IBM

What does digital transformation really mean? From intelligent workflows to smarter supply chains, get to know th… https://t.co/prNFtW1AAy
Tue Apr 20 13:00:09 +0000 2021

By the Year

In 2021 there have been 100 vulnerabilities in IBM with an average score of 5.8 out of ten. Last year IBM had 338 security vulnerabilities published. Right now, IBM is on track to have less security vulnerabilities in 2021 than it did last year. Last year, the average CVE base score was greater by 0.45

Year	Vulnerabilities	Average Score
2021	100	5.78
2020	338	6.23
2019	438	6.11
2018	306	6.37

It may take a day or so for new IBM vulnerabilities to show up. Additionally vulnerabilities may be tagged under a different product or component name.

Latest IBM Security Vulnerabilities

IBM Jazz Team Server products are vulnerable to stored cross-site scripting

CVE-2020-4920 5.4 - Medium - April 12, 2021

IBM Jazz Team Server products are vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 191396.

XSS

IBM Jazz Team Server products contain an undisclosed vulnerability

CVE-2020-4964 4.3 - Medium - April 12, 2021

IBM Jazz Team Server products contain an undisclosed vulnerability that could allow an authenticated user to present a customized message on the application which could be used to phish other users. IBM X-Force ID: 192419.

IBM Jazz Team Server products use weaker than expected cryptographic algorithms

CVE-2020-4965 7.5 - High - April 12, 2021

IBM Jazz Team Server products use weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 192422.

Inadequate Encryption Strength

IBM Jazz Team Server products are vulnerable to cross-site scripting

CVE-2021-20519 5.4 - Medium - April 12, 2021

IBM Jazz Team Server products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 198441.

XSS

IBM Spectrum Scale 5.1.0.1 could allow a local attacker to bypass the filesystem audit logging mechanism when file audit logging is enabled

CVE-2021-29671 3.3 - Low - April 09, 2021

IBM Spectrum Scale 5.1.0.1 could allow a local attacker to bypass the filesystem audit logging mechanism when file audit logging is enabled. IBM X-Force ID: 199478.

AuthZ

IBM Edge 4.2 is vulnerable to cross-site scripting

CVE-2020-4792 5.4 - Medium - April 05, 2021

IBM Edge 4.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 189441.

XSS

IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting

CVE-2020-4997 5.4 - Medium - April 05, 2021

IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 192914

XSS

IBM Jazz Foundation Products are vulnerable to cross-site scripting

CVE-2021-20352 5.4 - Medium - March 30, 2021

IBM Jazz Foundation Products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 194710.

XSS

IBM Jazz Foundation Products are vulnerable to cross-site scripting

CVE-2021-20447 5.4 - Medium - March 30, 2021

XSS

IBM Jazz Foundation Products are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data

CVE-2021-20502 7.1 - High - March 30, 2021

IBM Jazz Foundation Products are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 198059.

XXE

IBM Jazz Foundation Products are vulnerable to cross-site scripting

CVE-2021-20503 5.4 - Medium - March 30, 2021

XSS

IBM Jazz Foundation Products are vulnerable to cross-site scripting

CVE-2021-20504 5.4 - Medium - March 30, 2021

XSS

IBM Jazz Foundation Products are vulnerable to cross-site scripting

CVE-2021-20506 5.4 - Medium - March 30, 2021

XSS

IBM Jazz Foundation Products are vulnerable to cross-site scripting

CVE-2021-20518 5.4 - Medium - March 30, 2021

XSS

IBM Jazz Foundation Products are vulnerable to cross-site scripting

CVE-2021-20520 5.4 - Medium - March 30, 2021

XSS

IBM UrbanCode Deploy (UCD) 6.2.7.9, 7.0.5.4, and 7.1.1.1 could allow an authenticated user to initiate a plugin or compare process resources

CVE-2020-4848 5.4 - Medium - March 30, 2021

IBM UrbanCode Deploy (UCD) 6.2.7.9, 7.0.5.4, and 7.1.1.1 could allow an authenticated user to initiate a plugin or compare process resources that they should not have access to. IBM X-Force ID: 190293.

