IBM

IBM Planning Analytics 2.0 and IBM Planning Analytics Workspace 2.0 DQM API

CVE-2021-38892 9.8 - Critical - January 12, 2022

IBM Planning Analytics 2.0 and IBM Planning Analytics Workspace 2.0 DQM API allows submitting of all control requests in unauthenticated sessions. This allows a remote threat actor who can access (without previous authentication) a valid PA endpoint to read and write files to the IBM Planning Analytics system. Depending on file system permissions up to path traversal and possibly remote code execution. IBM X-Force ID: 209511.

Directory traversal

IBM AIX 7.0, 7.1, 7.2, and VIOS 3.1 could

CVE-2021-38991 7.8 - High - January 11, 2022

IBM AIX 7.0, 7.1, 7.2, and VIOS 3.1 could allow a non-privileged local user to exploit a vulnerability in the lscore command which could lead to code execution. IBM X-Force ID: 212953.

Command Injection

IBM Security Verify 10.0.0, 10.0.1.0, and 10.0.2.0 could

CVE-2021-38894 2.7 - Low - January 10, 2022

IBM Security Verify 10.0.0, 10.0.1.0, and 10.0.2.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 209515.

Generation of Error Message Containing Sensitive Information

IBM Security Verify 10.0.0, 10.0.1.0, and 10.0.2.0 is vulnerable to cross-site scripting

CVE-2021-38895 5.4 - Medium - January 10, 2022

IBM Security Verify 10.0.0, 10.0.1.0, and 10.0.2.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 209563.

XSS

IBM Security Verify 10.0.0, 10.0.1.0, and 10.0.2.0 uses weaker than expected cryptographic algorithms

CVE-2021-38921 7.5 - High - January 10, 2022

IBM Security Verify 10.0.0, 10.0.1.0, and 10.0.2.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 210067.

Use of a Broken or Risky Cryptographic Algorithm

IBM Security Verify 10.0.0, 10.0.1.0, and 10.0.2.0 could disclose sensitive version information in HTTP response headers

CVE-2021-38956 5.3 - Medium - January 10, 2022

IBM Security Verify 10.0.0, 10.0.1.0, and 10.0.2.0 could disclose sensitive version information in HTTP response headers that could aid in further attacks against the system. IBM X-Force ID: 212038

Information Disclosure

IBM Security Verify 10.0.0

CVE-2021-38957 7.5 - High - January 10, 2022

IBM Security Verify 10.0.0, 10.0.1.0, and 10.0.2.0 could disclose sensitive information due to hazardous input validation during QR code generation. IBM X-Force ID: 212040.

Improper Input Validation

IBM AIX 7.1, 7.2, and VIOS 3.1 could

CVE-2021-38990 7.8 - High - January 10, 2022

IBM AIX 7.1, 7.2, and VIOS 3.1 could allow a non-privileged local user to exploit a vulnerability in the mount command which could lead to code execution. IBM X-Force ID: 212952.

IBM PowerVM Hypervisor FW860

CVE-2021-38918 7.5 - High - January 05, 2022

IBM PowerVM Hypervisor FW860, FW940, FW950, and FW1010, through a specific sequence of VM management operations could lead to a violation of the isolation between peer VMs. IBM X-Force ID: 210019.

IBM i 7.2, 7.3, and 7.4 is vulnerable to cross-site scripting

CVE-2021-38876 6.1 - Medium - December 30, 2021

IBM i 7.2, 7.3, and 7.4 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 208404.

XSS

IBM Business Process Manager 8.5 and 8.6 and IBM Business Automation Workflow 18.0

CVE-2021-38893 5.4 - Medium - December 21, 2021

IBM Business Process Manager 8.5 and 8.6 and IBM Business Automation Workflow 18.0, 19.0, 20.0 and 21.0 are vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 209512.

XSS

IBM Business Process Manager 8.5 and 8.6 and IBM Business Automation Workflow 18.0, 19.0, 20.0 and 21.0 could

CVE-2021-38900 6.5 - Medium - December 21, 2021

IBM Business Process Manager 8.5 and 8.6 and IBM Business Automation Workflow 18.0, 19.0, 20.0 and 21.0 could allow a privileged user to obtain highly sensitive information due to improper access controls. IBM X-Force ID: 209607.

