IBM

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in any IBM product.

Products by IBM Sorted by Most Security Vulnerabilities since 2018

 

IBM Aix108 vulnerabilities

 
 

IBM Rational Quality Manager93 vulnerabilities

 

IBM Sterling B2b Integrator70 vulnerabilities

 

IBM Cognos Analytics70 vulnerabilities

 

IBM Api Connect67 vulnerabilities

 

IBM Maximo Asset Management61 vulnerabilities

 

IBM Vios61 vulnerabilities

 

IBM Rational Team Concert56 vulnerabilities

 
 
 

IBM Security Verify Access46 vulnerabilities

 

IBM Security Access Manager37 vulnerabilities

 

IBM Spectrum Scale36 vulnerabilities

 

IBM Security Guardium35 vulnerabilities

 

IBM Datapower Gateway34 vulnerabilities

 

IBM Business Process Manager31 vulnerabilities

 

IBM I31 vulnerabilities

 
 

IBM Mq Appliance30 vulnerabilities

 
 

IBM Cloud Pak For Security29 vulnerabilities

 

IBM Planning Analytics28 vulnerabilities

 

IBM Urbancode Deploy27 vulnerabilities

 
 

IBM Db224 vulnerabilities

 

IBM Spectrum Protect Plus23 vulnerabilities

 

IBM Rhapsody Model Manager23 vulnerabilities

 
 

IBM Robotic Process Automation21 vulnerabilities

 

IBM Cics Tx21 vulnerabilities

 

IBM Mq21 vulnerabilities

 
 
 

IBM Maximo Application Suite18 vulnerabilities

 

IBM Websphere Mq18 vulnerabilities

 

IBM Content Navigator17 vulnerabilities

 

IBM Jazz Reporting Service16 vulnerabilities

 

IBM Security Directory Server16 vulnerabilities

 

IBM Planning Analytics Local16 vulnerabilities

 
 

IBM Guardium Data Encryption16 vulnerabilities

 

IBM Security Identity Manager15 vulnerabilities

 
 

IBM Powersc13 vulnerabilities

 

IBM Datacap13 vulnerabilities

 

IBM Informix Dynamic Server13 vulnerabilities

 

IBM Sterling Secure Proxy12 vulnerabilities

 

IBM Cloud Pak System12 vulnerabilities

 

IBM Qradar Suite11 vulnerabilities

 
 

IBM Security Verify Governance11 vulnerabilities

 

IBM Powervm Hypervisor10 vulnerabilities

 
 
 
 
 

IBM Aspera Faspex9 vulnerabilities

 
 

IBM Filenet Content Manager9 vulnerabilities

 

IBM Notes9 vulnerabilities

 

Known Exploited IBM Vulnerabilities

The following IBM vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

Title Description Added
IBM Aspera Faspex Code Execution Vulnerability IBM Aspera Faspex could allow a remote attacker to execute code on the system, caused by a YAML deserialization flaw. CVE-2022-47986 February 21, 2023
IBM InfoSphere BigInsights Invalid Input Vulnerability Certain APIs within BigInsights can take invalid input that might allow attackers unauthorized access to read, write, modify, or delete data. CVE-2013-3993 May 25, 2022
IBM WebSphere Application Server and Server Hypervisor Edition Code Injection. Serialized-object interfaces in certain IBM analytics, business solutions, cognitive, IT infrastructure, and mobile and social products allow remote attackers to execute arbitrary commands CVE-2015-7450 January 10, 2022
IBM Data Risk Manager Arbritary File Download IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, and 2.0.4 could allow a remote authenticated attacker to traverse directories on the system. An attacker could send a specially-crafted URL request to download arbitrary files from the system. IBM X-Force ID: 180535. CVE-2020-4430 November 3, 2021
IBM Data Risk Manager Authentication Bypass IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, and 2.0.6 could allow a remote attacker to bypass security restrictions when configured with SAML authentication. By sending a specially crafted HTTP request, an attacker could exploit this vulnerability to bypass the authentication process and gain full administrative access to the system. IBM X-Force ID: 180532. CVE-2020-4427 November 3, 2021
IBM Data Risk Manager Command Injection IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, and 2.0.4 could allow a remote authenticated attacker to execute arbitrary commands on the system. IBM X-Force ID: 180533. CVE-2020-4428 November 3, 2021
IBM Planning Analytics configuration overwrite vulnerability IBM Planning Analytics 2.0.0 through 2.0.8 is vulnerable to a configuration overwrite that allows an unauthenticated user to login as "admin", and then execute code as root or SYSTEM via TM1 scripting. IBM X-Force ID: 172094. CVE-2019-4716 November 3, 2021

By the Year

In 2024 there have been 271 vulnerabilities in IBM with an average score of 6.4 out of ten. Last year IBM had 233 security vulnerabilities published. That is, 38 more vulnerabilities have already been reported in 2024 as compared to last year. Last year, the average CVE base score was greater by 0.48

Year Vulnerabilities Average Score
2024 271 6.45
2023 233 6.93
2022 267 6.38
2021 377 6.07
2020 340 6.23
2019 439 6.09
2018 307 6.37

It may take a day or so for new IBM vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent IBM Security Vulnerabilities

IBM Db2 Denial of Service via Specially Crafted Query

CVE-2024-41762 5.3 - Medium - December 07, 2024

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 10.5, 11.1, and 11.5 is vulnerable to a denial of service as the server may crash under certain conditions with a specially crafted query.