AuthZ

IBM UrbanCode Deploy (UCD) 6.2.7.9, 7.0.5.4, and 7.1.1.1 stores user credentials in plain in clear text which can be read by a local user

CVE-2020-4884 5.5 - Medium - March 30, 2021

IBM UrbanCode Deploy (UCD) 6.2.7.9, 7.0.5.4, and 7.1.1.1 stores user credentials in plain in clear text which can be read by a local user. IBM X-Force ID: 190908.

Cleartext Storage of Sensitive Information

IBM UrbanCode Deploy (UCD) 7.0.3.0, 7.0.4.0, 7.0.5.3, 7.0.5.4, 7.1.0.0, 7.1.1.0, 7.1.1.1, and 7.1.1.2, stores keystore passwords in plain in plain text after a manuel edit

CVE-2020-4944 5.5 - Medium - March 30, 2021

IBM UrbanCode Deploy (UCD) 7.0.3.0, 7.0.4.0, 7.0.5.3, 7.0.5.4, 7.1.0.0, 7.1.1.0, 7.1.1.1, and 7.1.1.2, stores keystore passwords in plain in plain text after a manuel edit, which can be read by a local user. IBM X-Force ID: 191944.

Cleartext Storage of Sensitive Information

IBM Cloud Pak for Automation 20.0.2 and 20.0.3 IF002 are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data

CVE-2021-20482 7.1 - High - March 30, 2021

IBM Cloud Pak for Automation 20.0.2 and 20.0.3 IF002 are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 197504.

XXE

IBM Planning Analytics 2.0 could be vulnerable to a Server-Side Request Forgery (SSRF) attack by constucting URLs

CVE-2020-4882 6.1 - Medium - March 22, 2021

IBM Planning Analytics 2.0 could be vulnerable to a Server-Side Request Forgery (SSRF) attack by constucting URLs from user-controlled data . This could enable attackers to make arbitrary requests to the internal network or to the local file system. IBM X-Force ID: 190852.

XSPA

IBM Spectrum Scale 5.0.0 through 5.0.5.5 and 5.1.0 through 5.1.0.2 could

CVE-2020-4851 5.5 - Medium - March 16, 2021

IBM Spectrum Scale 5.0.0 through 5.0.5.5 and 5.1.0 through 5.1.0.2 could allow a local user to poison log files which could impact support and development efforts. IBM X-Force ID: 190450.

Injection

IBM Spectrum Scale 5.0.0 through 5.0.5.5 and 5.1.0 through 5.1.0.2 could

CVE-2020-4890 4.4 - Medium - March 16, 2021

IBM Spectrum Scale 5.0.0 through 5.0.5.5 and 5.1.0 through 5.1.0.2 could allow a local user with a valid role to the REST API to cause a denial of service due to weak or absense of rate limiting. IBM X-Force ID: 190973.

Resource Exhaustion

IBM Spectrum Scale 5.0.0 through 5.0.5.5 and 5.1.0 through 5.1.0.2 uses an inadequate account lockout setting

CVE-2020-4891 5.5 - Medium - March 16, 2021

IBM Spectrum Scale 5.0.0 through 5.0.5.5 and 5.1.0 through 5.1.0.2 uses an inadequate account lockout setting that could allow a local user er to brute force Rest API account credentials. IBM X-Force ID: 190974.

Improper Restriction of Excessive Authentication Attempts

IBM Security Guardium 11.2 performs an operation at a privilege level

CVE-2020-4184 7.3 - High - March 15, 2021

IBM Security Guardium 11.2 performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses. IBM X-Force ID: 174802..