AuthZ

IBM Cloud Pak for Automation 21.0.2 is vulnerable to cross-site scripting

CVE-2021-38966 5.4 - Medium - December 21, 2021

IBM Cloud Pak for Automation 21.0.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 212357.

XSS

IBM Business Automation Workflow 18.0

CVE-2021-38883 5.4 - Medium - December 17, 2021

IBM Business Automation Workflow 18.0, 19.0, 20,0 and 21.0 and IBM Business Process Manager 8.5 and 8.6 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 209165.

XSS

IBM MQ on HPE NonStop 8.0.4 and 8.1.0 is vulnerable to a privilege escalation attack when SharedBindingsUserId is set to effective

CVE-2021-38950 7.8 - High - December 14, 2021

IBM MQ on HPE NonStop 8.0.4 and 8.1.0 is vulnerable to a privilege escalation attack when SharedBindingsUserId is set to effective. IBM X-ForceID: 211404.

Improper Privilege Management

IBM i2 Analyst's Notebook 9.2.0, 9.2.1, and 9.2.2 is vulnerable to a stack-based buffer overflow, caused by improper bounds checking

CVE-2021-39049 7.8 - High - December 13, 2021

IBM i2 Analyst's Notebook 9.2.0, 9.2.1, and 9.2.2 is vulnerable to a stack-based buffer overflow, caused by improper bounds checking. A local attacker could overflow a buffer and gain lower level privileges. IBM X-Force ID: 214439.

Memory Corruption

IBM i2 Analyst's Notebook 9.2.0, 9.2.1, and 9.2.2 is vulnerable to a stack-based buffer overflow, caused by improper bounds checking

CVE-2021-39050 7.8 - High - December 13, 2021

IBM i2 Analyst's Notebook 9.2.0, 9.2.1, and 9.2.2 is vulnerable to a stack-based buffer overflow, caused by improper bounds checking. A local attacker could overflow a buffer and gain lower level privileges. IBM X-Force ID: 214440.

Memory Corruption

IBM Spectrum Protect Operations Center 7.1, under special configurations, could allow a local user to obtain highly sensitive information

CVE-2021-38901 5.5 - Medium - December 13, 2021

IBM Spectrum Protect Operations Center 7.1, under special configurations, could allow a local user to obtain highly sensitive information. IBM X-Force ID: 209610.

Information Disclosure

IBM PowerVM Hypervisor FW860, FW940, and FW950 could allow an attacker

CVE-2021-38917 9.1 - Critical - December 10, 2021

IBM PowerVM Hypervisor FW860, FW940, and FW950 could allow an attacker that gains service access to the FSP can read and write arbitrary host system memory through a series of carefully crafted service procedures. IBM X-Force ID: 210018.

IBM PowerVM Hypervisor FW940, FW950, and FW1010 could

CVE-2021-38937 6.5 - Medium - December 10, 2021

IBM PowerVM Hypervisor FW940, FW950, and FW1010 could allow an authenticated user to cause the system to crash using a specially crafted IBMi Hypervisor call. IBM X-Force ID: 210894.

IBM Cognos Analytics 11.1.7 and 11.2.0 is vulnerable to cross-site scripting

CVE-2021-38909 5.4 - Medium - December 03, 2021

IBM Cognos Analytics 11.1.7 and 11.2.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 209706.

XSS

IBM Cognos Analytics 11.1.7 and 11.2.0 does not require

CVE-2021-20470 7.5 - High - December 03, 2021

IBM Cognos Analytics 11.1.7 and 11.2.0 does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts. IBM X-Force ID: 196339.

Weak Password Requirements

IBM Cognos Analytics 11.1.7 and 11.2.0 is vulnerable to cross-site scripting

CVE-2021-20493 6.1 - Medium - December 03, 2021

IBM Cognos Analytics 11.1.7 and 11.2.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 197794.

XSS

IBM Cognos Analytics 11.1.7 and 11.2.0 could allow a low level user to reas of the application

CVE-2021-29716 6.5 - Medium - December 03, 2021

IBM Cognos Analytics 11.1.7 and 11.2.0 could allow a low level user to reas of the application that privileged user should only be allowed to view. IBM X-Force ID: 201087.

