IBM

IBM QRadar SIEM 7.5.0 is vulnerable to cross-site scripting

CVE-2023-43057 5.4 - Medium - November 11, 2023

IBM QRadar SIEM 7.5.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 267484.

IBM AIX's 7.3 Python implementation could allow a non-privileged local user to exploit a vulnerability to cause a denial of service

CVE-2023-45167 5.5 - Medium - November 10, 2023

IBM AIX's 7.3 Python implementation could allow a non-privileged local user to exploit a vulnerability to cause a denial of service. IBM X-Force ID: 267965.

A vulnerability in IBM Robotic Process Automation and IBM Robotic Process Automation for Cloud Pak 21.0.0 through 21.0.7.10

CVE-2023-45189 6.5 - Medium - November 03, 2023

A vulnerability in IBM Robotic Process Automation and IBM Robotic Process Automation for Cloud Pak 21.0.0 through 21.0.7.10, 23.0.0 through 23.0.10 may result in access to client vault credentials. This difficult to exploit vulnerability could allow a low privileged attacker to programmatically access client vault credentials. IBM X-Force ID: 268752.

IBM MQ Appliance 9.3 CD could

CVE-2023-46176 7.8 - High - November 03, 2023

IBM MQ Appliance 9.3 CD could allow a local attacker to gain elevated privileges on the system, caused by improper validation of security keys. IBM X-Force ID: 269535.

Management Central as part of IBM i 7.2, 7.3, 7.4, and 7.5 Navigator contains a local privilege escalation vulnerability

CVE-2023-40685 7.8 - High - October 29, 2023

Management Central as part of IBM i 7.2, 7.3, 7.4, and 7.5 Navigator contains a local privilege escalation vulnerability. A malicious actor with command line access to the operating system can exploit this vulnerability to elevate privileges to gain root access to the operating system. IBM X-Force ID: 264116.

Improper Privilege Management

Management Central as part of IBM i 7.2, 7.3, 7.4, and 7.5 Navigator contains a local privilege escalation vulnerability

CVE-2023-40686 7.8 - High - October 29, 2023

Management Central as part of IBM i 7.2, 7.3, 7.4, and 7.5 Navigator contains a local privilege escalation vulnerability. A malicious actor with command line access to the operating system can exploit this vulnerability to elevate privileges to gain component access to the operating system. IBM X-Force ID: 264114.

Improper Privilege Management

IBM QRadar SIEM 7.5 is vulnerable to information exposure

CVE-2023-43041 4.9 - Medium - October 29, 2023

IBM QRadar SIEM 7.5 is vulnerable to information exposure allowing a delegated Admin tenant user with a specific domain security profile assigned to see data from other domains. This vulnerability is due to an incomplete fix for CVE-2022-34352. IBM X-Force ID: 266808.

IBM WebSphere Application Server Liberty 23.0.0.9 through 23.0.0.10 could provide weaker than expected security due to improper resource expiration handling

CVE-2023-46158 9.8 - Critical - October 25, 2023

IBM WebSphere Application Server Liberty 23.0.0.9 through 23.0.0.10 could provide weaker than expected security due to improper resource expiration handling. IBM X-Force ID: 268775.

Insufficient Session Expiration

IBM Security Verify Governance 10.0 contains hard-coded credentials, such as a password or cryptographic key

CVE-2022-22466 9.8 - Critical - October 23, 2023

IBM Security Verify Governance 10.0 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 225222.

Use of Hard-coded Credentials

IBM Security Verify Governance 10.0 does not encrypt sensitive or critical information before storage or transmission

CVE-2023-33837 7.5 - High - October 23, 2023

IBM Security Verify Governance 10.0 does not encrypt sensitive or critical information before storage or transmission. IBM X-Force ID: 256020.

Missing Encryption of Sensitive Data

IBM Security Verify Governance 10.0 could

CVE-2023-33839 8.8 - High - October 23, 2023

IBM Security Verify Governance 10.0 could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request. IBM X-Force ID: 256036.

Shell injection

IBM Security Verify Governance 10.0 is vulnerable to cross-site scripting

CVE-2023-33840 4.8 - Medium - October 23, 2023

IBM Security Verify Governance 10.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 256037.

XSS

IBM Sterling Partner Engagement Manager 6.1.2, 6.2.0, and 6.2.2 is vulnerable to stored cross-site scripting

CVE-2023-38722 5.4 - Medium - October 23, 2023

IBM Sterling Partner Engagement Manager 6.1.2, 6.2.0, and 6.2.2 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 262174.

