IBM

IBM DataPower Gateway 10.0.3.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.9, 2018.4.1.0 through 2018.4.1.22, and 10.5.0.0 through 10.5.0.2 does not invalidate session after a password change which could

CVE-2022-40228 5.4 - Medium - November 22, 2022

IBM DataPower Gateway 10.0.3.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.9, 2018.4.1.0 through 2018.4.1.22, and 10.5.0.0 through 10.5.0.2 does not invalidate session after a password change which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 235527.

Insufficient Session Expiration

IBM UrbanCode Deploy (UCD) 6.2.7.0 through 6.2.7.17, 7.0.0.0 through 7.0.5.12, 7.1.0.0 through 7.1.2.8, and 7.2.0.0 through 7.2.3.1 could

CVE-2022-40751 4.9 - Medium - November 17, 2022

IBM UrbanCode Deploy (UCD) 6.2.7.0 through 6.2.7.17, 7.0.0.0 through 7.0.5.12, 7.1.0.0 through 7.1.2.8, and 7.2.0.0 through 7.2.3.1 could allow a user with administrative privileges including "Manage Security" permissions may be able to recover a credential previously saved for performing authenticated LDAP searches. IBM X-Force ID: 236601.

Insufficiently Protected Credentials

Multiple IBM Business Automation Workflow versions are vulnerable to cross-site scripting

CVE-2022-38390 5.4 - Medium - November 17, 2022

Multiple IBM Business Automation Workflow versions are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 233978.

XSS

IBM CICS TX 11.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information

CVE-2022-34320 7.5 - High - November 14, 2022

IBM CICS TX 11.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 229464.

Use of a Broken or Risky Cryptographic Algorithm

IBM CICS TX 11.1 is vulnerable to cross-site scripting

CVE-2022-34317 5.4 - Medium - November 14, 2022

IBM CICS TX 11.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 229459.

XSS

IBM CICS TX 11.1 is vulnerable to cross-site scripting

CVE-2022-34315 5.4 - Medium - November 14, 2022

IBM CICS TX 11.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 229451.

XSS

IBM CICS TX 11.1 does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers

CVE-2022-34316 5.3 - Medium - November 14, 2022

IBM CICS TX 11.1 does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers. IBM X-Force ID: 229452.

Output Sanitization

IBM CICS TX 11.1 could disclose sensitive information to a local user due to insecure permission settings

CVE-2022-34314 3.3 - Low - November 14, 2022

IBM CICS TX 11.1 could disclose sensitive information to a local user due to insecure permission settings. IBM X-Force ID: 229450.

Incorrect Permission Assignment for Critical Resource

IBM CICS TX 11.7 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information

CVE-2022-34319 7.5 - High - November 14, 2022

IBM CICS TX 11.7 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 229463.

Use of a Broken or Risky Cryptographic Algorithm

IBM CICS TX 11.7 could allow an attacker to obtain sensitive information from HTTP response headers

CVE-2022-34329 5.3 - Medium - November 14, 2022

IBM CICS TX 11.7 could allow an attacker to obtain sensitive information from HTTP response headers. IBM X-Force ID: 229467.

IBM CICS TX 11.1 Standard and Advanced could allow a remote attacker to bypass security restrictions, caused by a reverse tabnabbing flaw

CVE-2022-38705 6.1 - Medium - November 14, 2022

IBM CICS TX 11.1 Standard and Advanced could allow a remote attacker to bypass security restrictions, caused by a reverse tabnabbing flaw. An attacker could exploit this vulnerability and redirect a victim to a phishing site. IBM X-Force ID: 234172.

IBM CICS TX 11.1 does not set the secure attribute on authorization tokens or session cookies

CVE-2022-34313 3.1 - Low - November 14, 2022

IBM CICS TX 11.1 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. X-Force ID: 229449.

IBM CICS TX 11.1 allows web pages to be stored locally which can be read by another user on the system

CVE-2022-34312 3.3 - Low - November 14, 2022

IBM CICS TX 11.1 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 229447.