Exposure of Resource to Wrong Sphere

IBM Cognos Analytics 11.1.7 and 11.2.0 could be vulnerable to client side vulnerabilties due to a web response specifying an incorrect content type

CVE-2021-29719 5.3 - Medium - December 03, 2021

IBM Cognos Analytics 11.1.7 and 11.2.0 could be vulnerable to client side vulnerabilties due to a web response specifying an incorrect content type. IBM X-Force ID: 201091

Exposure of Resource to Wrong Sphere

IBM Cognos Analytics 11.1.7 and 11.2.0 could allow an authenticated to view or edit a Jupyter notebook that they should not have access to

CVE-2021-29867 5.4 - Medium - December 03, 2021

IBM Cognos Analytics 11.1.7 and 11.2.0 could allow an authenticated to view or edit a Jupyter notebook that they should not have access to. IBM X-Force ID: 206212.

Exposure of Resource to Wrong Sphere

IBM Cognos Analytics 11.1.7 and 11.2.0 is vulnerable to cross-site request forgery (CSRF) in the My Inbox page which could allow an attacker to execute malicious and unauthorized actions transmitted from a user

CVE-2021-29756 8.8 - High - December 03, 2021

IBM Cognos Analytics 11.1.7 and 11.2.0 is vulnerable to cross-site request forgery (CSRF) in the My Inbox page which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 202167.

Session Riding

IBM MQ Appliance 9.2 CD and 9.2 LTS could

CVE-2021-39000 5.5 - Medium - November 30, 2021

IBM MQ Appliance 9.2 CD and 9.2 LTS could allow a local attacker to obtain sensitive information by inclusion of sensitive data within diagnostics. IBM X-Force ID: 213215.

Information Disclosure

IBM MQ Appliance could

CVE-2021-38999 5.5 - Medium - November 30, 2021

IBM MQ Appliance could allow a local attacker to obtain sensitive information by inclusion of sensitive data within trace.

Information Disclosure

IBM MQ Appliance 9.2 CD and 9.2 LTS could allow a local privileged user to inject and execute malicious code

CVE-2021-38967 6.7 - Medium - November 30, 2021

IBM MQ Appliance 9.2 CD and 9.2 LTS could allow a local privileged user to inject and execute malicious code. IBM X-Force ID: 212441.

Code Injection

IBM MQ Appliance 9.2 CD and 9.2 LTS is affected by a denial of service attack caused by a concurrency issue

CVE-2021-38958 5.5 - Medium - November 30, 2021

IBM MQ Appliance 9.2 CD and 9.2 LTS is affected by a denial of service attack caused by a concurrency issue. IBM X-Force ID: 212042

IBM Planning Analytics 2.0 is potentially vulnerable to CSV Injection

CVE-2021-38873 7.8 - High - November 24, 2021

IBM Planning Analytics 2.0 is potentially vulnerable to CSV Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 208396.

Injection

IBM MQ 8.0

CVE-2021-38875 6.5 - Medium - November 23, 2021

IBM MQ 8.0, 9.0 LTS, 9.1 LTS, 9.2 LTS, 9.1 CD, and 9.2 CD is vulnerable to a denial of service attack caused by an error processing messages. IBM X-Force ID: 208398.

IBM AIX 7.1, 7.2, and VIOS 3.1 could allow a non-privileged local user to exploit a vulnerability in EFS to expose sensitive information

CVE-2021-29861 6.2 - Medium - November 17, 2021

IBM AIX 7.1, 7.2, and VIOS 3.1 could allow a non-privileged local user to exploit a vulnerability in EFS to expose sensitive information. IBM X-Force ID: 206085.

IBM AIX 7.1, 7.2, and VIOS 3.1 could

CVE-2021-29860 6.2 - Medium - November 17, 2021

IBM AIX 7.1, 7.2, and VIOS 3.1 could allow a non-privileged local user to exploit a vulnerability in the libc.a library to expose sensitive information. IBM X-Force ID: 206084.