XSS

IBM Sterling Partner Engagement Manager 6.1.2, 6.2.0, and 6.2.2 could

CVE-2023-43045 7.5 - High - October 23, 2023

IBM Sterling Partner Engagement Manager 6.1.2, 6.2.0, and 6.2.2 could allow a remote user to perform unauthorized actions due to improper authentication. IBM X-Force ID: 266896.

Missing Authentication for Critical Function

IBM Cognos Dashboards on Cloud Pak for Data 4.7.0 exposes sensitive information in environment variables

CVE-2023-38276 7.5 - High - October 22, 2023

IBM Cognos Dashboards on Cloud Pak for Data 4.7.0 exposes sensitive information in environment variables which could aid in further attacks against the system. IBM X-Force ID: 260736.

Cleartext Transmission of Sensitive Information

IBM Cognos Dashboards on Cloud Pak for Data 4.7.0 could

CVE-2023-38735 6.5 - Medium - October 22, 2023

IBM Cognos Dashboards on Cloud Pak for Data 4.7.0 could allow a remote attacker to bypass security restrictions, caused by a reverse tabnabbing flaw. An attacker could exploit this vulnerability and redirect a victim to a phishing site. IBM X-Force ID: 262482.

authentification

IBM Cognos Dashboards on Cloud Pak for Data 4.7.0 exposes sensitive information in container images

CVE-2023-38275 7.5 - High - October 22, 2023

IBM Cognos Dashboards on Cloud Pak for Data 4.7.0 exposes sensitive information in container images which could lead to further attacks against the system. IBM X-Force ID: 260730.

Cleartext Transmission of Sensitive Information

IBM HMC (Hardware Management Console) 10.1.1010.0 and 10.2.1030.0 could

CVE-2023-38280 7.8 - High - October 16, 2023

IBM HMC (Hardware Management Console) 10.1.1010.0 and 10.2.1030.0 could allow a local user to escalate their privileges to root access on a restricted shell. IBM X-Force ID: 260740.

Improper Privilege Management

IBM Security Verify Governance 10.0 contains hard-coded credentials, such as a password or cryptographic key

CVE-2023-33836 9.8 - Critical - October 16, 2023

IBM Security Verify Governance 10.0 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 256016.

Use of Hard-coded Credentials

Backup, Recovery, and Media Services (BRMS) for IBM i 7.2, 7.3, and 7.4 contains a local privilege escalation vulnerability

CVE-2023-40377 7.8 - High - October 16, 2023

Backup, Recovery, and Media Services (BRMS) for IBM i 7.2, 7.3, and 7.4 contains a local privilege escalation vulnerability. A malicious actor with command line access to the host operating system can elevate privileges to gain component access to the host operating system. IBM X-Force ID: 263583.

IBM Security Verify Governance 10.0, Identity Manager could allow a local privileged user to obtain sensitive information from source code

CVE-2023-35013 4.4 - Medium - October 16, 2023

IBM Security Verify Governance 10.0, Identity Manager could allow a local privileged user to obtain sensitive information from source code. IBM X-Force ID: 257769.

Exposure of Resource to Wrong Sphere

IBM Security Verify Governance 10.0 could allow a privileged use to upload arbitrary files due to improper file validation

CVE-2023-35018 7.2 - High - October 16, 2023

IBM Security Verify Governance 10.0 could allow a privileged use to upload arbitrary files due to improper file validation. IBM X-Force ID: 259382.

Unrestricted File Upload

IBM Directory Server for IBM i contains a local privilege escalation vulnerability

CVE-2023-40378 7.8 - High - October 15, 2023

IBM Directory Server for IBM i contains a local privilege escalation vulnerability. A malicious actor with command line access to the host operating system can elevate privileges to gain component access to the host operating system. IBM X-Force ID: 263584.

IBM App Connect Enterprise 11.0.0.1 through 11.0.0.23

CVE-2023-45176 5.5 - Medium - October 14, 2023

IBM App Connect Enterprise 11.0.0.1 through 11.0.0.23, 12.0.1.0 through 12.0.10.0 and IBM Integration Bus 10.1 through 10.1.0.1 are vulnerable to a denial of service for integration nodes on Windows. IBM X-Force ID: 247998.