Stack Exhaustion

IBM AIX and VIOS Local Command Execution Vulnerability

CVE-2024-47115 7.8 - High - December 07, 2024

IBM AIX 7.2, 7.3 and VIOS 3.1 and 4.1 could allow a local user to execute arbitrary commands on the system due to improper neutralization of input.

Shell injection

IBM Db2 Memory Allocation Denial of Service Vulnerability

CVE-2024-37071 5.3 - Medium - December 07, 2024

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 10.5, 11.1, and 11.5 could allow an authenticated user to cause a denial of service with a specially crafted query due to improper memory allocation.

Stack Exhaustion

IBM App Connect Enterprise Certified Container: Remote Command Execution Vulnerability

CVE-2024-51465 8.8 - High - December 04, 2024

IBM App Connect Enterprise Certified Container 11.4, 11.5, 11.6, 12.0, 12.1, 12.2, and 12.3 could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request.

Shell injection

IBM Security Verify Access Appliance Remote Command Execution Vulnerability

CVE-2024-49803 9.8 - Critical - November 29, 2024

IBM Security Verify Access Appliance 10.0.0 through 10.0.8 could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request.

Shell injection

IBM Security Verify Access Appliance Privilege Escalation Vulnerability

CVE-2024-49804 7.8 - High - November 29, 2024

IBM Security Verify Access Appliance 10.0.0 through 10.0.8 could allow a locally authenticated non-administrative user to escalate their privileges due to unnecessary permissions used to perform certain tasks.

Execution with Unnecessary Privileges

IBM Security Verify Access Appliance Hard-Coded Credentials Vulnerability

CVE-2024-49805 9.4 - Critical - November 29, 2024

IBM Security Verify Access Appliance 10.0.0 through 10.0.8 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

Use of Hard-coded Credentials

IBM Security Verify Access Appliance Hard-Coded Credentials Vulnerability

CVE-2024-49806 9.4 - Critical - November 29, 2024

IBM Security Verify Access Appliance 10.0.0 through 10.0.8 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

Use of Hard-coded Credentials

IBM Watson Query and Db2 Big SQL Insufficient Session Expiration Vulnerability

CVE-2024-35160 6.5 - Medium - November 23, 2024

IBM Watson Query on Cloud Pak for Data 1.8, 2.0, 2.1, 2.2 and IBM Db2 Big SQL on Cloud Pak for Data 7.3, 7.4, 7.5, and 7.6 could allow an authenticated user to obtain sensitive information due to insufficient session expiration.

Insufficient Session Expiration

IBM Db2 Denial of Service via Specially Crafted Query

CVE-2024-41761 5.3 - Medium - November 23, 2024

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 10.5, 11.1, and 11.5 is vulnerable to a denial of service as the server may crash under certain conditions with a specially crafted query.

Stack Exhaustion

IBM Db2 Denial of Service via Specially Crafted Query

CVE-2024-45663 6.5 - Medium - November 21, 2024

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.1 and 11.5 is vulnerable to a denial of service as the server may crash under certain conditions with a specially crafted query.

IBM Engineering Lifecycle Optimization - Engineering Insights 7.0.2 and 7.0.3 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data

CVE-2024-39726 8.2 - High - November 15, 2024

IBM Engineering Lifecycle Optimization - Engineering Insights 7.0.2 and 7.0.3 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.

XXE

IBM Sterling Secure Proxy 6.0.0.0, 6.0.0.1, 6.0.0.2, 6.0.0.3, and 6.1.0.0 could

CVE-2024-41784 7.5 - High - November 15, 2024

IBM Sterling Secure Proxy 6.0.0.0, 6.0.0.1, 6.0.0.2, 6.0.0.3, and 6.1.0.0 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot dot" sequences (/.../) to view arbitrary files on the system.

Directory traversal

IBM Security ReaQta 3.12 Cross-Site Scripting Vulnerability in Web UI

CVE-2024-45099 4.8 - Medium - November 14, 2024

IBM Security ReaQta 3.12 is vulnerable to cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

XSS

IBM Security ReaQta 3.12 Cross-Site Scripting Vulnerability in Web UI

CVE-2024-45642 5.3 - Medium - November 14, 2024

IBM Security ReaQta 3.12 is vulnerable to cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

Permissive Cross-domain Policy with Untrusted Domains

IBM Security SOAR Weak Password Recovery Mechanism Vulnerability

CVE-2024-45670 8.1 - High - November 14, 2024

IBM Security SOAR 51.0.1.0 and earlier contains a mechanism for users to recover or change their passwords without knowing the original password, but the user account must be compromised prior to the weak recovery mechanism.