IBM Tivoli Key Lifecycle Manager 3.0, 3.0.1, 4.0, and 4.1 uses weaker than expected cryptographic algorithms

CVE-2021-38984 7.5 - High - November 15, 2021

IBM Tivoli Key Lifecycle Manager 3.0, 3.0.1, 4.0, and 4.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 212793.

Inadequate Encryption Strength

IBM Security SiteProtector System 3.1.1 is vulnerable to cross-site scripting

CVE-2020-4140 5.4 - Medium - November 12, 2021

IBM Security SiteProtector System 3.1.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 174052.

XSS

IBM Security SiteProtector System 3.1.1 could allow a remote attacker to obtain sensitive information, caused by missing 'HttpOnly' flag

CVE-2020-4146 5.3 - Medium - November 12, 2021

IBM Security SiteProtector System 3.1.1 could allow a remote attacker to obtain sensitive information, caused by missing 'HttpOnly' flag. A remote attacker could exploit this vulnerability to obtain sensitive information. IBM X-Force ID: 174129.

Information Disclosure

IBM Tivoli Key Lifecycle Manager 3.0, 3.0.1, 4.0, and 4.1 receives input or data, but it does not validate or incorrectly validates

CVE-2021-38972 4.3 - Medium - November 12, 2021

IBM Tivoli Key Lifecycle Manager 3.0, 3.0.1, 4.0, and 4.1 receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Improper Input Validation

IBM Tivoli Key Lifecycle Manager 3.0, 3.0.1, 4.0, and 4.1 receives input or data, but it does not validate or incorrectly validates

CVE-2021-38973 2.7 - Low - November 12, 2021

IBM Tivoli Key Lifecycle Manager 3.0, 3.0.1, 4.0, and 4.1 receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Improper Input Validation

IBM Tivoli Key Lifecycle Manager 3.0, 3.0.1, 4.0, and 4.1 receives input or data, but it does not validate or incorrectly validates

CVE-2021-38985 4.3 - Medium - November 12, 2021

IBM Tivoli Key Lifecycle Manager 3.0, 3.0.1, 4.0, and 4.1 receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Improper Input Validation

IBM InfoSphere Information Server 11.7 could allow an authenticated user to obtain sensitive information from application response requests

CVE-2021-38887 6.5 - Medium - November 10, 2021

IBM InfoSphere Information Server 11.7 could allow an authenticated user to obtain sensitive information from application response requests that could be used in further attacks against the system. IBM X-Force ID: 209401.

Information Disclosure

IBM QRadar Network Security 5.4.0 and 5.5.0 is vulnerable to cross-site scripting

CVE-2020-4153 5.4 - Medium - November 08, 2021

IBM QRadar Network Security 5.4.0 and 5.5.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 174269.

XSS

IBM QRadar Network Security 5.4.0 and 5.5.0 could

CVE-2020-4160 5.9 - Medium - November 08, 2021

IBM QRadar Network Security 5.4.0 and 5.5.0 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 174340.

Exposure of Resource to Wrong Sphere

IBM QRadar Network Security 5.4.0 and 5.5.0 transmits sensitive or security-critical data in cleartext in a communication channel

CVE-2020-4152 5.9 - Medium - November 08, 2021

IBM QRadar Network Security 5.4.0 and 5.5.0 transmits sensitive or security-critical data in cleartext in a communication channel that can be obtained using man in the middle techniques. IBM X-Force ID: 17467.

Cleartext Transmission of Sensitive Information

IBM MQ 9.1 LTS, 9.1 CD, 9.2 LTS, and 9.2CD is vulnerable to a denial of service attack caused by an issue processing message properties

CVE-2021-29843 6.5 - Medium - November 08, 2021

IBM MQ 9.1 LTS, 9.1 CD, 9.2 LTS, and 9.2CD is vulnerable to a denial of service attack caused by an issue processing message properties. IBM X-Force ID: 205203.