Improper Privilege Management

IBM API Connect 10.0.0.0, and 2018.4.1.0 through 2018.4.1.13 does not restrict member registration to the intended recepient

CVE-2021-20440 4.3 - Medium - March 15, 2021

IBM API Connect 10.0.0.0, and 2018.4.1.0 through 2018.4.1.13 does not restrict member registration to the intended recepient. An attacker who is a valid user in the user registry used by API Manager can use a stolen invitation link and register themselves as a member of an API provider organization. IBM X-Force ID: 196536.

IBM DataPower Gateway 10.0.0.0 through 10.0.1.0 uses weaker than expected cryptographic algorithms

CVE-2020-4831 7.5 - High - March 12, 2021

IBM DataPower Gateway 10.0.0.0 through 10.0.1.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 189965.

Use of a Broken or Risky Cryptographic Algorithm

IBM Tivoli Netcool/OMNIbus_GUI 8.1.0 is vulnerable to stored cross-site scripting

CVE-2021-20336 5.4 - Medium - March 11, 2021

IBM Tivoli Netcool/OMNIbus_GUI 8.1.0 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

XSS

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to traverse directories on the system

CVE-2020-5016 6.5 - Medium - March 10, 2021

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to traverse directories on the system. When application security is disabled and JAX-RPC applications are present, an attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary xml files on the system. This does not occur if Application security is enabled. IBM X-Force ID: 193556.

Directory traversal

IBM Cloud Pak for Multicloud Management Monitoring 2.2 returns potentially sensitive information in headers

CVE-2021-20341 5.3 - Medium - March 09, 2021

IBM Cloud Pak for Multicloud Management Monitoring 2.2 returns potentially sensitive information in headers which could lead to further attacks against the system. IBM X-Force ID: 194513.

IBM API Connect V10 is impacted by insecure communications during database replication

CVE-2020-4695 7.5 - High - March 08, 2021

IBM API Connect V10 is impacted by insecure communications during database replication. As the data replication happens over insecure communication channels, an attacker can view unencrypted data leading to a loss of confidentiality.

Missing Encryption of Sensitive Data

IBM API Connect V10 and V2018 could

CVE-2020-4903 6.5 - Medium - March 08, 2021

IBM API Connect V10 and V2018 could allow an attacker who has intercepted a registration invitation link to impersonate the registered user or obtain sensitive information. IBM X-Force ID: 191105.

IBM DataPower Gateway V10 and V2018 could

CVE-2020-5014 6.7 - Medium - March 08, 2021

IBM DataPower Gateway V10 and V2018 could allow a local attacker with administrative privileges to execute arbitrary code on the system using a server-side requesr forgery attack. IBM X-Force ID: 193247.

XSPA

IBM Engineering products are vulnerable to stored cross-site scripting

CVE-2020-4856 5.4 - Medium - March 04, 2021

IBM Engineering products are vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 190459.

XSS

IBM Engineering products are vulnerable to stored cross-site scripting

CVE-2020-4857 5.4 - Medium - March 04, 2021

XSS

IBM Engineering products are vulnerable to stored cross-site scripting

CVE-2020-4863 5.4 - Medium - March 04, 2021

XSS

IBM Engineering products are vulnerable to cross-site scripting

CVE-2020-4866 5.4 - Medium - March 04, 2021

IBM Engineering products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 190742.

XSS

IBM Engineering products are vulnerable to cross-site scripting

CVE-2020-4975 5.4 - Medium - March 04, 2021

XSS

IBM Engineering products are vulnerable to cross-site scripting

CVE-2021-20340 5.4 - Medium - March 04, 2021

XSS

IBM Engineering products are vulnerable to cross-site scripting

CVE-2021-20350 5.4 - Medium - March 04, 2021

XSS

IBM Engineering products are vulnerable to cross-site scripting

CVE-2021-20351 5.4 - Medium - March 04, 2021

XSS

The IBM Cloud APM 8.1.4 server will issue a DNS request to resolve any hostname specified in the Cloud Event Management Webhook URL configuration definition

CVE-2020-4719 4.9 - Medium - March 02, 2021

The IBM Cloud APM 8.1.4 server will issue a DNS request to resolve any hostname specified in the Cloud Event Management Webhook URL configuration definition. This could enable an authenticated user with admin authorization to create DNS query strings that are not hostnames. IBM X-Force ID: 187861.

