IBM

IBM API Connect V2018.4.1.0 through 2018.4.1.11 uses weaker than expected cryptographic algorithms

CVE-2020-4452 7.5 - High - June 29, 2020

IBM API Connect V2018.4.1.0 through 2018.4.1.11 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 181324.

Information Leak

IBM Maximo Asset Management 7.6.0.10 and 7.6.1.1 is vulnerable to cross-site scripting

CVE-2020-4223 5.4 - Medium - June 26, 2020

IBM Maximo Asset Management 7.6.0.10 and 7.6.1.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 175121.

XSS

IBM Maximo Asset Management 7.6.1.1 is vulnerable to SQL injection

CVE-2019-4650 6.3 - Medium - June 26, 2020

IBM Maximo Asset Management 7.6.1.1 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 170961.

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

IBM Spectrum Protect Plus 10.1.0 through 10.1.5 could

CVE-2020-4565 5.9 - Medium - June 26, 2020

IBM Spectrum Protect Plus 10.1.0 through 10.1.5 could allow an attacker to obtain sensitive information due to insecure communications being used between the application and server. IBM X-Force ID: 183935.

Information Leak

IBM Security Secret Server 10.7 could allow a remote attacker to hijack the clicking action of the victim

CVE-2020-4322 4.3 - Medium - June 24, 2020

IBM Security Secret Server 10.7 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. IBM X-Force ID: 177511.

1021

IBM Security Secret Server 10.7 is vulnerable to cross-site scripting

CVE-2020-4323 6.1 - Medium - June 24, 2020

IBM Security Secret Server 10.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 177514.

XSS

IBM Security Secret Server 10.7 could

CVE-2020-4327 5.3 - Medium - June 24, 2020

IBM Security Secret Server 10.7 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 177599.

Information Exposure Through an Error Message

IBM Security Secret Server 10.7 could

CVE-2020-4341 5.3 - Medium - June 24, 2020

IBM Security Secret Server 10.7 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 178181.

Information Exposure Through an Error Message

IBM Security Secret Server 10.7 could disclose sensitive information included in installation files to an unauthorized user

CVE-2020-4342 5.3 - Medium - June 24, 2020

IBM Security Secret Server 10.7 could disclose sensitive information included in installation files to an unauthorized user. IBM X-Force ID: 178182.

Information Leak

IBM Security Secret Server 10.7 could

CVE-2020-4413 5.9 - Medium - June 24, 2020

IBM Security Secret Server 10.7 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 179988.

Information Leak

IBM Security Guardium 10.6 and 11.1 may use insufficiently random numbers or values in a security context

CVE-2020-4188 5.3 - Medium - June 23, 2020

IBM Security Guardium 10.6 and 11.1 may use insufficiently random numbers or values in a security context that depends on unpredictable numbers. IBM X-Force ID: 174807.

Use of Insufficiently Random Values

IBM DOORS Next Generation (DNG/RRC) 6.0.2, 6.0.6, 6.0.6.1, and 7.0 is vulnerable to cross-site scripting

CVE-2020-4281 5.4 - Medium - June 19, 2020

IBM DOORS Next Generation (DNG/RRC) 6.0.2, 6.0.6, 6.0.6.1, and 7.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 176141.

XSS

IBM DOORS Next Generation (DNG/RRC) 6.0.2, 6.0.6, 6.0.6.1, and 7.0 is vulnerable to cross-site scripting

CVE-2020-4295 5.4 - Medium - June 19, 2020

IBM DOORS Next Generation (DNG/RRC) 6.0.2, 6.0.6, 6.0.6.1, and 7.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 176408.

XSS

IBM DOORS Next Generation (DNG/RRC) 6.0.2, 6.0.6, 6.0.6.1, and 7.0 is vulnerable to cross-site scripting

CVE-2020-4297 5.4 - Medium - June 19, 2020

IBM DOORS Next Generation (DNG/RRC) 6.0.2, 6.0.6, 6.0.6.1, and 7.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 176474.