Insecure Storage of Sensitive Information

IBM MQ Internet Pass-Thru 2.1, 9.2 LTS and 9.2 CD stores potentially sensitive information in trace files

CVE-2022-35719 5.5 - Medium - November 14, 2022

IBM MQ Internet Pass-Thru 2.1, 9.2 LTS and 9.2 CD stores potentially sensitive information in trace files that could be read by a local user.

Insertion of Sensitive Information into Log File

After performing a sequence of Power FW950, FW1010 maintenance operations a SRIOV network adapter

CVE-2022-34331 9.8 - Critical - November 11, 2022

After performing a sequence of Power FW950, FW1010 maintenance operations a SRIOV network adapter can be improperly configured leading to desired VEPA configuration being disabled. IBM X-Force ID: 229695.

authentification

"IBM Business Automation Workflow 18.0.0.0, 18.0.0.1, 18.0.0.2, 19.0.0.1, 19.0.0.2, 19.0.0.3, 20.0.0.1, 20.0.0.2, 21.0.2, 21.0.3, and 22.0.1 could disclose sensitive version information to authenticated users

CVE-2022-35279 4.3 - Medium - November 03, 2022

"IBM Business Automation Workflow 18.0.0.0, 18.0.0.1, 18.0.0.2, 19.0.0.1, 19.0.0.2, 19.0.0.3, 20.0.0.1, 20.0.0.2, 21.0.2, 21.0.3, and 22.0.1 could disclose sensitive version information to authenticated users which could be used in further attacks against the system. IBM X-Force ID: 230537."

Cleartext Storage of Sensitive Information

"IBM MQ Appliance 9.2 CD, 9.2 LTS, 9.3 CD, and LTS 9.3 does not invalidate session after logout which could

CVE-2022-40230 6.5 - Medium - November 03, 2022

"IBM MQ Appliance 9.2 CD, 9.2 LTS, 9.3 CD, and LTS 9.3 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 235532."

Insufficient Session Expiration

"IBM Robotic Process Automation 21.0.1, 21.0.2, 21.0.3, 21.0.4, and 21.0.5 is vulnerable to incorrect permission assignment which could

CVE-2022-43574 7.5 - High - November 03, 2022

"IBM Robotic Process Automation 21.0.1, 21.0.2, 21.0.3, 21.0.4, and 21.0.5 is vulnerable to incorrect permission assignment which could allow access to application configurations. IBM X-Force ID: 238679."

Incorrect Default Permissions

"IBM Cognos Analytics 11.2.1, 11.2.0, 11.1.7 stores user credentials in plain clear text which can be read by an authenticated user

CVE-2022-34339 6.5 - Medium - November 03, 2022

"IBM Cognos Analytics 11.2.1, 11.2.0, 11.1.7 stores user credentials in plain clear text which can be read by an authenticated user. IBM X-Force ID: 229963."

Cleartext Storage of Sensitive Information

IBM Security Guardium 10.5, 10.6, 11.0, 11.1, 11.2, 11.3, and 11.4 stores user credentials in plain clear text

CVE-2021-39077 4.4 - Medium - November 03, 2022

IBM Security Guardium 10.5, 10.6, 11.0, 11.1, 11.2, 11.3, and 11.4 stores user credentials in plain clear text which can be read by a local privileged user. IBM X-Force ID: 215587.

Cleartext Storage of Sensitive Information

IBM Navigator Mobile Android 3.4.1.1 and 3.4.1.2 app could

CVE-2022-38388 5.5 - Medium - October 11, 2022

IBM Navigator Mobile Android 3.4.1.1 and 3.4.1.2 app could allow a local user to obtain sensitive information due to improper access control. IBM X-Force ID: 233968.

AuthZ

IBM Sterling Partner Engagement Manager 2.0 does not invalidate session after logout which could

CVE-2022-34334 6.5 - Medium - October 10, 2022

IBM Sterling Partner Engagement Manager 2.0 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 229704.