Use of Incorrectly-Resolved Name or Reference

IBM Monitoring (IBM Cloud APM 8.1.4 ) could

CVE-2020-4725 3.5 - Low - March 02, 2021

IBM Monitoring (IBM Cloud APM 8.1.4 ) could allow an authenticated user to modify HTML content by sending a specially crafted HTTP request to the APM UI, which could mislead another user. IBM X-Force ID: 187974.

The IBM Application Performance Monitoring UI (IBM Cloud APM 8.1.4)

CVE-2020-4726 3.3 - Low - March 02, 2021

The IBM Application Performance Monitoring UI (IBM Cloud APM 8.1.4) allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 187975.

Insecure Storage of Sensitive Information

IBM MQ 9.1 LTS, 9.2 LTS, and 9.1 CD AMQP Channels could

CVE-2020-4931 6.5 - Medium - February 24, 2021

IBM MQ 9.1 LTS, 9.2 LTS, and 9.1 CD AMQP Channels could allow an authenticated user to cause a denial of service due to an issue processing messages. IBM X-Force ID: 191747.

IBM Planning Analytics 2.0 could

CVE-2020-4953 4.3 - Medium - February 23, 2021

IBM Planning Analytics 2.0 could allow a remote authenticated attacker to obtain information about an organization's internal structure by exposing sensitive information in HTTP repsonses. IBM X-Force ID: 192029.

Information Disclosure

IBM Spectrum Protect Operations Center 7.1 and 8.1 could

CVE-2020-4954 5.4 - Medium - February 15, 2021

IBM Spectrum Protect Operations Center 7.1 and 8.1 could allow a remote attacker to bypass authentication restrictions, caused by improper session validation . By using the configuration panel to obtain a valid session using an attacker controlled IBM Spectrum Protect server, an attacker could exploit this vulnerability to bypass authentication and gain access to a limited number of debug functions, such as logging levels. IBM X-Force ID: 192153.

Session Fixation

IBM Spectrum Protect Operations Center 7.1 and 8.1could

CVE-2020-4955 8 - High - February 15, 2021

IBM Spectrum Protect Operations Center 7.1 and 8.1could allow a remote attacker to execute arbitrary code on the system, caused by improper parameter validation. By creating an unspecified servlet request with specially crafted input parameters, an attacker could exploit this vulnerability to load a malicious .dll with elevated privileges. IBM X-Force ID: 192155.

Unrestricted File Upload

IBM Spectrum Protect Operations Center 7.1 and 8.1 is vulnerable to a denial of service, caused by a RPC

CVE-2020-4956 4.8 - Medium - February 15, 2021

IBM Spectrum Protect Operations Center 7.1 and 8.1 is vulnerable to a denial of service, caused by a RPC that allows certain cache values to be set and dumped to a file. By setting a grossly large cache value and dumping that cached value to a file multiple times, a remote attacker could exploit this vulnerability to cause the consumption of all memory resources. IBM X-Force ID: 192156.

Resource Exhaustion

IBM Case Manager 5.2 and 5.3 and IBM Business Automation Workflow 18.0, 19.0, and 20.0 are vulnerable to cross-site scripting

CVE-2020-4768 5.4 - Medium - February 11, 2021

IBM Case Manager 5.2 and 5.3 and IBM Business Automation Workflow 18.0, 19.0, and 20.0 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 188907.

XSS

IBM Security Verify Information Queue 1.0.6 and 1.0.7 could

CVE-2021-20402 2.7 - Low - February 11, 2021

IBM Security Verify Information Queue 1.0.6 and 1.0.7 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 196076.