IBM Security Verify Access OIDC Provider could allow a remote user to cause a denial of service due to uncontrolled resource consumption

CVE-2022-43740 7.5 - High - October 14, 2023

IBM Security Verify Access OIDC Provider could allow a remote user to cause a denial of service due to uncontrolled resource consumption. IBM X-Force ID: 238921.

Resource Exhaustion

IBM Security Verify Access OIDC Provider could disclose directory information

CVE-2022-43868 5.3 - Medium - October 14, 2023

IBM Security Verify Access OIDC Provider could disclose directory information that could aid attackers in further attacks against the system. IBM X-Force ID: 239445.

IBM Cloud Pak for Business Automation 18.0.0

CVE-2023-35024 7.6 - High - October 14, 2023

IBM Cloud Pak for Business Automation 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, and 22.0.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 258349.

XSS

IBM Security Directory Server 6.4.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data

CVE-2022-32755 9.1 - Critical - October 14, 2023

IBM Security Directory Server 6.4.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 228505.

XXE

IBM Security Directory Server 6.4.0 could

CVE-2022-33161 5.9 - Medium - October 14, 2023

IBM Security Directory Server 6.4.0 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. X-Force ID: 228569.

Missing Encryption of Sensitive Data

IBM Security Directory Server 6.4.0 could allow a remote attacker to traverse directories on the system

CVE-2022-33165 7.5 - High - October 14, 2023

IBM Security Directory Server 6.4.0 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 228582.

Directory traversal

IBM App Connect Enterprise 12.0.1.0 through 12.0.8.0 contains an unspecified vulnerability

CVE-2023-40682 4.4 - Medium - October 13, 2023

IBM App Connect Enterprise 12.0.1.0 through 12.0.8.0 contains an unspecified vulnerability that could allow a local privileged user to obtain sensitive information from API logs. IBM X-Force ID: 263833.

Insertion of Sensitive Information into Log File

IBM Security Directory Suite 8.0.1 uses weaker than expected cryptographic algorithms

CVE-2022-33160 7.5 - High - October 06, 2023

IBM Security Directory Suite 8.0.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 228568.

Use of a Broken or Risky Cryptographic Algorithm

IBM Jazz Foundation (IBM Engineering Lifecycle Management 6.0.6, 6.0.6.1, 7.0, 7.0.1, and 7.0.2) could disclose sensitive version information to a user

CVE-2022-34355 5.5 - Medium - October 06, 2023

IBM Jazz Foundation (IBM Engineering Lifecycle Management 6.0.6, 6.0.6.1, 7.0, 7.0.1, and 7.0.2) could disclose sensitive version information to a user that could be used in further attacks against the system. IBM X-Force ID: 230498.

IBM Spectrum Protect Client and IBM Storage Protect for Virtual Environments 8.1.0.0 through 8.1.19.0 could

CVE-2023-35897 7.8 - High - October 06, 2023

IBM Spectrum Protect Client and IBM Storage Protect for Virtual Environments 8.1.0.0 through 8.1.19.0 could allow a local user to execute arbitrary code on the system using a specially crafted file, caused by a DLL hijacking flaw. IBM X-Force ID: 259246.

DLL preloading

IBM Content Navigator 3.0.11, 3.0.13, and 3.0.14 with IBM Daeja ViewOne Virtual is vulnerable to cross-site scripting

CVE-2023-40684 5.4 - Medium - October 04, 2023

IBM Content Navigator 3.0.11, 3.0.13, and 3.0.14 with IBM Daeja ViewOne Virtual is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 264019.

XSS

IBM UrbanCode Deploy (UCD) 7.1 - 7.1.2.12, 7.2 through 7.2.3.5, and 7.3 through 7.3.2.0 under certain configurations could

CVE-2023-40376 6.5 - Medium - October 04, 2023

IBM UrbanCode Deploy (UCD) 7.1 - 7.1.2.12, 7.2 through 7.2.3.5, and 7.3 through 7.3.2.0 under certain configurations could allow an authenticated user to make changes to environment variables due to improper authentication controls. IBM X-Force ID: 263581.

authentification

IBM Observability with Instana 1.0.243 through 1.0.254 could

CVE-2023-37404 9.8 - Critical - October 04, 2023

IBM Observability with Instana 1.0.243 through 1.0.254 could allow an attacker on the network to execute arbitrary code on the host after a successful DNS poisoning attack. IBM X-Force ID: 259789.