Session Fixation

IBM Robotic Process Automation 21.0.0

CVE-2022-36774 5.3 - Medium - October 06, 2022

IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 is vulnerable to man in the middle attacks through manipulation of the client proxy configuration. IBM X-Force ID: 233575.

authentification

IBM Robotic Process Automation 21.0.1, 21.0.2, and 21.0.3 for Cloud Pak is vulnerable to cross-site scripting

CVE-2022-38709 6.1 - Medium - October 06, 2022

IBM Robotic Process Automation 21.0.1, 21.0.2, and 21.0.3 for Cloud Pak is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 234291.

XSS

IBM Robotic Process Automation 21.0.0, 21.0.1, 21.0.2, 21.0.3, and 21.0.4 is vulnerable to cross origin resource sharing using the bot api

CVE-2022-41294 6.5 - Medium - October 06, 2022

IBM Robotic Process Automation 21.0.0, 21.0.1, 21.0.2, 21.0.3, and 21.0.4 is vulnerable to cross origin resource sharing using the bot api. IBM X-Force ID: 236807.

Origin Validation Error

IBM Robotic Process Automation 21.0.0 could allow a remote attacker to hijack the clicking action of the victim

CVE-2022-22503 6.1 - Medium - October 06, 2022

IBM Robotic Process Automation 21.0.0 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. IBM X-Force ID: 227125.

Clickjacking

IBM Robotic Process Automation Clients are vulnerable to proxy credentials being exposed in upgrade logs

CVE-2022-39168 7.5 - High - September 29, 2022

IBM Robotic Process Automation Clients are vulnerable to proxy credentials being exposed in upgrade logs. IBM X-Force ID: 235422.

Insufficiently Protected Credentials

IBM Java Security Components in IBM SDK, Java Technology Edition 8 before SR1 FP10, 7 R1 before SR3 FP10, 7 before SR9 FP10, 6 R1 before SR8 FP7, 6 before SR16 FP7, and 5.0 before SR16 FP13 stores plaintext information in memory dumps, which

CVE-2015-1931 5.5 - Medium - September 29, 2022

IBM Java Security Components in IBM SDK, Java Technology Edition 8 before SR1 FP10, 7 R1 before SR3 FP10, 7 before SR9 FP10, 6 R1 before SR8 FP7, 6 before SR16 FP7, and 5.0 before SR16 FP13 stores plaintext information in memory dumps, which allows local users to obtain sensitive information by reading a file.

Cleartext Storage of Sensitive Information

IBM Rational Asset Manager 7.5 could allow a remote attacker to bypass security restrictions

CVE-2011-4820 4.3 - Medium - September 29, 2022

IBM Rational Asset Manager 7.5 could allow a remote attacker to bypass security restrictions. An attacker could exploit this vulnerability using the UID parameter to modify another user's preferences.

IBM Rational Change 5.3 is vulnerable to cross-site scripting, caused by improper validation of user-supplied input

CVE-2012-2160 6.1 - Medium - September 29, 2022

IBM Rational Change 5.3 is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using the SUPP_TEMPLATE_FLAG parameter in a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

XSS

IBM WebSphere MQ 7.1 is vulnerable to a denial of service, caused by an error when handling user ids

CVE-2012-2201 7.5 - High - September 29, 2022

IBM WebSphere MQ 7.1 is vulnerable to a denial of service, caused by an error when handling user ids. A remote attacker could exploit this vulnerability to bypass the security configuration setup on a SVRCONN channel and flood the queue manager.

IBM InfoSphere Information Server 8.1, 8.5, and 8,7 could

CVE-2012-4818 6.5 - Medium - September 29, 2022

IBM InfoSphere Information Server 8.1, 8.5, and 8,7 could allow a remote authenticated attacker to obtain sensitive information, caused by improper restrictions on directories. An attacker could exploit this vulnerability via the DataStage application to load or import content functionality to view arbitrary files on the system.

IBM QRadar User Behavior Analytics could allow an authenticated user to obtain sensitive information from

CVE-2022-36771 6.5 - Medium - September 28, 2022

IBM QRadar User Behavior Analytics could allow an authenticated user to obtain sensitive information from that they should not have access to. IBM X-Force ID: 232791.