Generation of Error Message Containing Sensitive Information

IBM Security Verify Information Queue 1.0.6 and 1.0.7 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user

CVE-2021-20403 8.8 - High - February 11, 2021

IBM Security Verify Information Queue 1.0.6 and 1.0.7 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.

Session Riding

IBM Security Verify Information Queue 1.0.6 and 1.0.7 could allow a user on the network to cause a denial of service due to an invalid cookie value

CVE-2021-20404 5.3 - Medium - February 11, 2021

IBM Security Verify Information Queue 1.0.6 and 1.0.7 could allow a user on the network to cause a denial of service due to an invalid cookie value that could prevent future logins. IBM X-Force ID: 196078.

IBM Security Verify Information Queue 1.0.6 and 1.0.7 could

CVE-2021-20405 7.5 - High - February 11, 2021

IBM Security Verify Information Queue 1.0.6 and 1.0.7 could allow a user to perform unauthorized activities due to improper encoding of output. IBM X-Force ID: 196183.

Output Sanitization

IBM Spectrum Protect Plus 10.1.0 through 10.1.7 could

CVE-2020-5023 7.5 - High - February 10, 2021

IBM Spectrum Protect Plus 10.1.0 through 10.1.7 could allow a remote user to inject arbitrary data iwhich could cause the serivce to crash due to excess resource consumption. IBM X-Force ID: 193659.

Resource Exhaustion

IBM WebSphere Application Server 7.0

CVE-2021-20353 8.2 - High - February 10, 2021

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 194882.

XXE

IBM Security Identity Governance and Intelligence 5.2.6 could

CVE-2020-4790 6.5 - Medium - February 09, 2021

IBM Security Identity Governance and Intelligence 5.2.6 could allow a user to cause a denial of service due to improperly validating a supplied URL, rendering the application unusuable. IBM X-Force ID: 189375.

Improper Input Validation

IBM Security Identity Governance and Intelligence 5.2.6 could

CVE-2020-4791 5.3 - Medium - February 09, 2021

IBM Security Identity Governance and Intelligence 5.2.6 could allow an attacker to obtain sensitive information using main in the middle attacks due to improper certificate validation. IBM X-Force ID: 189379.

Information Disclosure

IBM Security Identity Governance and Intelligence 5.2.6 could disclose sensitive information to an unauthorized user using a specially crafted HTTP request

CVE-2020-4795 8.2 - High - February 09, 2021

IBM Security Identity Governance and Intelligence 5.2.6 could disclose sensitive information to an unauthorized user using a specially crafted HTTP request. IBM X-Force ID: 189446.

Information Disclosure

IBM Security Identity Governance and Intelligence 5.2.6 does not invalidate session after logout which could

CVE-2020-4995 5.3 - Medium - February 09, 2021

IBM Security Identity Governance and Intelligence 5.2.6 does not invalidate session after logout which could allow a user to obtain sensitive information from another users' session. IBM X-Force ID: 192912.

Insufficient Session Expiration

IBM Security Identity Governance and Intelligence 5.2.6 could

CVE-2020-4996 5.5 - Medium - February 09, 2021

IBM Security Identity Governance and Intelligence 5.2.6 could allow a local user to obtain sensitive information via the capturing of screenshots of authentication credentials. IBM X-Force ID: 192913.

IBM Cloud Pak for Automation 20.0.3, 20.0.2-IF002 stores potentially sensitive information in clear text in API connection log files

CVE-2021-20358 6.5 - Medium - February 08, 2021

IBM Cloud Pak for Automation 20.0.3, 20.0.2-IF002 stores potentially sensitive information in clear text in API connection log files. This information could be obtained by a user with permissions to read log files. IBM X-Force ID: 194965.

Cleartext Storage of Sensitive Information

IBM Cloud Pak for Automation 20.0.3, 20.0.2-IF002 - Business Automation Application Designer Component stores potentially sensitive information in log files

CVE-2021-20359 6.5 - Medium - February 08, 2021

IBM Cloud Pak for Automation 20.0.3, 20.0.2-IF002 - Business Automation Application Designer Component stores potentially sensitive information in log files that could be obtained by an unauthorized user. IBM X-Force ID: 194966.