IBM FileNet Content Manager 5.5.8, 5.5.10, and 5.5.11 is vulnerable to cross-site scripting

CVE-2023-35905 5.4 - Medium - October 04, 2023

IBM FileNet Content Manager 5.5.8, 5.5.10, and 5.5.11 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 259384.

XSS

IBM Disconnected Log Collector 1.0 through 1.8.2 is vulnerable to potential security misconfigurations

CVE-2022-22447 7.5 - High - October 04, 2023

IBM Disconnected Log Collector 1.0 through 1.8.2 is vulnerable to potential security misconfigurations that could disclose unintended information. IBM X-Force ID: 224648.

IBM License Metric Tool 9.2 could allow a remote attacker to traverse directories on the system

CVE-2023-43044 7.5 - High - September 28, 2023

IBM License Metric Tool 9.2 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 266893.

Directory traversal

Integrated application server for IBM i 7.2, 7.3, 7.4, and 7.5 contains a local privilege escalation vulnerability

CVE-2023-40375 7.8 - High - September 28, 2023

Integrated application server for IBM i 7.2, 7.3, 7.4, and 7.5 contains a local privilege escalation vulnerability. A malicious actor with command line access to the host operating system can elevate privileges to gain root access to the host operating system. IBM X-Force ID: 263580.

Improper Privilege Management

IBM Personal Communications 14.05, 14.06, and 15.0.0 could

CVE-2023-37410 7.8 - High - September 20, 2023

IBM Personal Communications 14.05, 14.06, and 15.0.0 could allow a local user to escalate their privileges to the SYSTEM user due to overly permissive access controls. IBM X-Force ID: 260138.

IBM Robotic Process Automation 21.0.0 through 21.0.7.8 could disclose sensitive information

CVE-2023-38718 5.3 - Medium - September 20, 2023

IBM Robotic Process Automation 21.0.0 through 21.0.7.8 could disclose sensitive information from access to RPA scripts, workflows and related data. IBM X-Force ID: 261606.

IBM Storage Protect 8.1.0.0 through 8.1.19.0 could

CVE-2023-40368 4.4 - Medium - September 20, 2023

IBM Storage Protect 8.1.0.0 through 8.1.19.0 could allow a privileged user to obtain sensitive information from the administrative command line client. IBM X-Force ID: 263456.

IBM Maximo Application Suite 8.9, 8.10 and IBM Maximo Asset Management 7.6.1.2, 7.6.1.3 are vulnerable to HTML injection

CVE-2023-32332 5.4 - Medium - September 08, 2023

IBM Maximo Application Suite 8.9, 8.10 and IBM Maximo Asset Management 7.6.1.2, 7.6.1.3 are vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. IBM X-Force ID: 255072.

XSS

IBM Security Directory Server 7.2.0 could allow a remote attacker to traverse directories on the system

CVE-2022-33164 9.1 - Critical - September 08, 2023

IBM Security Directory Server 7.2.0 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view or write to arbitrary files on the system. IBM X-Force ID: 228579.

Directory traversal

IBM QRadar WinCollect Agent 10.0 through 10.1.6, when installed to run as ADMIN or SYSTEM, is vulnerable to a local escalation of privilege attack

CVE-2023-38736 7.8 - High - September 08, 2023

IBM QRadar WinCollect Agent 10.0 through 10.1.6, when installed to run as ADMIN or SYSTEM, is vulnerable to a local escalation of privilege attack that a normal user could utilize to gain SYSTEM permissions. IBM X-Force ID: 262542.

IBM Sterling Secure Proxy 6.0.3 and 6.1.0 could

CVE-2023-29261 5.5 - Medium - September 05, 2023

IBM Sterling Secure Proxy 6.0.3 and 6.1.0 could allow a local user with specific information about the system to obtain privileged information due to inadequate memory clearing during operations. IBM X-Force ID: 252139.

Insecure Storage of Sensitive Information

IBM Sterling Secure Proxy and IBM Sterling External Authentication Server 6.0.3 and 6.1.0 stores user credentials in plain clear text

CVE-2023-32338 5.5 - Medium - September 05, 2023

IBM Sterling Secure Proxy and IBM Sterling External Authentication Server 6.0.3 and 6.1.0 stores user credentials in plain clear text which can be read by a local user with container access. IBM X-Force ID: 255585.

Insufficiently Protected Credentials

IBM Financial Transaction Manager for SWIFT Services 3.2.4 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data

CVE-2023-35892 9.1 - Critical - September 05, 2023

IBM Financial Transaction Manager for SWIFT Services 3.2.4 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 258786.