Weak Password Recovery Mechanism for Forgotten Password

IBM WebSphere Application Server 8.5/9.0 XSS Vulnerability in Web UI

CVE-2024-45087 4.8 - Medium - November 11, 2024

IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

XSS

Stored XSS Vulnerability in IBM Maximo Asset Management 7.6.1.3 Web UI

CVE-2024-45088 5.4 - Medium - November 11, 2024

IBM Maximo Asset Management 7.6.1.3 is vulnerable to stored cross-site scripting. This vulnerability allows authenticated users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

XSS

IBM Maximo Suite XSS in Monitor Component

CVE-2024-35146 5.4 - Medium - November 06, 2024

IBM Maximo Application Suite - Monitor Component 8.10.11, 8.11.8, and 9.0.0 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

XSS

IBM WebSphere XXE Injection Vulnerability

CVE-2024-45086 5.5 - Medium - November 04, 2024

IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A privileged user could exploit this vulnerability to expose sensitive information or consume memory resources.

XXE

IBM TXSeries for Multiplatforms 10.1 HTTP GET Query String Information Disclosure Vulnerability

CVE-2024-41738 5.9 - Medium - November 01, 2024

IBM TXSeries for Multiplatforms 10.1 could allow an attacker to obtain sensitive information from the query string of an HTTP GET method to process a request which could be obtained using man in the middle techniques.

Use of GET Request Method With Sensitive Query Strings

IBM TXSeries for Multiplatforms 10.1 Username Enumeration Timing Attack Vulnerability

CVE-2024-41741 5.3 - Medium - November 01, 2024

IBM TXSeries for Multiplatforms 10.1 could allow an attacker to determine valid usernames due to an observable timing discrepancy which could be used in further attacks against the system.

Side Channel Attack

IBM CICS TX Standard: Cross-Site Scripting Vulnerability in Web UI

CVE-2024-41745 6.1 - Medium - November 01, 2024

IBM CICS TX Standard is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

XSS

IBM CICS Transaction Gateway for Multiplatforms 9.2 and 9.3 transmits or stores authentication credentials, but it uses an insecure method

CVE-2023-50310 7.5 - High - October 23, 2024

IBM CICS Transaction Gateway for Multiplatforms 9.2 and 9.3 transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

Insufficiently Protected Credentials

IBM Db2 for Linux

CVE-2024-31880 6.5 - Medium - October 23, 2024

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 10.5, 11.1, and 11.5 is vulnerable to a denial of service, under specific configurations, as the server may crash when using a specially crafted SQL statement by an authenticated user.

Allocation of Resources Without Limits or Throttling

IBM Concert 1.0.0 and 1.0.1 vulnerable to attacks

CVE-2024-43177 9.8 - Critical - October 22, 2024

IBM Concert 1.0.0 and 1.0.1 vulnerable to attacks that rely on the use of cookies without the SameSite attribute.

Improper Certificate Validation

IBM Concert 1.0.0 and 1.0.1 vulnerable to attacks

CVE-2024-43173 3.7 - Low - October 22, 2024

IBM Concert 1.0.0 and 1.0.1 vulnerable to attacks that rely on the use of cookies without the SameSite attribute.

Sensitive Cookie with Improper SameSite Attribute

IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data

CVE-2024-45072 5.5 - Medium - October 16, 2024

IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A privileged user could exploit this vulnerability to expose sensitive information or consume memory resources.

XXE

IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to stored cross-site scripting

CVE-2024-45071 4.8 - Medium - October 16, 2024

IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to stored cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

XSS

IBM Watson Studio Local 1.2.3 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user

CVE-2024-49340 8.8 - High - October 16, 2024

IBM Watson Studio Local 1.2.3 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.

Session Riding

IBM WebSphere Application Server 8.5 is vulnerable to a denial of service

CVE-2024-45085 7.5 - High - October 15, 2024

IBM WebSphere Application Server 8.5 is vulnerable to a denial of service, under certain configurations, caused by an unexpected specially crafted request. A remote attacker could exploit this vulnerability to cause an error resulting in a denial of service.

Improper Check for Unusual or Exceptional Conditions

IBM Storage Defender 2.0.0 through 2.0.7 on-prem defender-sensor-cmd CLI does not validate server name during registration and unregistration operations

CVE-2024-38324 6.5 - Medium - September 25, 2024

IBM Storage Defender 2.0.0 through 2.0.7 on-prem defender-sensor-cmd CLI does not validate server name during registration and unregistration operations which could expose sensitive information to an attacker with access to the system.