XSS

IBM Business Automation Workflow and IBM Business Process Manager (IBM Business Process Manager Express 8.5.5, 8.5.6, 8.5.7, and 8.6) could

CVE-2020-4532 5.3 - Medium - June 17, 2020

IBM Business Automation Workflow and IBM Business Process Manager (IBM Business Process Manager Express 8.5.5, 8.5.6, 8.5.7, and 8.6) could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 182716.

Information Leak

IBM Spectrum Protect Plus 10.1.0 through 10.1.5 contains hard-coded credentials, such as a password or cryptographic key

CVE-2020-4216 9.8 - Critical - June 15, 2020

IBM Spectrum Protect Plus 10.1.0 through 10.1.5 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 175066.

Use of Hard-coded Credentials

IBM Spectrum Protect Plus 10.1.0 through 10.1.5 could allow a remote attacker to execute arbitrary code on the system

CVE-2020-4469 9.8 - Critical - June 15, 2020

IBM Spectrum Protect Plus 10.1.0 through 10.1.5 could allow a remote attacker to execute arbitrary code on the system. By using a specially crafted HTTP command, an attacker could exploit this vulnerability to execute arbitrary command on the system. This vulnerability is due to an incomplete fix for CVE-2020-4211. IBM X-Force ID: 181724.

Shell injection

IBM Spectrum Protect Plus 10.1.0 through 10.1.5 Administrative Console could

CVE-2020-4470 8 - High - June 15, 2020

IBM Spectrum Protect Plus 10.1.0 through 10.1.5 Administrative Console could allow an authenticated attacker to upload arbitrary files which could be execute arbitrary code on the vulnerable server. IBM X-Force ID: 181725.

Unrestricted File Upload

IBM Spectrum Protect Plus 10.1.0 through 10.1.5 could

CVE-2020-4471 6.5 - Medium - June 15, 2020

IBM Spectrum Protect Plus 10.1.0 through 10.1.5 could allow an unauthenticated attacker to cause a denial of service or hijack DNS sessions by send a specially crafted HTTP command to the remote server. IBM X-Force ID: 181726.

Improper Input Validation

IBM Spectrum Protect Plus 10.1.0 through 10.1.5 discloses highly sensitive information in plain text in the virgo log file

CVE-2020-4477 6.5 - Medium - June 15, 2020

IBM Spectrum Protect Plus 10.1.0 through 10.1.5 discloses highly sensitive information in plain text in the virgo log file which could be used in further attacks against the system. IBM X-Force ID: 181779.

Information Leak

IBM API Connect 5.0.0.0 through 5.0.8.8 is vulnerable to cross-site scripting

CVE-2020-4251 5.4 - Medium - June 12, 2020

IBM API Connect 5.0.0.0 through 5.0.8.8 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 175489.

XSS

IBM Maximo Asset Management 7.6.0 and 7.6.1 is vulnerable to server side request forgery (SSRF)

CVE-2020-4529 7.4 - High - June 08, 2020

IBM Maximo Asset Management 7.6.0 and 7.6.1 is vulnerable to server side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 182713.

XSPA

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 traditional could

CVE-2020-4449 7.5 - High - June 05, 2020

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 traditional could allow a remote attacker to obtain sensitive information with a specially-crafted sequence of serialized objects. IBM X-Force ID: 181230.

Information Leak

IBM WebSphere Application Server 8.5 and 9.0 traditional could

CVE-2020-4450 9.8 - Critical - June 05, 2020

IBM WebSphere Application Server 8.5 and 9.0 traditional could allow a remote attacker to execute arbitrary code on the system with a specially-crafted sequence of serialized objects. IBM X-Force ID: 181231.

Marshaling, Unmarshaling

IBM WebSphere Application Server Network Deployment 7.0, 8.0, 8.5, and 9.0 could

CVE-2020-4448 9.8 - Critical - June 05, 2020

IBM WebSphere Application Server Network Deployment 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to execute arbitrary code on the system with a specially-crafted sequence of serialized objects from untrusted sources. IBM X-Force ID: 181228.