XXE

IBM InfoSphere Information Server 11.7 is potentially vulnerable to CSV Injection

CVE-2023-22877 8.8 - High - August 28, 2023

IBM InfoSphere Information Server 11.7 is potentially vulnerable to CSV Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 244368.

CSV Injection

IBM InfoSphere Information Server 11.7 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user

CVE-2023-23473 8.8 - High - August 28, 2023

IBM InfoSphere Information Server 11.7 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 245400.

Session Riding

IBM Security Guardium Data Encryption (IBM Guardium Cloud Key Manager (GCKM) 1.10.3)) could

CVE-2023-26270 9.8 - Critical - August 28, 2023

IBM Security Guardium Data Encryption (IBM Guardium Cloud Key Manager (GCKM) 1.10.3)) could allow a remote attacker to execute arbitrary code on the system, caused by an angular template injection flaw. By sending specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 248119.

XSS

IBM Security Guardium Data Encryption (IBM Guardium Cloud Key Manager (GCKM) 1.10.3)) uses an inadequate account lockout setting

CVE-2023-26271 7.5 - High - August 28, 2023

IBM Security Guardium Data Encryption (IBM Guardium Cloud Key Manager (GCKM) 1.10.3)) uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 248126.

Improper Restriction of Excessive Authentication Attempts

IBM Security Guardium Data Encryption (IBM Guardium Cloud Key Manager (GCKM) 1.10.3)) could

CVE-2023-26272 5.3 - Medium - August 28, 2023

IBM Security Guardium Data Encryption (IBM Guardium Cloud Key Manager (GCKM) 1.10.3)) could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 248133.

Generation of Error Message Containing Sensitive Information

IBM InfoSphere Information Systems 11.7 could expose information about the host system and environment configuration

CVE-2023-24959 7.5 - High - August 28, 2023

IBM InfoSphere Information Systems 11.7 could expose information about the host system and environment configuration. IBM X-Force ID: 246332.

IBM Security Guardium 11.3 and 11.4 could disclose sensitive information to an attacker due to improper restriction of excessive authentication attempts

CVE-2022-43904 7.5 - High - August 28, 2023

IBM Security Guardium 11.3 and 11.4 could disclose sensitive information to an attacker due to improper restriction of excessive authentication attempts. IBM X-Force ID: 240895.

Improper Restriction of Excessive Authentication Attempts

IBM Security Guardium 11.4 could

CVE-2022-43907 8.8 - High - August 27, 2023

IBM Security Guardium 11.4 could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request. IBM X-Force ID: 240901.

Shell injection

IBM Security Guardium 11.4 is vulnerable to cross-site scripting

CVE-2022-43909 5.4 - Medium - August 27, 2023

IBM Security Guardium 11.4 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 240905.

XSS

IBM Security Guardium 11.3, 11.4, and 11.5 is vulnerable to stored cross-site scripting

CVE-2023-30435 5.4 - Medium - August 27, 2023

IBM Security Guardium 11.3, 11.4, and 11.5 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 252291.

XSS

IBM Security Guardium 11.3, 11.4, and 11.5 is vulnerable to cross-site scripting

CVE-2023-30436 5.4 - Medium - August 27, 2023

IBM Security Guardium 11.3, 11.4, and 11.5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 252292.

XSS

IBM Security Guardium 11.3, 11.4, and 11.5 could

CVE-2023-30437 5.3 - Medium - August 27, 2023

IBM Security Guardium 11.3, 11.4, and 11.5 could allow an unauthorized user to enumerate usernames by sending a specially crafted HTTP request. IBM X-Force ID: 252293.

IBM Security Guardium 11.4 is vulnerable to SQL injection

CVE-2023-33852 5.4 - Medium - August 27, 2023

IBM Security Guardium 11.4 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 257614.

SQL Injection

IBM Storage Copy Data Management 2.2.0.0 through 2.2.19.0 uses weaker than expected cryptographic algorithms

CVE-2023-38730 7.5 - High - August 27, 2023

IBM Storage Copy Data Management 2.2.0.0 through 2.2.19.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 262268.

Use of a Broken or Risky Cryptographic Algorithm

IBM AIX 7.2, 7.3, VIOS 3.1's OpenSSH implementation could

CVE-2023-40371 5.5 - Medium - August 24, 2023

IBM AIX 7.2, 7.3, VIOS 3.1's OpenSSH implementation could allow a non-privileged local user to access files outside of those allowed due to improper access controls. IBM X-Force ID: 263476.