IBM Business Automation Workflow 18

CVE-2021-29753 5.9 - Medium - November 05, 2021

IBM Business Automation Workflow 18. 19, 20, 21, and IBM Business Process Manager 8.5 and d8.6 transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

Cleartext Transmission of Sensitive Information

IBM InfoSphere Information Server 11.7 could

CVE-2021-29875 7.5 - High - November 02, 2021

IBM InfoSphere Information Server 11.7 could allow an attacker to obtain sensitive information due to a insecure third party domain access vulnerability. IBM X-Force ID: 206572.

IBM Jazz Team Server products are vulnerable to cross-site scripting

CVE-2021-29673 5.4 - Medium - October 27, 2021

IBM Jazz Team Server products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 199482.

XSS

IBM Jazz Team Server products could allow an authenticated user to obtain elevated privileges under certain configurations

CVE-2021-29774 7.5 - High - October 27, 2021

IBM Jazz Team Server products could allow an authenticated user to obtain elevated privileges under certain configurations. IBM X-Force ID: 203025.

Improper Privilege Management

IBM Jazz Team Server products are vulnerable to cross-site scripting

CVE-2021-29713 5.4 - Medium - October 27, 2021

IBM Jazz Team Server products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

XSS

IBM Planning Analytics 2.0 could allow a remote attacker to obtain sensitive information, caused by the failure to set the HTTPOnly flag

CVE-2021-20526 5.3 - Medium - October 27, 2021

IBM Planning Analytics 2.0 could allow a remote attacker to obtain sensitive information, caused by the failure to set the HTTPOnly flag. A remote attacker could exploit this vulnerability to obtain sensitive information from the cookie. IBM X-Force ID: 198755.

Incorrect Permission Assignment for Critical Resource

IBM Jazz Team Server products stores user credentials in clear text which can be read by an authenticated user

CVE-2021-29786 6.5 - Medium - October 27, 2021

IBM Jazz Team Server products stores user credentials in clear text which can be read by an authenticated user. IBM X-Force ID: 203172.

Cleartext Storage of Sensitive Information

IBM i2 iBase 8.9.13 and 9.0.0 could allow a local attacker to obtain sensitive information due to insufficient session expiration

CVE-2021-29868 5.5 - Medium - October 27, 2021

IBM i2 iBase 8.9.13 and 9.0.0 could allow a local attacker to obtain sensitive information due to insufficient session expiration. IBM X-Force ID: 206213.

Insufficient Session Expiration

IBM Jazz Team Server products is vulnerable to server-side request forgery (SSRF)

CVE-2021-29844 8.8 - High - October 27, 2021

IBM Jazz Team Server products is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.

XSPA

IBM Business Automation Workflow 18.0, 19.0, 20.0, and 21.0 is vulnerable to cross-site scripting

CVE-2021-29835 6.1 - Medium - October 22, 2021

IBM Business Automation Workflow 18.0, 19.0, 20.0, and 21.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 204833.

XSS

IBM Flash System 900 could allow an authenticated attacker to obtain sensitive information

CVE-2021-29873 8.1 - High - October 21, 2021

IBM Flash System 900 could allow an authenticated attacker to obtain sensitive information and cause a denial of service due to a restricted shell escape vulnerability. IBM X-Force ID: 206229.

Exposure of Resource to Wrong Sphere

IBM Standards Processing Engine (IBM Transformation Extender Advanced 9.0 and 10.0) does not set the secure attribute on authorization tokens or session cookies

CVE-2021-29883 4.3 - Medium - October 21, 2021

IBM Standards Processing Engine (IBM Transformation Extender Advanced 9.0 and 10.0) does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. IBM X-Force ID: 207090.

AuthZ

IBM Business Automation Workflow 18.0, 19.0, 20.0, and 21.0 is vulnerable to cross-site scripting

CVE-2021-29878 5.4 - Medium - October 18, 2021

IBM Business Automation Workflow 18.0, 19.0, 20.0, and 21.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 206581.

XSS

IBM Cognos Analytics 11.1.7 and 11.2.0 contains locally cached browser data

CVE-2020-4951 3.3 - Low - October 15, 2021

IBM Cognos Analytics 11.1.7 and 11.2.0 contains locally cached browser data, that could allow a local attacker to obtain sensitive information.