Marshaling, Unmarshaling

IBM Security Guardium 10.6, 11.0, and 11.1 contains hard-coded credentials, such as a password or cryptographic key

CVE-2020-4190 6.7 - Medium - June 03, 2020

IBM Security Guardium 10.6, 11.0, and 11.1 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 174851.

Use of Hard-coded Credentials

IBM Planning Analytics Local 2.0 is vulnerable to cross-site scripting

CVE-2020-4360 5.4 - Medium - June 02, 2020

IBM Planning Analytics Local 2.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 178765.

XSS

IBM Planning Analytics Local 2.0 is vulnerable to cross-site scripting

CVE-2020-4366 6.1 - Medium - June 02, 2020

IBM Planning Analytics Local 2.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 178965.

XSS

IBM Planning Analytics Local 2.0 uses weaker than expected cryptographic algorithms

CVE-2020-4367 7.5 - High - June 02, 2020

IBM Planning Analytics Local 2.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 179001.

Use of a Broken or Risky Cryptographic Algorithm

IBM Planning Analytics Local 2.0 is vulnerable to cross-site scripting

CVE-2020-4431 5.4 - Medium - June 02, 2020

IBM Planning Analytics Local 2.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 180761.

XSS

IBM Planning Analytics Local 2.0 is vulnerable to cross-site scripting

CVE-2020-4503 6.1 - Medium - June 02, 2020

IBM Planning Analytics Local 2.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 182283.

XSS

IBM Business Automation Workflow 18 and 19, and IBM Business Process Manager 8.0, 8.5, and 8.6 could

CVE-2020-4490 6.1 - Medium - May 29, 2020

IBM Business Automation Workflow 18 and 19, and IBM Business Process Manager 8.0, 8.5, and 8.6 could allow a remote attacker to bypass security restrictions, caused by a reverse tabnabbing flaw. An attacker could exploit this vulnerability and redirect a vitcim to a phishing site. IBM X-Force ID: 181989

IBM Planning Analytics Local 2.0.0 through 2.0.9 is vulnerable to cross-site scripting

CVE-2020-4306 5.4 - Medium - May 29, 2020

IBM Planning Analytics Local 2.0.0 through 2.0.9 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 176735.

XSS

IBM Security Identity Governance and Intelligence 5.2.6 could

CVE-2020-4248 2.7 - Low - May 28, 2020

IBM Security Identity Governance and Intelligence 5.2.6 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 175484.

Information Leak

IBM Jazz Reporting Service 6.0.6, 6.0.6.1, and 7.0 is vulnerable to cross-site scripting

CVE-2020-4419 5.4 - Medium - May 28, 2020

IBM Jazz Reporting Service 6.0.6, 6.0.6.1, and 7.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 180071.

XSS

IBM Security Identity Governance and Intelligence 5.2.6 could

CVE-2020-4232 7.5 - High - May 28, 2020

IBM Security Identity Governance and Intelligence 5.2.6 could allow an attacker to enumerate usernames to find valid login credentials which could be used to attempt further attacks against the system. IBM X-Force ID: 175336.

Insufficiently Protected Credentials

IBM Security Identity Governance and Intelligence 5.2.6 could

CVE-2020-4244 5.3 - Medium - May 28, 2020

IBM Security Identity Governance and Intelligence 5.2.6 could allow an unauthorized user to obtain sensitive information through user enumeration. IBM X-Force ID: 175422.

Information Leak

IBM Security Identity Governance and Intelligence 5.2.6 does not require

CVE-2020-4245 7.5 - High - May 28, 2020

IBM Security Identity Governance and Intelligence 5.2.6 does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts. IBM X-Force ID: 175423.

Weak Password Requirements

IBM Security Identity Governance and Intelligence 5.2.6 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data

CVE-2020-4246 7.1 - High - May 28, 2020

IBM Security Identity Governance and Intelligence 5.2.6 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 175481.

XXE

IBM Security Identity Governance and Intelligence 5.2.6 could disclose highly sensitive information to other authenticated users on the sytem due to incorrect authorization

CVE-2020-4249 6.5 - Medium - May 28, 2020

IBM Security Identity Governance and Intelligence 5.2.6 could disclose highly sensitive information to other authenticated users on the sytem due to incorrect authorization. IBM X-Force ID: 175485.