Exposure of Resource to Wrong Sphere

IBM Jazz for Service Management is vulnerable to stored cross-site scripting

CVE-2022-35722 5.4 - Medium - September 28, 2022

IBM Jazz for Service Management is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 231381.

XSS

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to server-side request forgery (SSRF)

CVE-2022-35282 6.5 - Medium - September 28, 2022

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to server-side request forgery (SSRF). By sending a specially crafted request, an attacker with local network access could exploit this vulnerability to obtain sensitive data.

XSPA

IBM Application Gateway is vulnerable to cross-site scripting

CVE-2022-22387 5.4 - Medium - September 28, 2022

IBM Application Gateway is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 221965.

XSS

IBM Sterling Partner Engagement Manager 6.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data

CVE-2022-34348 7.1 - High - September 23, 2022

IBM Sterling Partner Engagement Manager 6.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 230017.

XXE

IBM Maximo Asset Management 7.6.1.1, 7.6.1.2, and 7.6.1.3 could

CVE-2022-40616 8.1 - High - September 21, 2022

IBM Maximo Asset Management 7.6.1.1, 7.6.1.2, and 7.6.1.3 could allow a user to bypass authentication and obtain sensitive information or perform tasks they should not have access to. IBM X-Force ID: 236311.

authentification

Versions of IBM Spectrum Protect Plus prior to 10.1.12 (excluding 10.1.12) include the private key information for a certificate inside the generated .crt file when uploading a TLS certificate to IBM Spectrum Protect Plus

CVE-2022-40234 5.9 - Medium - September 19, 2022

Versions of IBM Spectrum Protect Plus prior to 10.1.12 (excluding 10.1.12) include the private key information for a certificate inside the generated .crt file when uploading a TLS certificate to IBM Spectrum Protect Plus. If this generated .crt file is shared, an attacker can obtain the private key information for the uploaded certificate. IBM X-Force ID: 235718.

Exposure of Resource to Wrong Sphere

IBM Spectrum Protect Plus 10.1.6 through 10.1.11 Microsoft File Systems restore operation

CVE-2022-40608 7.5 - High - September 19, 2022

IBM Spectrum Protect Plus 10.1.6 through 10.1.11 Microsoft File Systems restore operation can download any file on the target machine by manipulating the URL with a directory traversal attack. This results in the restore operation gaining access to files which the operator should not have access to. IBM X-Force ID: 235873.

Directory traversal

IBM Maximo Asset Management 7.6.1.1 and 7.6.1.2 could

CVE-2021-38924 7.5 - High - September 14, 2022

IBM Maximo Asset Management 7.6.1.1 and 7.6.1.2 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 210163.

Exposure of Resource to Wrong Sphere

IBM AIX 7.1, 7.2, 7.3, and VIOS 3.1 could

CVE-2022-34356 7.8 - High - September 13, 2022

IBM AIX 7.1, 7.2, 7.3, and VIOS 3.1 could allow a non-privileged local user to exploit a vulnerability in the AIX kernel to obtain root privileges. IBM X-Force ID: 230502.

IBM AIX 7.1, 7.2, 7.3, and VIOS 3.1 could

CVE-2022-36768 7.8 - High - September 13, 2022

IBM AIX 7.1, 7.2, 7.3, and VIOS 3.1 could allow a non-privileged local user to exploit a vulnerability in the invscout command to obtain root privileges. IBM X-Force ID: 232014.

Command Injection

IBM Planning Analytics Local 2.0 allows web pages to be stored locally which can be read by another user on the system

CVE-2022-22314 3.3 - Low - September 08, 2022

IBM Planning Analytics Local 2.0 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 217371.

Exposure of Resource to Wrong Sphere

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 could

CVE-2021-39045 5.5 - Medium - September 01, 2022

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 could allow a local attacker to obtain information due to the autocomplete feature on password input fields. IBM X-Force ID: 214345.

Exposure of Resource to Wrong Sphere

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user

CVE-2020-4301 6.5 - Medium - September 01, 2022

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 176609.

Session Riding

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user

CVE-2021-20468 6.5 - Medium - September 01, 2022

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 196825.