Insertion of Sensitive Information into Log File

Certain IBM API Connect 10.0.0.0 through 10.0.1.0 and 2018.4.1.0 through 2018.4.1.13 configurations

CVE-2020-4640 4.1 - Medium - February 04, 2021

Certain IBM API Connect 10.0.0.0 through 10.0.1.0 and 2018.4.1.0 through 2018.4.1.13 configurations can result in sensitive information in the URL fragment identifiers. This information can be cached in the intermediate nodes like proxy servers, cdn, logging platforms, etc. An attacker can make use of this information to perform attacks by impersonating a user. IBM X-Force ID: 185510.

Information Disclosure

IBM API Connect 10.0.0.0 through 10.0.1.0 and 2018.4.1.0 through 2018.4.1.13 is vulnerable to cross-site scripting

CVE-2020-4825 5.4 - Medium - February 04, 2021

IBM API Connect 10.0.0.0 through 10.0.1.0 and 2018.4.1.0 through 2018.4.1.13 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 189839.

XSS

IBM API Connect 10.0.0.0 through 10.0.1.0 and 2018.4.1.0 through 2018.4.1.13 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user

CVE-2020-4826 4.3 - Medium - February 04, 2021

IBM API Connect 10.0.0.0 through 10.0.1.0 and 2018.4.1.0 through 2018.4.1.13 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 189840.

Session Riding

IBM API Connect 10.0.0.0 through 10.0.1.0 and 2018.4.1.0 through 2018.4.1.13 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user

CVE-2020-4827 4.3 - Medium - February 04, 2021

Session Riding

IBM API Connect 10.0.0.0 through 10.0.1.0 and 2018.4.1.0 through 2018.4.1.13 is vulnerable to web cache poisoning

CVE-2020-4828 6.5 - Medium - February 04, 2021

IBM API Connect 10.0.0.0 through 10.0.1.0 and 2018.4.1.0 through 2018.4.1.13 is vulnerable to web cache poisoning, caused by improper input validation by modifying HTTP request headers. IBM X-Force ID: 189842.

Improper Input Validation

IBM MQ 7.5, 8.0, 9.0, 9.1, 9.2 LTS, and 9.2 CD could

CVE-2020-4682 9.8 - Critical - January 28, 2021

IBM MQ 7.5, 8.0, 9.0, 9.1, 9.2 LTS, and 9.2 CD could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization of trusted data. An attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 186509.

Marshaling, Unmarshaling

IBM QRadar SIEM 7.4.0 to 7.4.2 Patch 1 and 7.3.0 to 7.3.3 Patch 7 could

CVE-2020-4888 8.8 - High - January 28, 2021

IBM QRadar SIEM 7.4.0 to 7.4.2 Patch 1 and 7.3.0 to 7.3.3 Patch 7 could allow a remote attacker to execute arbitrary commands on the system, caused by insecure deserialization of user-supplied content by the Java deserialization function. By sending a malicious serialized Java object, an attacker could exploit this vulnerability to execute arbitrary commands on the system. IBM X-Force ID: 190912.

Marshaling, Unmarshaling

IBM Jazz Foundation products is vulnerable to cross-site scripting

CVE-2020-4524 5.4 - Medium - January 27, 2021

IBM Jazz Foundation products is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 182434.

XSS

IBM Jazz Foundation products could allow a remote attacker to hijack the clicking action of the victim

CVE-2020-4547 5.4 - Medium - January 27, 2021

IBM Jazz Foundation products could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. IBM X-Force ID: 183315.