Information Leak

IBM Security Identity Governance and Intelligence 5.2.6 could

CVE-2020-4231 6.5 - Medium - May 28, 2020

IBM Security Identity Governance and Intelligence 5.2.6 could allow an authenticated user to perform unauthorized commands due to hazardous input validation. IBM X-Force ID: 175335.

Improper Input Validation

IBM Security Identity Governance and Intelligence 5.2.6 could

CVE-2020-4233 5.3 - Medium - May 28, 2020

IBM Security Identity Governance and Intelligence 5.2.6 could allow a remote attacker to obtain sensitive information, caused by the failure to set the secure flag for the session cookie in SSL mode. By intercepting its transmission within an HTTP session, an attacker could exploit this vulnerability to capture the cookie and obtain sensitive information. IBM X-Force ID: 175360.

Information Leak

IBM Spectrum Scale 5.0.0.0 through 5.0.4.4 uses weaker than expected cryptographic algorithms

CVE-2020-4350 7.5 - High - May 27, 2020

IBM Spectrum Scale 5.0.0.0 through 5.0.4.4 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 178424.

Use of a Broken or Risky Cryptographic Algorithm

IBM Spectrum Scale 5.0.0.0 through 5.0.4.4 could

CVE-2020-4357 4.3 - Medium - May 27, 2020

IBM Spectrum Scale 5.0.0.0 through 5.0.4.4 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 178761.

Information Leak

IBM Spectrum Scale 5.0.0.0 through 5.0.4.4 could

CVE-2020-4378 4.9 - Medium - May 27, 2020

IBM Spectrum Scale 5.0.0.0 through 5.0.4.4 could allow a privileged authenticated user to perform unauthorized actions using a specially crated HTTP POST command. IBM X-Force ID: 179157.

IBM Spectrum Scale 5.0.0.0 through 5.0.4.4 uses weaker than expected cryptographic algorithms

CVE-2020-4379 7.5 - High - May 27, 2020

IBM Spectrum Scale 5.0.0.0 through 5.0.4.4 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 179158.

Use of a Broken or Risky Cryptographic Algorithm

IBM Spectrum Scale 5.0.0.0 through 5.0.4.4 uses weaker than expected cryptographic algorithms

CVE-2020-4349 7.5 - High - May 27, 2020

IBM Spectrum Scale 5.0.0.0 through 5.0.4.4 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 178423.

Use of a Broken or Risky Cryptographic Algorithm

IBM Spectrum Scale 5.0.0.0 through 5.0.4.4 is vulnerable to cross-site scripting

CVE-2020-4358 5.4 - Medium - May 27, 2020

IBM Spectrum Scale 5.0.0.0 through 5.0.4.4 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 178762.

XSS

IBM Spectrum Scale 4.2.0.0 through 4.2.3.21 and 5.0.0.0 through 5.0.4.4 could

CVE-2020-4348 6.5 - Medium - May 27, 2020

IBM Spectrum Scale 4.2.0.0 through 4.2.3.21 and 5.0.0.0 through 5.0.4.4 could allow an authenticated GUI user to perform unauthorized actions due to missing function level access control. IBM X-Force ID: 178414

AuthZ

IBM InfoSphere Information Server 11.3, 11.5, and 11.7 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user

CVE-2020-4286 6.5 - Medium - May 19, 2020

IBM InfoSphere Information Server 11.3, 11.5, and 11.7 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 176268.

352

IBM InfoSphere Information Server 11.3, 11.5, and 11.7 is vulnerable to cross-site scripting

CVE-2020-4298 5.4 - Medium - May 19, 2020

IBM InfoSphere Information Server 11.3, 11.5, and 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 176475.

XSS

IBM i 7.2, 7.3, and 7.4 users running complex SQL statements under a specific set of circumstances may allow a local user to obtain sensitive information

CVE-2020-4345 3.3 - Low - May 17, 2020

IBM i 7.2, 7.3, and 7.4 users running complex SQL statements under a specific set of circumstances may allow a local user to obtain sensitive information that they should not have access to. IBM X-Force ID: 178318.