Session Riding

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user

CVE-2021-29823 6.5 - Medium - September 01, 2022

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 204465.

Session Riding

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 stores user credentials in plain clear text which can be read by a local privileged user

CVE-2021-39009 5.5 - Medium - September 01, 2022

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 stores user credentials in plain clear text which can be read by a local privileged user. IBM X-Force ID: 213554.

Cleartext Storage of Sensitive Information

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 is vulnerable to a denial of service

CVE-2022-30614 7.5 - High - September 01, 2022

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 is vulnerable to a denial of service via email flooding caused by sending a specially-crafted request. A remote attacker could exploit this vulnerability to cause the server to consume all available CPU resources. IBM X-Force ID: 227591.

Resource Exhaustion

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data

CVE-2022-36773 8.1 - High - September 01, 2022

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 233571.

XXE

IBM Security Identity Manager 6.0 and 6.0.2 could allow a remote attacker to conduct phishing attacks, using an open redirect attack

CVE-2021-29864 6.1 - Medium - August 30, 2022

IBM Security Identity Manager 6.0 and 6.0.2 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim. IBM X-Force ID: 206089

Open Redirect

IBM Engineering Test Management 7.0, 7.0.1, and 7.0.2 is vulnerable to cross-site scripting

CVE-2021-38934 5.4 - Medium - August 29, 2022

IBM Engineering Test Management 7.0, 7.0.1, and 7.0.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 210671.

XSS

IBM DataPower Gateway V10CD, 10.0.1, and 2018.4.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user

CVE-2022-31773 8.8 - High - August 26, 2022

IBM DataPower Gateway V10CD, 10.0.1, and 2018.4.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 228357.

Session Riding

IBM Maximo Asset Management 7.6.1 is vulnerable to cross-site scripting

CVE-2022-35714 5.4 - Medium - August 26, 2022

IBM Maximo Asset Management 7.6.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 231116.

XSS

IBM Security Verify Governance Identity Manager 10.0 virtual appliance component performs an operation at a privilege level

CVE-2022-22455 9.8 - Critical - August 17, 2022

IBM Security Verify Governance Identity Manager 10.0 virtual appliance component performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses. IBM X-Force ID: 224989.

IBM Workload Scheduler 9.4 and 9.5 could allow a local user to overwrite key system files which would cause the system to crash

CVE-2022-22369 7.1 - High - August 10, 2022

IBM Workload Scheduler 9.4 and 9.5 could allow a local user to overwrite key system files which would cause the system to crash. IBM X-Force ID: 221187.

IBM CICS TX 11.1 could allow a remote attacker to hijack the clicking action of the victim

CVE-2022-34162 6.1 - Medium - August 01, 2022

IBM CICS TX 11.1 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. IBM X-Force ID: 229332.

Clickjacking

IBM CICS TX 11.1 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers

CVE-2022-34163 6.1 - Medium - August 01, 2022

IBM CICS TX 11.1 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. IBM X-Force ID: 229333.

XSS

IBM CICS TX 11.1 could allow a local user to impersonate another legitimate user due to improper input validation

CVE-2022-34164 5.5 - Medium - August 01, 2022

IBM CICS TX 11.1 could allow a local user to impersonate another legitimate user due to improper input validation. IBM X-Force ID: 229338.

Improper Input Validation

IBM CICS TX 11.1 does not set the secure attribute on authorization tokens or session cookies

CVE-2022-34307 4.3 - Medium - August 01, 2022

IBM CICS TX 11.1 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. IBM X-Force ID: 229436.

AuthZ

IBM CICS TX 11.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user

CVE-2022-34161 8.8 - High - August 01, 2022

IBM CICS TX 11.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 229331.

Session Riding

IBM CICS TX 11.1 could allow allow an attacker with physical access to the system to execute code due using a back and refresh attack

CVE-2022-33955 6.8 - Medium - August 01, 2022

IBM CICS TX 11.1 could allow allow an attacker with physical access to the system to execute code due using a back and refresh attack. IBM X-Force ID: 229312.