Improper Certificate Validation

IBM Aspera Console 3.4.0 through 3.4.4 could

CVE-2022-43845 7.5 - High - September 25, 2024

IBM Aspera Console 3.4.0 through 3.4.4 could allow a remote attacker to obtain sensitive information, caused by the failure to set the HTTPOnly flag. A remote attacker could exploit this vulnerability to obtain sensitive information from the cookie.

Incorrect Permission Assignment for Critical Resource

IBM Aspera Console 3.4.0 through 3.4.4 could

CVE-2021-38963 8 - High - September 25, 2024

IBM Aspera Console 3.4.0 through 3.4.4 could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a CSV injection vulnerability. By persuading a victim to open a specially crafted file, an attacker could exploit this vulnerability to execute arbitrary code on the system.

CSV Injection

IBM Cognos Analytics 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.2.4, 12.0.0, 12.0.1, 12.0.2, 12.0.3, and IBM Cognos Analytics Reports for iOS 11.0.0.7 could

CVE-2024-40703 5.5 - Medium - September 22, 2024

IBM Cognos Analytics 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.2.4, 12.0.0, 12.0.1, 12.0.2, 12.0.3, and IBM Cognos Analytics Reports for iOS 11.0.0.7 could allow a local attacker to obtain sensitive information in the form of an API key. An attacker could use this information to launch further attacks against affected applications.

Insufficiently Protected Credentials

IBM Business Automation Workflow 22.0.2, 23.0.1, 23.0.2, and 24.0.0 could

CVE-2024-43188 4.9 - Medium - September 18, 2024

IBM Business Automation Workflow 22.0.2, 23.0.1, 23.0.2, and 24.0.0 could allow a privileged user to perform unauthorized activities due to improper client side validation.

Client-Side Enforcement of Server-Side Security

IBM Aspera Shares 1.0 through 1.10.0 PL3 does not invalidate session after a password reset which could

CVE-2024-38315 6.5 - Medium - September 16, 2024

IBM Aspera Shares 1.0 through 1.10.0 PL3 does not invalidate session after a password reset which could allow an authenticated user to impersonate another user on the system.

Insufficient Session Expiration

IBM Concert 1.0 does not set the secure attribute on authorization tokens or session cookies

CVE-2024-43180 4.3 - Medium - September 13, 2024

IBM Concert 1.0 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.

Cleartext Transmission of Sensitive Information

IBM OpenPages 8.3 and 9.0 potentially exposes information about client-side source code through use of JavaScript source maps to unauthorized users.

CVE-2024-27257 4.3 - Medium - September 10, 2024

IBM OpenPages 8.3 and 9.0 potentially exposes information about client-side source code through use of JavaScript source maps to unauthorized users.

Inclusion of Sensitive Information in Source Code

IBM Maximo Application Suite - Manage Component 8.10, 8.11, and 9.0 uses weaker than expected cryptographic algorithms

CVE-2024-37068 7.5 - High - September 07, 2024

IBM Maximo Application Suite - Manage Component 8.10, 8.11, and 9.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information using man in the middle techniques.

Use of a Broken or Risky Cryptographic Algorithm

IBM MQ 9.3 CD and 9.4 LTS/CD could

CVE-2024-40680 5.5 - Medium - September 07, 2024

IBM MQ 9.3 CD and 9.4 LTS/CD could allow a local user to cause a denial of service due to improper memory allocation causing a segmentation fault.

Allocation of Resources Without Limits or Throttling

IBM Aspera Faspex 5.0.0 through 5.0.9 could

CVE-2024-45098 8.1 - High - September 05, 2024

IBM Aspera Faspex 5.0.0 through 5.0.9 could allow a user to bypass intended access restrictions and conduct resource modification.

IBM Aspera Faspex 5.0.0 through 5.0.9 could

CVE-2024-45097 7.1 - High - September 05, 2024

IBM Aspera Faspex 5.0.0 through 5.0.9 could allow a user to bypass intended access restrictions and conduct resource modification.

Interpretation Conflict

IBM Aspera Faspex 5.0.0 through 5.0.9 could

CVE-2024-45096 6.5 - Medium - September 05, 2024

IBM Aspera Faspex 5.0.0 through 5.0.9 could allow a user with access to the package to obtain sensitive information through a directory listing.

Exposure of Information Through Directory Listing

IBM webMethods Integration 10.15 could

CVE-2024-45076 9.9 - Critical - September 04, 2024

IBM webMethods Integration 10.15 could allow an authenticated user to upload and execute arbitrary files which could be executed on the underlying operating system.

Unrestricted File Upload

IBM webMethods Integration 10.15 could allow an authenticated user to create scheduler tasks

CVE-2024-45075 8.8 - High - September 04, 2024

IBM webMethods Integration 10.15 could allow an authenticated user to create scheduler tasks that would allow them to escalate their privileges to administrator due to missing authentication.