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

IBM Sterling B2B Integrator Standard Edition 5.2.0.0 trough 6.0.3.1 could

CVE-2020-4312 4.3 - Medium - May 13, 2020

IBM Sterling B2B Integrator Standard Edition 5.2.0.0 trough 6.0.3.1 could allow an authenticated user to obtain sensitive information from a cached web page. IBM X-Force ID: 177089.

Information Leak

IBM API Connect V2018.4.1.0 through 2018.4.1.10 could allow a remote attacker to hijack the clicking action of the victim

CVE-2020-4195 5.4 - Medium - May 12, 2020

IBM API Connect V2018.4.1.0 through 2018.4.1.10 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. IBM X-Force ID: 174859.

1021

IBM API Connect's V2018.4.1.0 through 2018.4.1.10 management server has an unsecured api

CVE-2020-4346 5.3 - Medium - May 12, 2020

IBM API Connect's V2018.4.1.0 through 2018.4.1.10 management server has an unsecured api which can be exploited by an unauthenticated attacker to obtain sensitive information. IBM X-Force ID: 178322.

Information Leak

IBM Maximo Asset Management 7.6.0, and 7.6.1 could allow an authenticated user to obtain highly sensitive information

CVE-2019-4478 6.5 - Medium - May 12, 2020

IBM Maximo Asset Management 7.6.0, and 7.6.1 could allow an authenticated user to obtain highly sensitive information that they should not normally have access to. IBM X-Force ID: 163998.

Information Leak

IBM UrbanCode Deploy (UCD) 7.0.5.2 could

CVE-2019-4667 5.9 - Medium - May 11, 2020

IBM UrbanCode Deploy (UCD) 7.0.5.2 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 171249.

Information Leak

IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, and 2.0.6 could

CVE-2020-4427 9.8 - Critical - May 07, 2020

IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, and 2.0.6 could allow a remote attacker to bypass security restrictions when configured with SAML authentication. By sending a specially crafted HTTP request, an attacker could exploit this vulnerability to bypass the authentication process and gain full administrative access to the system. IBM X-Force ID: 180532.

authentification

IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, and 2.0.4 could

CVE-2020-4428 9.1 - Critical - May 07, 2020

IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, and 2.0.4 could allow a remote authenticated attacker to execute arbitrary commands on the system. IBM X-Force ID: 180533.

Shell injection

IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, and 2.0.6 contains a default password for an IDRM administrative account

CVE-2020-4429 9.8 - Critical - May 07, 2020

IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, and 2.0.6 contains a default password for an IDRM administrative account. A remote attacker could exploit this vulnerability to login and execute arbitrary code on the system with root privileges. IBM X-Force ID: 180534.

Use of Hard-coded Credentials

IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, and 2.0.4 could allow a remote authenticated attacker to traverse directories on the system

CVE-2020-4430 4.3 - Medium - May 07, 2020

IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, and 2.0.4 could allow a remote authenticated attacker to traverse directories on the system. An attacker could send a specially-crafted URL request to download arbitrary files from the system. IBM X-Force ID: 180535.

Directory traversal

IBM Business Process Manager 8.0, 8.5, and 8.6 and IBM Business Automation Workflow 18.0 and 19.0 could

CVE-2020-4446 4.3 - Medium - May 06, 2020

IBM Business Process Manager 8.0, 8.5, and 8.6 and IBM Business Automation Workflow 18.0 and 19.0 could allow a remote attacker to bypass security restrictions, caused by the failure to perform insufficient authorization checks. IBM X-Force ID: 181126.

AuthZ

IBM InfoSphere Information Server 11.3, 11.5, and 11.7 is vulnerable to cross-site scripting

CVE-2020-4384 5.4 - Medium - May 06, 2020

IBM InfoSphere Information Server 11.3, 11.5, and 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 179265.