Information Disclosure

IBM Cognos Analytics 11.1.7 and 11.2.0 is vulnerable to priviledge escalation where a lower evel user could have access to the 'New Job' page to

CVE-2021-29745 8.8 - High - October 15, 2021

IBM Cognos Analytics 11.1.7 and 11.2.0 is vulnerable to priviledge escalation where a lower evel user could have access to the 'New Job' page to which they should not have access to. IBM X-Force ID: 201695.

Improper Privilege Management

IBM Cognos Analytics 11.1.7 and 11.2.0 could allow an authenticated user to execute code remotely due to incorrectly neutralizaing user-contrlled input

CVE-2021-29679 8.8 - High - October 15, 2021

IBM Cognos Analytics 11.1.7 and 11.2.0 could allow an authenticated user to execute code remotely due to incorrectly neutralizaing user-contrlled input that could be interpreted a a server-side include (SSI) directive. IBM X-Force ID: 199915.

Code Injection

IBM Data Risk Manager (iDNA) 2.0.6 uses weaker than expected cryptographic algorithms

CVE-2021-38862 7.5 - High - October 12, 2021

IBM Data Risk Manager (iDNA) 2.0.6 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 207980.

Inadequate Encryption Strength

IBM Data Risk Manager 2.0.6 stores user credentials in plain clear text which can be read by an authenticated user

CVE-2021-38915 6.5 - Medium - October 12, 2021

IBM Data Risk Manager 2.0.6 stores user credentials in plain clear text which can be read by an authenticated user. IBM X-Force ID: 209947.

Cleartext Storage of Sensitive Information

IBM Sterling File Gateway 2.2.0.0 through 6.1.1.0 could

CVE-2020-4654 6.5 - Medium - October 08, 2021

IBM Sterling File Gateway 2.2.0.0 through 6.1.1.0 could allow an authenticated user to obtain sensitive information due to improper permission control. IBM X-Force ID: 186090.

AuthZ

IBM Sterling File Gateway User Interface 2.2.0.0 through 6.1.1.0 does not invalidate session after logout which could

CVE-2021-20473 6.5 - Medium - October 07, 2021

IBM Sterling File Gateway User Interface 2.2.0.0 through 6.1.1.0 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 196944.

Insufficient Session Expiration

IBM Sterling File Gateway 2.2.0.0 through 6.1.1.0 is vulnerable to cross-site scripting

CVE-2021-20481 6.1 - Medium - October 07, 2021

IBM Sterling File Gateway 2.2.0.0 through 6.1.1.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 197503.

XSS

IBM Sterling File Gateway 2.2.0.0 through 6.1.1.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user

CVE-2021-20489 8.8 - High - October 07, 2021

IBM Sterling File Gateway 2.2.0.0 through 6.1.1.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 197790.

Session Riding

IBM Sterling File Gateway 2.2.0.0 through 6.1.1.0 could

CVE-2021-20372 4.3 - Medium - October 07, 2021

IBM Sterling File Gateway 2.2.0.0 through 6.1.1.0 could allow a remote authenticated user to cause a denial of another user's service due to insufficient permission checking. IBM X-Force ID: 195518.

authentification

IBM Sterling File Gateway 2.2.0.0 through 6.1.1.0 could

CVE-2021-20375 6.5 - Medium - October 07, 2021

IBM Sterling File Gateway 2.2.0.0 through 6.1.1.0 could allow an authenticated user to intercept and replace a message sent by another user due to improper access controls. IBM X-Force ID: 195567.

authentification

IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 6.1.1.0 could allow an authneticated attacker to obtain sensitive information from configuration files

CVE-2021-29700 4.3 - Medium - October 07, 2021

IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 6.1.1.0 could allow an authneticated attacker to obtain sensitive information from configuration files that could aid in further attacks against the system. IBM X-Force ID: 200656.

Information Disclosure

IBM Sterling File Gateway 2.2.0.0 through 6.1.1.0 could

CVE-2021-20376 4.3 - Medium - October 07, 2021

IBM Sterling File Gateway 2.2.0.0 through 6.1.1.0 could allow an authenticated attacker to enumerate usernames due to there being an observable discrepancy in returned messages. IBM X-Force ID: 195568.