Shell injection

IBM DataPower Gateway 10.0.2.0 through 10.0.4.0

CVE-2022-32750 5.4 - Medium - August 01, 2022

IBM DataPower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.8, 10.5.0.0, and 2018.4.1.0 through 2018.4.1.21 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 228435.

XSS

IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 is vulnerable to insufficiently protected credentials for users created

CVE-2022-33169 6.5 - Medium - August 01, 2022

IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 is vulnerable to insufficiently protected credentials for users created via a bulk upload. IBM X-Force ID: 228888.

Insufficiently Protected Credentials

IBM Robotic Process Automation 21.0.0

CVE-2022-34338 6.5 - Medium - August 01, 2022

IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 could disclose sensitive information due to improper privilege management for storage provider types. IBM X-Force ID: 229962.

Improper Privilege Management

IBM UrbanCode Deploy (UCD) 6.2.0.0 through 6.2.7.16, 7.0.0.0 through 7.0.5.11, 7.1.0.0 through 7.1.2.7, and 7.2.0.0 through 7.2.3.0 could

CVE-2022-35716 6.5 - Medium - August 01, 2022

IBM UrbanCode Deploy (UCD) 6.2.0.0 through 6.2.7.16, 7.0.0.0 through 7.0.5.11, 7.1.0.0 through 7.1.2.7, and 7.2.0.0 through 7.2.3.0 could allow an authenticated user to obtain sensitive information in some instances due to improper security checking. IBM X-Force ID: 231360.

Exposure of Resource to Wrong Sphere

IBM DataPower Gateway 10.0.2.0 through 10.0.4.0

CVE-2022-31774 5.4 - Medium - August 01, 2022

IBM DataPower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.8, 10.5.0.0, and 2018.4.1.0 through 2018.4.1.21 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 228358.

XSS

IBM DataPower Gateway 10.0.2.0 through 10.0.4.0

CVE-2022-31775 9.1 - Critical - August 01, 2022

IBM DataPower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.8, 10.5.0.0, and 2018.4.1.0 through 2018.4.1.21 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 228359.

XXE

IBM DataPower Gateway 10.0.2.0 through 10.0.4.0

CVE-2022-31776 8.8 - High - August 01, 2022

IBM DataPower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.8, 10.5.0.0, and 2018.4.1.0 through 2018.4.1.21 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 228433.

XSPA

IBM Datapower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.5, and 2018.4.1.0 through 2018.4.1.18 could

CVE-2022-22326 3.3 - Low - August 01, 2022

IBM Datapower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.5, and 2018.4.1.0 through 2018.4.1.18 could allow unauthorized viewing of logs and files due to insufficient authorization checks. IBM X-Force ID: 218856.

AuthZ

IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 could

CVE-2022-22334 4.3 - Medium - August 01, 2022

IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 could allow a user to access information from a tenant of which they should not have access. IBM X-Force ID: 219391.

Exposure of Resource to Wrong Sphere

IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 contains a vulnerability that could allow IBM tenant credentials to be exposed

CVE-2022-22505 7.5 - High - August 01, 2022

IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 contains a vulnerability that could allow IBM tenant credentials to be exposed. IBM X-Force ID: 227288.

IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 could

CVE-2022-30616 7.2 - High - August 01, 2022

IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 could allow a privileged user to elevate their privilege to platform administrator through manipulation of APIs. IBM X-Force ID: 227978.

Improper Privilege Management

IBM PowerVM VIOS 3.1 could allow a remote attacker to tamper with system configuration or cause a denial of service

CVE-2022-35643 9.1 - Critical - July 29, 2022

IBM PowerVM VIOS 3.1 could allow a remote attacker to tamper with system configuration or cause a denial of service. IBM X-Force ID: 230956.

IBM Security Verify Information Queue 10.0.2 could disclose sensitive information due to a missing or insecure SameSite attribute for a sensitive cookie

CVE-2022-35284 7.5 - High - July 25, 2022

IBM Security Verify Information Queue 10.0.2 could disclose sensitive information due to a missing or insecure SameSite attribute for a sensitive cookie. IBM X-Force ID: 230811.