Clickjacking

IBM QRadar SIEM 7.4.2 GA to 7.4.2 Patch 1

CVE-2020-4786 4.3 - Medium - January 27, 2021

IBM QRadar SIEM 7.4.2 GA to 7.4.2 Patch 1, 7.4.0 to 7.4.1 Patch 1, and 7.3.0 to 7.3.3 Patch 5 is vulnerable to server side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 189221.

XSPA

IBM QRadar SIEM 7.4.2 GA to 7.4.2 Patch 1

CVE-2020-4787 2.3 - Low - January 27, 2021

XSPA

IBM QRadar SIEM 7.4.2 GA to 7.4.2 Patch 1, 7.4.0 to 7.4.1 Patch 1, and 7.3.0 to 7.3.3 Patch 5 could

CVE-2020-4789 6.5 - Medium - January 27, 2021

IBM QRadar SIEM 7.4.2 GA to 7.4.2 Patch 1, 7.4.0 to 7.4.1 Patch 1, and 7.3.0 to 7.3.3 Patch 5 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 189302.

Directory traversal

IBM Jazz Foundation products is vulnerable to cross-site scripting

CVE-2020-4855 5.4 - Medium - January 27, 2021

XSS

IBM Jazz Foundation products is vulnerable to cross-site scripting

CVE-2020-4865 5.4 - Medium - January 27, 2021

XSS

IBM Jazz Foundation products is vulnerable to cross-site scripting

CVE-2021-20357 5.4 - Medium - January 27, 2021

XSS

IBM Cloud Pak for Security (CP4S) 1.3.0.1 and 1.4.0.0 could

CVE-2020-4628 5.3 - Medium - January 27, 2021

IBM Cloud Pak for Security (CP4S) 1.3.0.1 and 1.4.0.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 185369.

Generation of Error Message Containing Sensitive Information

IBM Cloud Pak for Security (CP4S) 1.3.0.1 could disclose sensitive information through HTTP headers

CVE-2020-4967 4.3 - Medium - January 27, 2021

IBM Cloud Pak for Security (CP4S) 1.3.0.1 could disclose sensitive information through HTTP headers which could be used in further attacks against the system. IBM X-Force ID: 192425.

Information Disclosure

IBM Security Identity Governance and Intelligence 5.2.6 does not perform any authentication for functionality

CVE-2020-4958 9.8 - Critical - January 21, 2021

IBM Security Identity Governance and Intelligence 5.2.6 does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. IBM X-Force ID: 192209.

Missing Authentication for Critical Function

IBM Security Identity Governance and Intelligence 5.2.6 does not set the secure attribute on authorization tokens or session cookies

CVE-2020-4966 4.3 - Medium - January 21, 2021

IBM Security Identity Governance and Intelligence 5.2.6 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. IBM X-Force ID: 192423.

insecure temporary file

IBM Security Identity Governance and Intelligence 5.2.6 uses weaker than expected cryptographic algorithms

CVE-2020-4968 6.5 - Medium - January 21, 2021

IBM Security Identity Governance and Intelligence 5.2.6 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 192427.

Use of a Broken or Risky Cryptographic Algorithm

IBM Security Identity Governance and Intelligence 5.2.6 could

CVE-2020-4969 5.9 - Medium - January 21, 2021

IBM Security Identity Governance and Intelligence 5.2.6 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques.

Cleartext Transmission of Sensitive Information

IBM AIX 7.1, 7.2 and AIX VIOS 3.1 could

CVE-2020-4887 5.5 - Medium - January 20, 2021

IBM AIX 7.1, 7.2 and AIX VIOS 3.1 could allow a local user to exploit a vulnerability in the gencore user command to create arbitrary files in any directory. IBM X-Force ID: 190911.

IBM Spectrum LSF 10.1 and IBM Spectrum LSF Suite 10.2 could

CVE-2020-4983 7.8 - High - January 20, 2021

IBM Spectrum LSF 10.1 and IBM Spectrum LSF Suite 10.2 could allow a user on the local network who has privileges to submit LSF jobs to execute arbitrary commands. IBM X-Force ID: 192586.