Information Disclosure

IBM Sterling File Gateway 2.2.0.0 through 6.1.1.0 could

CVE-2021-20584 7.5 - High - October 07, 2021

IBM Sterling File Gateway 2.2.0.0 through 6.1.1.0 could allow a remote attacker to upload arbitrary files, caused by improper access controls. IBM X-Force ID: 199397.

Unrestricted File Upload

IBM Sterling B2B Integrator 5.2.0.0 through 6.1.1.0 is vulnerable to stored cross-site scripting

CVE-2021-20571 5.4 - Medium - October 07, 2021

IBM Sterling B2B Integrator 5.2.0.0 through 6.1.1.0 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 199246.

XSS

IBM Sterling File Gateway 2.2.0.0 through 6.1.1.0 is vulnerable to cross-site scripting

CVE-2021-20561 6.1 - Medium - October 07, 2021

IBM Sterling File Gateway 2.2.0.0 through 6.1.1.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 199230.

XSS

IBM Sterling B2B Integrator Standard Edition 5.2.0

CVE-2021-38925 7.5 - High - October 06, 2021

IBM Sterling B2B Integrator Standard Edition 5.2.0. 0 through 6.1.1.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 210171.

Inadequate Encryption Strength

IBM Sterling B2B Integrator Standard Edition 5.2.6.0 through 6.1.1.0 is vulnerable to SQL injection

CVE-2021-29903 9.8 - Critical - October 06, 2021

IBM Sterling B2B Integrator Standard Edition 5.2.6.0 through 6.1.1.0 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 207506.

SQL Injection

IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 6.1.1.0 could

CVE-2021-29760 4.3 - Medium - October 06, 2021

IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 6.1.1.0 could allow an authenticated user to download unauthorized files through the dashboard user interface. IBM X-Force ID: 202213.

AuthZ

IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 6.1.1.0 could allow an authenticated user to obtain sensitive information from the dashboard

CVE-2021-29761 4.3 - Medium - October 06, 2021

IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 6.1.1.0 could allow an authenticated user to obtain sensitive information from the dashboard that they should not have access to. IBM X-Force ID: 202265.

Information Disclosure

IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 6.1.1.0 could allow an authenticated user to perform actions

CVE-2021-29758 4.3 - Medium - October 06, 2021

IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 6.1.1.0 could allow an authenticated user to perform actions that they should not be able to access due to improper access controls. IBM X-Force ID: 202169.

authentification

IBM Sterling B2B Integrator 5.2.0.0 through 6.1.1.0 is vulnerable to stored cross-site scripting

CVE-2021-29764 5.4 - Medium - October 06, 2021

IBM Sterling B2B Integrator 5.2.0.0 through 6.1.1.0 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 202268.

XSS

IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 6.1.1.0 is vulnerable to cross-site scripting

CVE-2021-29855 5.4 - Medium - October 06, 2021

IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 6.1.1.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 205684.

XSS

IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 6.1.1.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user

CVE-2021-29837 8.8 - High - October 06, 2021

IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 6.1.1.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 204913.

Session Riding

IBM Sterling B2B Integrator Standard Edition 5.2.0.0

CVE-2021-29836 5.4 - Medium - October 06, 2021

IBM Sterling B2B Integrator Standard Edition 5.2.0.0. through 6.1.1.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 204912.

XSS

IBM Sterling Order Management 9.4, 9.5, and 10.0 is vulnerable to cross-site scripting

CVE-2021-20554 6.1 - Medium - September 30, 2021

IBM Sterling Order Management 9.4, 9.5, and 10.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 199179.

XSS

IBM Business Automation Workflow 18.0.0.0

CVE-2021-29834 5.4 - Medium - September 29, 2021

IBM Business Automation Workflow 18.0.0.0, 18.0.0.1, 18.0.0.2, 19.0.0.1, 19.0.0.2, 19.0.0.3,20.0.0.1, 20.0.0.2, and 21.0.2 and IBM Business Process Manager 8.5 and 8.6 are vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 204832.

XSS

IBM Aspera Cloud is vulnerable to stored cross-site scripting

CVE-2021-38870 5.4 - Medium - September 23, 2021

IBM Aspera Cloud is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 208343.