XSS

IBM Maximo Anywhere 7.6.2.0, 7.6.2.1, 7.6.3.0, and 7.6.3.1 does not have device jailbreak detection

CVE-2019-4266 2.4 - Low - May 06, 2020

IBM Maximo Anywhere 7.6.2.0, 7.6.2.1, 7.6.3.0, and 7.6.3.1 does not have device jailbreak detection which could result in an attacker gaining sensitive information about the device. IBM X-Force ID: 160199.

Improper Privilege Management

IBM WebSphere Application Liberty 19.0.0.5 through 20.0.0.4 could

CVE-2020-4421 5.4 - Medium - May 06, 2020

IBM WebSphere Application Liberty 19.0.0.5 through 20.0.0.4 could allow an authenticated user using openidconnect to spoof another users identify. IBM X-Force ID: 180084.

authentification

IBM Maximo Anywhere 7.6.2.0

CVE-2019-4286 4.3 - Medium - April 29, 2020

IBM Maximo Anywhere 7.6.2.0, 7.6.2.1, 7.6.3.0, and 7.6.3.1 could disclose highly senstiive user information to an authenticated user with physical access to the device. IBM X-Force ID: 160514.

Information Leak

IBM Maximo Anywhere 7.6.2.0

CVE-2019-4288 4.3 - Medium - April 29, 2020

IBM Maximo Anywhere 7.6.2.0, 7.6.2.1, 7.6.3.0, and 7.6.3.1 could disclose highly senstiive user information to an authenticated user with physical access to the device. IBM X-Force ID: 160631.

Information Leak

IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 20.0.0.4 could

CVE-2020-4329 4.3 - Medium - April 28, 2020

IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 20.0.0.4 could allow a remote, authenticated attacker to obtain sensitive information, caused by improper parameter checking. This could be exploited to conduct spoofing attacks. IBM X-Force ID: 177841.

Information Leak

IBM Cognos Analytics 11.0 and 11.1 could

CVE-2019-4729 4.3 - Medium - April 27, 2020

IBM Cognos Analytics 11.0 and 11.1 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 172519.

Information Leak

IBM Cloud App Management 2019.3.0 and 2019.4.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user

CVE-2019-4750 8.8 - High - April 24, 2020

IBM Cloud App Management 2019.3.0 and 2019.4.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 173310.

352

IBM Cloud App Management 2019.3.0 and 2019.4.0 reveals a stack trace on certain API requests which can

CVE-2019-4751 5.3 - Medium - April 24, 2020

IBM Cloud App Management 2019.3.0 and 2019.4.0 reveals a stack trace on certain API requests which can allow an attacker further information about the implementation of the offering. IBM X-Force ID: 173311.

Information Leak

IBM MQ and MQ Appliance 8.0, 9.1 LTS, and 9.1 CD could allow an authenticated user cause a denial of service due to a memory leak

CVE-2020-4267 6.5 - Medium - April 24, 2020

IBM MQ and MQ Appliance 8.0, 9.1 LTS, and 9.1 CD could allow an authenticated user cause a denial of service due to a memory leak. IBM X-Force ID: 175840.

Missing Release of Resource after Effective Lifetime

IBM MaaS360 6.82 could

CVE-2020-4353 4.6 - Medium - April 23, 2020

IBM MaaS360 6.82 could allow a user with pysical access to the device to crash the application which may enable the user to access restricted applications and device settings. IBM X-Force ID: 178505.

Improper Input Validation

IBM Spectrum Protect 7.1 and 8.1 server is vulnerable to a stack-based buffer overflow, caused by improper bounds checking

CVE-2020-4415 9.8 - Critical - April 23, 2020

IBM Spectrum Protect 7.1 and 8.1 server is vulnerable to a stack-based buffer overflow, caused by improper bounds checking. This could allow a remote attacker to execute arbitrary code on the system with the privileges of an administrator or user associated with the Spectrum Protect server or cause the Spectrum Protect server to crash. IBM X-Force ID: 179990.

Out-of-bounds Write

IBM Tivoli Monitoring 6.3.0 could allow a local attacker to execute arbitrary code on the system

CVE-2020-4311 7 - High - April 23, 2020

IBM Tivoli Monitoring 6.3.0 could allow a local attacker to execute arbitrary code on the system. By placing a specially crafted file, an attacker could exploit this vulnerability to load other DLL files located in the same directory and execute arbitrary code on the system. IBM X-Force ID: 177083.