Reliance on Cookies without Validation and Integrity Checking

IBM Security Verify Information Queue 10.0.2 contains hard-coded credentials, such as a password or cryptographic key

CVE-2022-35287 7.5 - High - July 25, 2022

IBM Security Verify Information Queue 10.0.2 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 230817.

Use of Hard-coded Credentials

IBM Security Verify Information Queue 10.0.2 could allow a user to obtain sensitive information

CVE-2022-35288 6.5 - Medium - July 25, 2022

IBM Security Verify Information Queue 10.0.2 could allow a user to obtain sensitive information that could be used in further attacks against the system. IBM X-Force ID: 230818.

Exposure of Resource to Wrong Sphere

IBM Sterling Partner Engagement Manager 6.1.2

CVE-2022-22358 7.1 - High - July 19, 2022

IBM Sterling Partner Engagement Manager 6.1.2, 6.2, and Cloud/SasS 22.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 220651.

XXE

IBM Sterling Partner Engagement Manager 6.1.2, 6.2, and Cloud/SasS 22.2 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user

CVE-2022-22359 6.5 - Medium - July 19, 2022

IBM Sterling Partner Engagement Manager 6.1.2, 6.2, and Cloud/SasS 22.2 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 220652.

Session Riding

IBM Sterling Partner Engagement Manager 6.1.2, 6.2, and Cloud/SasS 22.2 could

CVE-2022-22360 8.8 - High - July 19, 2022

IBM Sterling Partner Engagement Manager 6.1.2, 6.2, and Cloud/SasS 22.2 could allow a remote authenticated attacker to conduct an LDAP injection. By using a specially crafted request, an attacker could exploit this vulnerability and could result in in granting permission to unauthorized resources. IBM X-Force ID: 220782.

IBM Sterling Partner Engagement Manager 6.1.2, 6.2, and Cloud/SasS 22.2 is vulnerable to server-side request forgery (SSRF)

CVE-2022-22416 5.4 - Medium - July 19, 2022

IBM Sterling Partner Engagement Manager 6.1.2, 6.2, and Cloud/SasS 22.2 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 223126.

XSPA

IBM Sterling Partner Engagement Manager 6.1.2, 6.2, and Cloud/SasS 22.2 is vulnerable to cross-site scripting

CVE-2022-22417 5.4 - Medium - July 19, 2022

IBM Sterling Partner Engagement Manager 6.1.2, 6.2, and Cloud/SasS 22.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 223127.

XSS

An attacker that gains service access to the FSP (POWER9 only) or gains admin authority to a partition

CVE-2022-22445 6.5 - Medium - July 18, 2022

An attacker that gains service access to the FSP (POWER9 only) or gains admin authority to a partition can compromise partition firmware.

IBM Engineering Requirements Quality Assistant On-Premises (All versions) is vulnerable to cross-site scripting

CVE-2021-29788 5.4 - Medium - July 18, 2022

IBM Engineering Requirements Quality Assistant On-Premises (All versions) is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 203310.

XSS

IBM Engineering Requirements Quality Assistant On-Premises (All versions) is vulnerable to cross-site scripting

CVE-2021-29790 5.4 - Medium - July 18, 2022

IBM Engineering Requirements Quality Assistant On-Premises (All versions) is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 203440.

XSS

IBM Engineering Requirements Quality Assistant On-Premises (All versions) could

CVE-2021-29799 6.5 - Medium - July 18, 2022

IBM Engineering Requirements Quality Assistant On-Premises (All versions) could allow an authenticated user to obtain sensitive information due to improper client side validation. IBM X-Force ID: 203738.

IBM Engineering Requirements Quality Assistant On-Premises (All versions) is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user

CVE-2021-38868 6.5 - Medium - July 18, 2022

IBM Engineering Requirements Quality Assistant On-Premises (All versions) is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force Id: 208310.

Session Riding

IBM QRadar Network Security 5.4.0 and 5.5.0 contains hard-coded credentials, such as a password or cryptographic key

CVE-2020-4157 7.5 - High - July 12, 2022

IBM QRadar Network Security 5.4.0 and 5.5.0 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 174337.