XSS

IBM Security Guardium 11.3 contains hard-coded credentials, such as a password or cryptographic key

CVE-2020-4690 9.8 - Critical - September 23, 2021

IBM Security Guardium 11.3 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 186697.

Use of Hard-coded Credentials

IBM Security Verify Bridge 1.0.5.0 stores user credentials in plain clear text which can be read by a locally authenticated user

CVE-2021-38863 5.5 - Medium - September 23, 2021

IBM Security Verify Bridge 1.0.5.0 stores user credentials in plain clear text which can be read by a locally authenticated user. IBM X-Force ID: 208154.

Insufficiently Protected Credentials

IBM Security Verify Bridge 1.0.5.0 could allow a user to obtain sensitive information due to improper certificate validation

CVE-2021-38864 7.5 - High - September 23, 2021

IBM Security Verify Bridge 1.0.5.0 could allow a user to obtain sensitive information due to improper certificate validation. IBM X-Force ID: 208155.

Improper Certificate Validation

IBM Sterling File Gateway 2.2.0.0 through 6.1.0.3 is vulnerable to cross-site scripting

CVE-2021-20484 5.4 - Medium - September 23, 2021

IBM Sterling File Gateway 2.2.0.0 through 6.1.0.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 197666.

XSS

IBM Edge 4.2 allows web pages to be stored locally which can be read by another user on the system

CVE-2020-4809 3.3 - Low - September 23, 2021

IBM Edge 4.2 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 189633.

Insecure Storage of Sensitive Information

IBM Edge 4.2 allows web pages to be stored locally which can be read by another user on the system

CVE-2020-4803 3.3 - Low - September 23, 2021

IBM Edge 4.2 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 189535.

Insecure Storage of Sensitive Information

IBM Tivoli Netcool/OMNIbus_GUI and IBM Jazz for Service Management 1.1.3.10 is vulnerable to stored cross-site scripting

CVE-2021-29800 5.4 - Medium - September 23, 2021

IBM Tivoli Netcool/OMNIbus_GUI and IBM Jazz for Service Management 1.1.3.10 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

XSS

IBM Sterling File Gateway 2.2.0.0 through 6.1.0.3 could allow a remote authenciated user to obtain sensitive information

CVE-2021-20563 4.3 - Medium - September 23, 2021

IBM Sterling File Gateway 2.2.0.0 through 6.1.0.3 could allow a remote authenciated user to obtain sensitive information. By sending a specially crafted request, the user could disclose a valid filepath on the server which could be used in further attacks against the system. IBM X-Force ID: 199234.

Information Disclosure

IBM Sterling File Gateway 2.2.0.0 through 6.1.0.3 could

CVE-2021-20485 4.3 - Medium - September 23, 2021

IBM Sterling File Gateway 2.2.0.0 through 6.1.0.3 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 197667.

Generation of Error Message Containing Sensitive Information

IBM Security Verify Bridge 1.0.5.0 does not properly validate a certificate which could allow a local attacker to obtain sensitive information

CVE-2021-20435 5.5 - Medium - September 23, 2021

IBM Security Verify Bridge 1.0.5.0 does not properly validate a certificate which could allow a local attacker to obtain sensitive information that could aid in further attacks against the system. IBM X-Force ID: 196355.

Improper Certificate Validation

IBM Edge 4.2 could reveal sensitive version information about the server from error pages

CVE-2020-4941 4.3 - Medium - September 23, 2021

IBM Edge 4.2 could reveal sensitive version information about the server from error pages that could aid an attacker in further attacks against the system. IBM X-Force ID: 191941.

Generation of Error Message Containing Sensitive Information

IBM Security Guardium 11.3 could

CVE-2021-20377 2.7 - Low - September 23, 2021

IBM Security Guardium 11.3 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 195569.

Generation of Error Message Containing Sensitive Information

IBM Security Verify Bridge 1.0.5.0 stores user credentials in plain clear text which can be read by a local user

CVE-2021-20434 4.4 - Medium - September 23, 2021

IBM Security Verify Bridge 1.0.5.0 stores user credentials in plain clear text which can be read by a local user. IBM X-Force ID: 196346.

Insufficiently Protected Credentials