user, a remote attacker could exploit this vulnerability to bypass security restrictions and gain unauthorized access to the vulnerable application.
Session Riding
IBM OpenPages with Watson 8.3 and 9.0 IBM OpenPages is vulnerable to an XML external entity injection (XXE) attack when processing XML data
CVE-2024-49781
7.1 - High
- February 20, 2025
IBM OpenPages with Watson 8.3 and 9.0 IBM OpenPages is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
XXE
IBM OpenPages with Watson 8.3 and 9.0 IBM OpenPages
with Watson Assistant chat feature enabled the application establishes a session when a user logs in and uses chat
CVE-2024-49344
4.3 - Medium
- February 20, 2025
IBM OpenPages with Watson 8.3 and 9.0 IBM OpenPages with Watson Assistant chat feature enabled the application establishes a session when a user logs in and uses chat, but the chat session is still left active after logout.
Session Fixation