Use of Hard-coded Credentials

IBM QRadar Network Security 5.4.0 and 5.5.0 discloses sensitive information to unauthorized users

CVE-2020-4159 7.5 - High - July 12, 2022

IBM QRadar Network Security 5.4.0 and 5.5.0 discloses sensitive information to unauthorized users which could be used to mount further attacks against the system. IBM X-Force ID: 174339.

Information Disclosure

IBM QRadar SIEM 7.3

CVE-2021-39041 5.3 - Medium - July 12, 2022

IBM QRadar SIEM 7.3, 7.4, and 7.5 may be vulnerable to partial denial of service attack, resulting in some protocols not listening to specified ports. IBM X-Force ID: 214028.

IBM SiteProtector Appliance 3.1.1 allows web pages to be stored locally which can be read by another user on the system

CVE-2020-4138 5.5 - Medium - July 11, 2022

IBM SiteProtector Appliance 3.1.1 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 174049.

IBM SiteProtector Appliance 3.1.1 contains hard-coded credentials, such as a password or cryptographic key

CVE-2020-4150 9.8 - Critical - July 11, 2022

IBM SiteProtector Appliance 3.1.1 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 174142.

Use of Hard-coded Credentials

IBM Security Verify Access 10.0.0.0, 10.0.1.0, 10.0.2.0, and 10.0.3.0 is vulnerable to cross-site scripting

CVE-2022-22370 5.4 - Medium - July 08, 2022

IBM Security Verify Access 10.0.0.0, 10.0.1.0, 10.0.2.0, and 10.0.3.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 221194.

XSS

IBM Security Access Manager Appliance 10.0.0.0, 10.0.1.0, 10.0.2.0, and 10.0.3.0 is vulnerable to SQL injection

CVE-2022-22463 6.5 - Medium - July 08, 2022

IBM Security Access Manager Appliance 10.0.0.0, 10.0.1.0, 10.0.2.0, and 10.0.3.0 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 225079.

SQL Injection

IBM Security Access Manager Appliance 10.0.0.0, 10.0.1.0, 10.0.2.0, and 10.0.3.0 uses weaker than expected cryptographic algorithms

CVE-2022-22464 7.5 - High - July 08, 2022

IBM Security Access Manager Appliance 10.0.0.0, 10.0.1.0, 10.0.2.0, and 10.0.3.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 225081.

Inadequate Encryption Strength

IBM Security Access Manager Appliance 10.0.0.0, 10.0.1.0, 10.0.2.0, and 10.0.3.0 could

CVE-2022-22465 7.8 - High - July 08, 2022

IBM Security Access Manager Appliance 10.0.0.0, 10.0.1.0, 10.0.2.0, and 10.0.3.0 could allow a local user to obtain elevated privileges due to improper access permissions. IBM X-Force ID: 225082.

IBM WebSphere Application Server Liberty 17.0.0.3 through 22.0.0.7 and Open Liberty are vulnerable to identity spoofing by an authenticated user using a specially crafted request

CVE-2022-22476 8.8 - High - July 08, 2022

IBM WebSphere Application Server Liberty 17.0.0.3 through 22.0.0.7 and Open Liberty are vulnerable to identity spoofing by an authenticated user using a specially crafted request. IBM X-Force ID: 225604.

Authentication Bypass by Spoofing

IBM App Connect Enterprise Certified Container 4.2 could

CVE-2022-31770 4.9 - Medium - July 05, 2022

IBM App Connect Enterprise Certified Container 4.2 could allow a user from the administration console to cause a denial of service by creating a specially crafted request. IBM X-Force ID: 228221.

IBM UrbanCode Deploy (UCD) 6.2.7.15, 7.0.5.10, 7.1.2.6, and 7.2.2.1 stores user credentials in plain clear text

CVE-2022-22366 4.4 - Medium - July 01, 2022

IBM UrbanCode Deploy (UCD) 6.2.7.15, 7.0.5.10, 7.1.2.6, and 7.2.2.1 stores user credentials in plain clear text which can be read by a local user. IBM X-Force ID: 22106.

Cleartext Storage of Sensitive Information