Incorrect Permission Assignment for Critical Resource

IBM UrbanCode Deploy (UCD) 7.0.3.0 and 7.0.4.0 could

CVE-2020-4202 8.8 - High - April 23, 2020

IBM UrbanCode Deploy (UCD) 7.0.3.0 and 7.0.4.0 could allow an authenticated user to impersonate another user if the server is configured to enable Distributed Front End (DFE). IBM X-Force ID: 174955.

Improper Privilege Management

IBM UrbanCode Deploy (UCD) 7.0.4.0 stores user credentials in plain in clear text which can be read by a local user

CVE-2019-4668 5.5 - Medium - April 23, 2020

IBM UrbanCode Deploy (UCD) 7.0.4.0 stores user credentials in plain in clear text which can be read by a local user. IBM X-Force ID: 171250.

Insufficiently Protected Credentials

IBM Maximo Asset Management 7.6 could

CVE-2019-4446 5.4 - Medium - April 17, 2020

IBM Maximo Asset Management 7.6 could allow an authenticated user perform actions they are not authorized to by modifying request parameters. IBM X-Force ID: 163490.

AuthZ

IBM Maximo Asset Management 7.6 is vulnerable to cross-site scripting

CVE-2019-4644 6.1 - Medium - April 17, 2020

IBM Maximo Asset Management 7.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 170880.

XSS

IBM Maximo Asset Management 7.6 is vulnerable to cross-site scripting

CVE-2019-4749 5.4 - Medium - April 17, 2020

IBM Maximo Asset Management 7.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 173308.

XSS

IBM TRIRIGA Application Platform 3.5.3 and 3.6.1 discloses sensitive information in error messages

CVE-2020-4277 7.5 - High - April 17, 2020

IBM TRIRIGA Application Platform 3.5.3 and 3.6.1 discloses sensitive information in error messages that could aid an attacker formulate future attacks. IBM X-Force ID: 175993.

Information Leak

IBM InfoSphere Information Server 11.3

CVE-2020-4347 7.3 - High - April 16, 2020

IBM InfoSphere Information Server 11.3, 11.5, and 11.7 could be subject to attacks based on privilege escalation due to inappropriate file permissions for files used by WebSphere Application Server Network Deployment. IBM X-Force ID: 178412.

Improper Privilege Management

IBM MQ 9.1.4 could allow a local attacker to obtain sensitive information by inclusion of sensitive data within runmqras data

CVE-2020-4338 5.5 - Medium - April 16, 2020

IBM MQ 9.1.4 could allow a local attacker to obtain sensitive information by inclusion of sensitive data within runmqras data. IBM X-Force ID: 177937.

Information Leak

IBM MQ 9.0 and 9.1 is vulnerable to a denial of service attack due to an error in the Channel processing function

CVE-2019-4762 7.5 - High - April 16, 2020

IBM MQ 9.0 and 9.1 is vulnerable to a denial of service attack due to an error in the Channel processing function. IBM X-Force ID: 173625.

IBM UrbanCode Deploy (UCD) 7.0.5 could allow a user with special permissions to obtain sensitive information via generic processes

CVE-2020-4260 4.3 - Medium - April 16, 2020

IBM UrbanCode Deploy (UCD) 7.0.5 could allow a user with special permissions to obtain sensitive information via generic processes. IBM X-Force ID: 175639.

Information Leak

IBM QRadar SIEM 7.3.0 through 7.3.3 could allow an authenticated attacker to perform unauthorized actions due to improper input validation

CVE-2020-4151 6.5 - Medium - April 14, 2020

IBM QRadar SIEM 7.3.0 through 7.3.3 could allow an authenticated attacker to perform unauthorized actions due to improper input validation. IBM X-Force ID: 174201.

AuthZ

IBM WebSphere Application Server 7.0

CVE-2020-4362 8.8 - High - April 10, 2020

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 traditional is vulnerable to a privilege escalation vulnerability when using token-based authentication in an admin request over the SOAP connector. IBM X-Force ID: 178929.