Use of Single-factor Authentication

IBM webMethods Integration 10.15 could allow an authenticated user to traverse directories on the system

CVE-2024-45074 6.5 - Medium - September 04, 2024

IBM webMethods Integration 10.15 could allow an authenticated user to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system.

Directory traversal

IBM Sterling Connect:Direct Web Services 6.0

CVE-2024-39747 9.8 - Critical - August 31, 2024

IBM Sterling Connect:Direct Web Services 6.0, 6.1, 6.2, and 6.3 uses default credentials for potentially critical functionality.

1392

IBM Security Verify Access 10.0.0 through 10.0.8 OIDC Provider could

CVE-2024-35133 8.2 - High - August 29, 2024

IBM Security Verify Access 10.0.0 through 10.0.8 OIDC Provider could allow a remote authenticated attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim.

Open Redirect

IBM MaaS360 for Android 6.31 through 8.60 is using hard coded credentials

CVE-2024-35118 4.6 - Medium - August 29, 2024

IBM MaaS360 for Android 6.31 through 8.60 is using hard coded credentials that can be obtained by a user with physical access to the device.

Use of Hard-coded Credentials

IBM App Connect Enterprise Certified Container 5.0

CVE-2022-43915 8.1 - High - August 24, 2024

IBM App Connect Enterprise Certified Container 5.0, 7.1, 7.2, 8.0, 8.1, 8.2, 9.0, 9.1, 9.2, 10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 11.4, 11.5, 11.6, 12.0, and 12.1 does not limit calls to unshare in running Pods. This can allow a user with privileged access to execute commands in a running Pod to elevate their user privileges.

Incorrect Permission Assignment for Critical Resource

IBM Sterling Connect:Direct Web Services 6.0, 6.1, 6.2, and 6.3 could

CVE-2024-39746 5.9 - Medium - August 22, 2024

IBM Sterling Connect:Direct Web Services 6.0, 6.1, 6.2, and 6.3 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques.

Missing Encryption of Sensitive Data

IBM Sterling Connect:Direct Web Services 6.0, 6.1, 6.2, and 6.3 uses weaker than expected cryptographic algorithms

CVE-2024-39745 7.5 - High - August 22, 2024

IBM Sterling Connect:Direct Web Services 6.0, 6.1, 6.2, and 6.3 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.

Use of a Broken or Risky Cryptographic Algorithm

IBM Sterling Connect:Direct Web Services 6.0, 6.1, 6.2, and 6.3 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user

CVE-2024-39744 4.3 - Medium - August 22, 2024

IBM Sterling Connect:Direct Web Services 6.0, 6.1, 6.2, and 6.3 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.

Session Riding

IBM OpenPages with Watson 8.3 and 9.0 could

CVE-2024-35151 6.5 - Medium - August 22, 2024

IBM OpenPages with Watson 8.3 and 9.0 could allow authenticated users access to sensitive information through improper authorization controls on APIs.

Missing Authentication for Critical Function

IBM Global Configuration Management 7.0.2 and 7.0.3 could

CVE-2024-41773 6.5 - Medium - August 20, 2024

IBM Global Configuration Management 7.0.2 and 7.0.3 could allow an authenticated user to archive a global baseline due to improper access controls.

Incorrect Ownership Assignment

IBM QRadar Suite Software 1.10.12.0 through 1.10.22.0 and IBM Cloud Pak for Security 1.10.0.0 through 1.10.11.0 could

CVE-2023-47728 6.5 - Medium - August 16, 2024

IBM QRadar Suite Software 1.10.12.0 through 1.10.22.0 and IBM Cloud Pak for Security 1.10.0.0 through 1.10.11.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the request. This information could be used in further attacks against the system. IBM X-Force ID: 272201.

Generation of Error Message Containing Sensitive Information

IBM Security Directory Integrator 7.2.0 and Security Verify Directory Integrator 10.0.0 does not perform any authentication for functionality

CVE-2022-33162 9.8 - Critical - August 16, 2024

IBM Security Directory Integrator 7.2.0 and Security Verify Directory Integrator 10.0.0 does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources, at the privilege level of a standard unprivileged user. IBM X-Force ID: 228570.

Buffer Overflow

IBM QRadar Network Packet Capture 7.5 could

CVE-2024-31905 5.9 - Medium - August 15, 2024

IBM QRadar Network Packet Capture 7.5 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 289858.

Missing Encryption of Sensitive Data

IBM InfoSphere Information Server could allow an authenticated user to consume file space resources due to unrestricted file uploads

CVE-2024-40705 6.5 - Medium - August 15, 2024

IBM InfoSphere Information Server could allow an authenticated user to consume file space resources due to unrestricted file uploads. IBM X-Force ID: 298279.

Amplification

IBM InfoSphere Information Server 11.7 could allow a privileged user to obtain sensitive information from authentication request headers

CVE-2024-40704 4.9 - Medium - August 15, 2024

IBM InfoSphere Information Server 11.7 could allow a privileged user to obtain sensitive information from authentication request headers. IBM X-Force ID: 298277.