Command Injection

IBM Planning Analytics 2.0 allows web pages to be stored locally which can be read by another user on the system

CVE-2020-4871 5.5 - Medium - January 19, 2021

IBM Planning Analytics 2.0 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 190834.

Information Disclosure

IBM Planning Analytics 2.0 could allow an attacker to obtain sensitive information due to an overly permissive CORS policy

CVE-2020-4873 5.3 - Medium - January 19, 2021

IBM Planning Analytics 2.0 could allow an attacker to obtain sensitive information due to an overly permissive CORS policy. IBM X-Force ID: 190836.

Information Disclosure

IBM Planning Analytics 2.0 could

CVE-2020-4881 7.5 - High - January 19, 2021

IBM Planning Analytics 2.0 could allow a remote attacker to obtain sensitive information, caused by the lack of server hostname verification for SSL/TLS communication. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information. IBM X-Force ID: 190851.

Origin Validation Error

IBM API Connect 5.0.0.0 through 5.0.8.10 is vulnerable to stored cross-site scripting

CVE-2020-4838 5.4 - Medium - January 12, 2021

IBM API Connect 5.0.0.0 through 5.0.8.10 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 190036.

XSS

IBM Jazz Foundation Products could

CVE-2020-4487 4.3 - Medium - January 08, 2021

IBM Jazz Foundation Products could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 181862.

Generation of Error Message Containing Sensitive Information

IBM Jazz Foundation Products could

CVE-2020-4544 4.3 - Medium - January 08, 2021

Generation of Error Message Containing Sensitive Information

IBM Jazz Foundation Products are vulnerable to cross-site scripting

CVE-2020-4691 5.4 - Medium - January 08, 2021

XSS

IBM Jazz Foundation products are vulnerable to cross-site scripting

CVE-2020-4697 5.4 - Medium - January 08, 2021

IBM Jazz Foundation products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 186790.

XSS

IBM Jazz Foundation products are vulnerable to cross-site scripting

CVE-2020-4733 5.4 - Medium - January 08, 2021

XSS

IBM Emptoris Contract Management 10.1.3 is vulnerable to cross-site scripting

CVE-2020-4892 5.4 - Medium - January 07, 2021

IBM Emptoris Contract Management 10.1.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 190979.

XSS

IBM Emptoris Sourcing 10.1.0

CVE-2020-4896 6.5 - Medium - January 07, 2021

IBM Emptoris Sourcing 10.1.0, 10.1.1, and 10.1.3 is vulnerable to web cache poisoning, caused by improper input validation by modifying HTTP request headers. IBM X-Force ID: 190987.

HTTP Request Smuggling

IBM Emptoris Contract Management and IBM Emptoris Spend Analysis 10.1.0, 10.1.1, and 10.1.3 could

CVE-2020-4897 5.3 - Medium - January 07, 2021

IBM Emptoris Contract Management and IBM Emptoris Spend Analysis 10.1.0, 10.1.1, and 10.1.3 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 190988.

Generation of Error Message Containing Sensitive Information

IBM WebSphere eXtreme Scale 8.6.1 stores sensitive information in URL parameters

CVE-2020-4336 5.3 - Medium - January 06, 2021

IBM WebSphere eXtreme Scale 8.6.1 stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. IBM X-Force ID: 177932.

Information Disclosure

IBM API Connect 5.0.0.0 through 5.0.8.10 could potentially leak sensitive information or

CVE-2020-4899 9.1 - Critical - January 05, 2021

IBM API Connect 5.0.0.0 through 5.0.8.10 could potentially leak sensitive information or allow for data corruption due to plain text transmission of sensitive information across the network. IBM X-Force ID: 190990.

Cleartext Transmission of Sensitive Information

IBM Curam Social Program Management 7.0.9 and 7.0.11 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user

CVE-2020-4942 8.8 - High - January 04, 2021

IBM Curam Social Program Management 7.0.9 and 7.0.11 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 191942.

Session Riding