Improper Privilege Management

IBM DOORS Next Generation (DNG/RRC) 6.0.2

CVE-2020-4252 5.4 - Medium - April 08, 2020

IBM DOORS Next Generation (DNG/RRC) 6.0.2. 6.0.6, and 6.0.61 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 175490.

XSS

IBM DOORS Next Generation (DNG/RRC) 6.0.2

CVE-2019-4737 5.4 - Medium - April 08, 2020

IBM DOORS Next Generation (DNG/RRC) 6.0.2. 6.0.6, and 6.0.61 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 172707.

XSS

IBM DOORS Next Generation (DNG/RRC) 6.0.2

CVE-2019-4740 5.4 - Medium - April 08, 2020

IBM DOORS Next Generation (DNG/RRC) 6.0.2. 6.0.6, and 6.0.61 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 172808.

XSS

IBM DOORS Next Generation (DNG/RRC) 6.0.2

CVE-2019-4746 5.4 - Medium - April 08, 2020

IBM DOORS Next Generation (DNG/RRC) 6.0.2. 6.0.6, and 6.0.61 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 172885.

XSS

IBM Quality Manager (RQM) 6.02, 6.06, and 6.0.6.1 could allow an authenticated user to obtain sensitive information from a stack trace

CVE-2019-4601 4.3 - Medium - April 08, 2020

IBM Quality Manager (RQM) 6.02, 6.06, and 6.0.6.1 could allow an authenticated user to obtain sensitive information from a stack trace that could aid in further attacks against the system.

Information Leak

IBM Quality Manager (RQM) 6.02, 6.06, and 6.0.6.1 is vulnerable to cross-site scripting

CVE-2019-4602 5.4 - Medium - April 08, 2020

IBM Quality Manager (RQM) 6.02, 6.06, and 6.0.6.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 168293.

XSS

IBM Quality Manager (RQM) 6.02, 6.06, and 6.0.6.1 could

CVE-2019-4603 4.3 - Medium - April 08, 2020

IBM Quality Manager (RQM) 6.02, 6.06, and 6.0.6.1 could allow an authenticated user to create keywords through the REST API and have them appear as if they were created by another user. IBM X-Force ID: 168295.

Incorrect Permission Assignment for Critical Resource

IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, and 1.0.5 could expose sensitive information

CVE-2020-4164 2.7 - Low - April 08, 2020

IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, and 1.0.5 could expose sensitive information from applicatino errors which could be used in further attacks against the system. IBM X-Force ID: 174400.

Information Leak

IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, and 1.0.5 could

CVE-2020-4282 4.3 - Medium - April 08, 2020

IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, and 1.0.5 could allow an authenticated user to perform unauthorized actions by bypassing illegal character restrictions. X-Force ID: 176205.

authentification

IBM Security Information Queue (ISIQ) 1.0.0

CVE-2020-4284 5.3 - Medium - April 08, 2020

IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, and 1.0.5 could disclose sensitive information to an unauthorized user due to insufficient timeout functionality in the Web UI. IBM X-Force ID: 176207.

Information Leak

IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, and 1.0.5 could

CVE-2020-4289 5.3 - Medium - April 08, 2020

IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, and 1.0.5 could allow a remote attacker to obtain sensitive information, caused by the failure to set the HTTPOnly flag. A remote attacker could exploit this vulnerability to obtain sensitive information from the cookie. IBM X-Force ID: 176332.

Information Leak

IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, and 1.0.5 could

CVE-2020-4290 5.4 - Medium - April 08, 2020

IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, and 1.0.5 could allow any authenticated user to spoof the configuration owner of any other user which disclose sensitive information or allow for unauthorized access. IBM X-Force ID: 176333.

Authentication Bypass by Spoofing

IBM Security Information Queue (ISIQ) 1.0.0

CVE-2020-4291 4.3 - Medium - April 08, 2020

IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, and 1.0.5 could disclose sensitive information to an unauthorized user due to insufficient timeout functionality in the Web UI. IBM X-Force ID: 176334.

384