Insufficiently Protected Credentials

IBM QRadar Suite Software 1.10.12.0 through 1.10.23.0 and IBM Cloud Pak for Security 1.10.0.0 through 1.10.11.0 stores user credentials in plain clear text

CVE-2024-25024 5.5 - Medium - August 15, 2024

IBM QRadar Suite Software 1.10.12.0 through 1.10.23.0 and IBM Cloud Pak for Security 1.10.0.0 through 1.10.11.0 stores user credentials in plain clear text which can be read by a local user. IBM X-Force ID: 281430.

Cleartext Storage of Sensitive Information

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.1 and 11.5 could

CVE-2024-37529 6.5 - Medium - August 14, 2024

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.1 and 11.5 could allow an authenticated user to cause a denial of service with a specially crafted query due to improper memory allocation. IBM X-Force ID: 294295.

Stack Exhaustion

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5 could

CVE-2024-35152 6.5 - Medium - August 14, 2024

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5 could allow an authenticated user to cause a denial of service with a specially crafted query due to improper memory allocation. IBM X-Force ID: 292639.

Stack Exhaustion

IBM Db2 for Linux

CVE-2024-35136 6.5 - Medium - August 14, 2024

IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) federated server 10.5, 11.1, and 11.5 is vulnerable to denial of service with a specially crafted query under certain non default conditions. IBM X-Force ID: 291307.

Improper Neutralization of Special Elements in Data Query Logic

IBM Db2 for Linux

CVE-2024-31882 6.5 - Medium - August 14, 2024

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.1 and 11.5 is vulnerable to a denial of service, under specific non default configurations, as the server may crash when using a specially crafted SQL statement by an authenticated user. IBM X-Force ID: 287614.

Injection

IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.8 could

CVE-2023-50314 7.5 - High - August 14, 2024

IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.8 could allow an attacker with access to the network to conduct spoofing attacks. An attacker could exploit this vulnerability using a certificate issued by a trusted authority to obtain sensitive information. IBM X-Force ID: 274713.

IBM WebSphere Application Server 8.5 and 9.0 could allow an attacker with access to the network to conduct spoofing attacks

CVE-2023-50315 5.9 - Medium - August 14, 2024

IBM WebSphere Application Server 8.5 and 9.0 could allow an attacker with access to the network to conduct spoofing attacks. An attacker could exploit this vulnerability using a certificate issued by a trusted authority to obtain sensitive information. IBM X-Force ID: 274714.

Improper Certificate Validation

The Object Request Broker (ORB) in IBM SDK

CVE-2024-27267 5.9 - Medium - August 14, 2024

The Object Request Broker (ORB) in IBM SDK, Java Technology Edition 7.1.0.0 through 7.1.5.18 and 8.0.0.0 through 8.0.8.26 is vulnerable to remote denial of service, caused by a race condition in the management of ORB listener threads. IBM X-Force ID: 284573.

Man-in-the-Middle / MITM

IBM QRadar Suite Software 1.10.12.0 through 1.10.23.0 and IBM Cloud Pak for Security 1.10.0.0 through 1.10.11.0 displays sensitive data improperly to a local privileged user, in non default configurations, during back-end commands

CVE-2024-28799 7.5 - High - August 14, 2024

IBM QRadar Suite Software 1.10.12.0 through 1.10.23.0 and IBM Cloud Pak for Security 1.10.0.0 through 1.10.11.0 displays sensitive data improperly to a local privileged user, in non default configurations, during back-end commands which may result in the unexpected disclosure of this information. IBM X-Force ID: 287173.

Invocation of Process Using Visible Sensitive Information

A vulnerability in the combination of the OpenBMC's FW1050.00 through FW1050.10, FW1030.00 through FW1030.50, and FW1020.00 through FW1020.60 default password and session management

CVE-2024-35124 7.5 - High - August 13, 2024

A vulnerability in the combination of the OpenBMC's FW1050.00 through FW1050.10, FW1030.00 through FW1030.50, and FW1020.00 through FW1020.60 default password and session management allow an attacker to gain administrative access to the BMC. IBM X-Force ID: 290674.

Missing Authentication for Critical Function

IBM Common Licensing 9.0 is vulnerable to stored cross-site scripting

CVE-2024-41774 4.8 - Medium - August 13, 2024

IBM Common Licensing 9.0 is vulnerable to stored cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 350348.

XSS

IBM Common Licensing 9.0 does not require

CVE-2024-40697 7.5 - High - August 13, 2024

IBM Common Licensing 9.0 does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts. IBM X-Force ID: 297895.

Weak Password Requirements

IBM Cloud Pak for Security (CP4S) 1.10.0.0 through 1.10.11.0 and IBM QRadar Suite Software 1.10.12.0 through 1.10.23.0 does not invalidate session after logout which could

CVE-2022-38382 4.1 - Medium - August 13, 2024

IBM Cloud Pak for Security (CP4S) 1.10.0.0 through 1.10.11.0 and IBM QRadar Suite Software 1.10.12.0 through 1.10.23.0 does not invalidate session after logout which could allow another authenticated user to obtain sensitive information. IBM X-Force ID: 233672.

Insufficient Session Expiration

IBM Aspera Shares 1.10.0 PL2 does not invalidate session after a password change which could

CVE-2023-38018 5.4 - Medium - August 12, 2024

IBM Aspera Shares 1.10.0 PL2 does not invalidate session after a password change which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 260574.

Session Fixation

IBM InfoSphere Information Server 11.7 could

CVE-2024-39751 4.3 - Medium - August 06, 2024

IBM InfoSphere Information Server 11.7 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 297429

Generation of Error Message Containing Sensitive Information

IBM Planning Analytics Local 2.0 and 2.1 connects to a MongoDB server

CVE-2024-35143 9.1 - Critical - August 04, 2024

IBM Planning Analytics Local 2.0 and 2.1 connects to a MongoDB server. MongoDB, a document-oriented database system, is listening on the remote port, and it is configured to allow connections without password authentication. A remote attacker can gain unauthorized access to the database. IBM X-Force ID: 292420.

Missing Authentication for Critical Function

IBM Business Automation Workflow 22.0.2, 23.0.1, 23.0.2, and 24.0.0 stores potentially sensitive information in log files under certain situations

CVE-2024-38321 6.5 - Medium - August 03, 2024

IBM Business Automation Workflow 22.0.2, 23.0.1, 23.0.2, and 24.0.0 stores potentially sensitive information in log files under certain situations that could be read by an authenticated user. IBM X-Force ID: 284868.

Insertion of Sensitive Information into Log File

IBM Aspera Orchestrator 4.0.1 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers

CVE-2023-26289 5.4 - Medium - July 30, 2024

IBM Aspera Orchestrator 4.0.1 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. IBM X-Force ID: 248478.

Output Sanitization

IBM Aspera Orchestrator 4.0.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user

CVE-2023-38001 6.5 - Medium - July 30, 2024

IBM Aspera Orchestrator 4.0.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 260206.

Session Riding

IBM Security Directory Integrator 7.2.0 and IBM Security Verify Directory Integrator 10.0.0 could

CVE-2022-33167 7.5 - High - July 30, 2024

IBM Security Directory Integrator 7.2.0 and IBM Security Verify Directory Integrator 10.0.0 could allow a remote attacker to obtain sensitive information, caused by the failure to set the HTTPOnly flag. A remote attacker could exploit this vulnerability to obtain sensitive information from the cookie. IBM X-Force ID: 228587.

Incorrect Permission Assignment for Critical Resource

IBM Aspera Orchestrator 4.0.1 does not invalidate session after a password change which could

CVE-2023-26288 5.5 - Medium - July 30, 2024

IBM Aspera Orchestrator 4.0.1 does not invalidate session after a password change which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 248477.

Insufficient Session Expiration

IBM InfoSphere Information Server 11.7 is vulnerable to SQL injection

CVE-2024-40689 9.8 - Critical - July 26, 2024

IBM InfoSphere Information Server 11.7 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify, or delete information in the back-end database. IBM X-Force ID: 297719.

SQL Injection

IBM Security Directory Integrator 7.2.0 and IBM Security Verify Directory Integrator 10.0.0 is vulnerable to stored cross-site scripting

CVE-2024-28772 5.4 - Medium - July 25, 2024

IBM Security Directory Integrator 7.2.0 and IBM Security Verify Directory Integrator 10.0.0 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 285645.

XSS

IBM Security Directory Integrator 7.2.0 and IBM Security Verify Directory Integrator 10.0.0 uses insufficient session expiration which could

CVE-2022-32759 7.5 - High - July 25, 2024

IBM Security Directory Integrator 7.2.0 and IBM Security Verify Directory Integrator 10.0.0 uses insufficient session expiration which could allow an unauthorized user to obtain sensitive information. IBM X-Force ID: 228565.

Insufficient Session Expiration

IBM InfoSphere Information Server 11.7 could disclose sensitive user information to another user with physical access to the machine

CVE-2024-37533 4.6 - Medium - July 24, 2024

IBM InfoSphere Information Server 11.7 could disclose sensitive user information to another user with physical access to the machine. IBM X-Force ID: 294727.

Privacy violation

IBM Engineering Requirements Management DOORS Web Access 9.7.2.8 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data

CVE-2023-50304 8.2 - High - July 18, 2024

IBM Engineering Requirements Management DOORS Web Access 9.7.2.8 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 273335.

XXE

IBM ClearQuest (CQ) 9.1 through 9.1.0.6 is vulnerable to stored cross-site scripting

CVE-2024-28796 5.4 - Medium - July 17, 2024

IBM ClearQuest (CQ) 9.1 through 9.1.0.6 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 286833.

XSS

IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.2 could disclose sensitive information in the HTTP response using man in the middle techniques

CVE-2023-42010 3.7 - Low - July 17, 2024

IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.2 could disclose sensitive information in the HTTP response using man in the middle techniques. IBM X-Force ID: 265507.

Exposure of Sensitive System Information to an Unauthorized Control Sphere

IBM Sterling Partner Engagement Manager 6.2.2 could

CVE-2022-35640 5.5 - Medium - July 16, 2024

IBM Sterling Partner Engagement Manager 6.2.2 could allow a local attacker to obtain sensitive information when a detailed technical error message is returned. IBM X-Force ID: 230933.

Generation of Error Message Containing Sensitive Information

IBM Datacap Navigator 9.1.5, 9.1.6, 9.1.7, 9.1.8, and 9.1.9 could allow a remote attacker to traverse directories on the system

CVE-2024-39741 5.3 - Medium - July 15, 2024

IBM Datacap Navigator 9.1.5, 9.1.6, 9.1.7, 9.1.8, and 9.1.9 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 296010.

Directory traversal

IBM Datacap Navigator 9.1.5, 9.1.6, 9.1.7, 9.1.8, and 9.1.9 displays version information in HTTP requests

CVE-2024-39740 5.3 - Medium - July 15, 2024

IBM Datacap Navigator 9.1.5, 9.1.6, 9.1.7, 9.1.8, and 9.1.9 displays version information in HTTP requests that could allow an attacker to gather information for future attacks against the system. IBM X-Force ID: 296009.

IBM Datacap Navigator 9.1.5, 9.1.6, 9.1.7, 9.1.8, and 9.1.9 is vulnerable to cross-site scripting

CVE-2024-39735 5.4 - Medium - July 15, 2024

IBM Datacap Navigator 9.1.5, 9.1.6, 9.1.7, 9.1.8, and 9.1.9 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 296002.

XSS

IBM Datacap Navigator 9.1.5, 9.1.6, 9.1.7, 9.1.8, and 9.1.9 could allow an authenticated user to obtain sensitive information from source code

CVE-2024-39729 4.3 - Medium - July 15, 2024

IBM Datacap Navigator 9.1.5, 9.1.6, 9.1.7, 9.1.8, and 9.1.9 could allow an authenticated user to obtain sensitive information from source code that could be used in further attacks against the system. IBM X-Force ID: 295968.

IBM Datacap Navigator 9.1.5

CVE-2024-39736 9.8 - Critical - July 15, 2024

IBM Datacap Navigator 9.1.5, 9.1.6, 9.1.7, 9.1.8, and 9.1.9 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. IBM X-Force ID: 296003.

Output Sanitization

IBM Datacap Navigator 9.1.5, 9.1.6, 9.1.7, 9.1.8, and 9.1.9 is vulnerable to stored cross-site scripting

CVE-2024-39728 5.4 - Medium - July 15, 2024

IBM Datacap Navigator 9.1.5, 9.1.6, 9.1.7, 9.1.8, and 9.1.9 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 295967.

XSS

IBM Datacap Navigator 9.1.5, 9.1.6, 9.1.7, 9.1.8, and 9.1.9 uses weaker than expected cryptographic algorithms

CVE-2024-39731 7.5 - High - July 15, 2024

IBM Datacap Navigator 9.1.5, 9.1.6, 9.1.7, 9.1.8, and 9.1.9 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 295970.

Use of a Broken or Risky Cryptographic Algorithm

IBM Datacap Navigator 9.1.5, 9.1.6, 9.1.7, 9.1.8, and 9.1.9 could

CVE-2024-39737 5.3 - Medium - July 15, 2024

IBM Datacap Navigator 9.1.5, 9.1.6, 9.1.7, 9.1.8, and 9.1.9 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 296004.

Generation of Error Message Containing Sensitive Information

IBM Datacap Navigator 9.1.5, 9.1.6, 9.1.7, 9.1.8, and 9.1.9 is vulnerable to server-side request forgery (SSRF)

CVE-2024-39739 4.3 - Medium - July 15, 2024

IBM Datacap Navigator 9.1.5, 9.1.6, 9.1.7, 9.1.8, and 9.1.9 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 296008.

SSRF

IBM Datacap Navigator 9.1.5, 9.1.6, 9.1.7, 9.1.8, and 9.1.9 temporarily stores data from different environments

CVE-2024-39732 7.5 - High - July 14, 2024

IBM Datacap Navigator 9.1.5, 9.1.6, 9.1.7, 9.1.8, and 9.1.9 temporarily stores data from different environments that could be obtained by a malicious user. IBM X-Force ID: 295791.

Cleartext Storage of Sensitive Information

Built by Foundeo Inc., with data from the National Vulnerability Database (NVD), Icons by Icons8. Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.