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 could allow a remote attacker to obtain system information without authentication which could be used in reconnaissance to gather information

CVE-2023-35009 5.3 - Medium - August 16, 2023

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 could allow a remote attacker to obtain system information without authentication which could be used in reconnaissance to gather information that could be used for future attacks. IBM X-Force ID: 257703.

Generation of Error Message Containing Sensitive Information

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 is vulnerable to server-side request forgery (SSRF)

CVE-2023-35011 5.4 - Medium - August 16, 2023

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 257705.

XSPA

IBM WebSphere Application Server Liberty 22.0.0.13 through 23.0.0.7 is vulnerable to a denial of service

CVE-2023-38737 7.5 - High - August 16, 2023

IBM WebSphere Application Server Liberty 22.0.0.13 through 23.0.0.7 is vulnerable to a denial of service, caused by sending a specially-crafted request. A remote attacker could exploit this vulnerability to cause the server to consume memory resources. IBM X-Force ID: 262567.

Resource Exhaustion

The IBM i 7.2, 7.3, 7.4, and 7.5 product Facsimile Support for i contains a local privilege escalation vulnerability

CVE-2023-38721 7.8 - High - August 14, 2023

The IBM i 7.2, 7.3, 7.4, and 7.5 product Facsimile Support for i contains a local privilege escalation vulnerability. A malicious actor could gain access to a command line with elevated privileges allowing root access to the host operating system. IBM X-Force ID: 262173.

IBM SDK, Java Technology Edition 7.1.5.18 and 8.0.8.0 could

CVE-2022-40609 9.8 - Critical - August 02, 2023

IBM SDK, Java Technology Edition 7.1.5.18 and 8.0.8.0 could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization flaw. By sending specially-crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 236069.

Marshaling, Unmarshaling

IBM Robotic Process Automation 21.0.0 through 21.0.7.latest is vulnerable to unauthorized access to data due to insufficient authorization validation on some API routes

CVE-2023-23476 6.5 - Medium - August 02, 2023

IBM Robotic Process Automation 21.0.0 through 21.0.7.latest is vulnerable to unauthorized access to data due to insufficient authorization validation on some API routes. IBM X-Force ID: 245425.

AuthZ

IBM B2B Advanced Communications 1.0.0.0 and IBM Multi-Enterprise Integration Gateway 1.0.0.1 are vulnerable to cross-site scripting

CVE-2023-22595 5.4 - Medium - July 31, 2023

IBM B2B Advanced Communications 1.0.0.0 and IBM Multi-Enterprise Integration Gateway 1.0.0.1 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 244076.

XSS

IBM B2B Advanced Communications 1.0.0.0 and IBM Multi-Enterprise Integration Gateway 1.0.0.1 could

CVE-2023-24971 6.5 - Medium - July 31, 2023

IBM B2B Advanced Communications 1.0.0.0 and IBM Multi-Enterprise Integration Gateway 1.0.0.1 could allow a user to cause a denial of service due to the deserializing of untrusted serialized Java objects. IBM X-Force ID: 246976.

Marshaling, Unmarshaling

IBM TRIRIGA 3.0, 4.0, and 4.4 could

CVE-2020-4868 5.3 - Medium - July 31, 2023

IBM TRIRIGA 3.0, 4.0, and 4.4 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 190744.

Generation of Error Message Containing Sensitive Information

IBM Security Verify Governance, Identity Manager 10.0 could allow a remote attacker to traverse directories on the system

CVE-2023-35016 6.5 - Medium - July 31, 2023

IBM Security Verify Governance, Identity Manager 10.0 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 257772.

Directory traversal

IBM Security Verify Governance, Identity Manager 10.0 could

CVE-2023-35019 8.8 - High - July 31, 2023

IBM Security Verify Governance, Identity Manager 10.0 could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request. IBM X-Force ID: 257873.

Shell injection

IBM Storage Scale Container Native Storage Access 5.1.2.1 through 5.1.6.1 could

CVE-2022-43831 7.8 - High - July 31, 2023

IBM Storage Scale Container Native Storage Access 5.1.2.1 through 5.1.6.1 could allow a local user to obtain escalated privileges on a host without proper security context settings configured. IBM X-Force ID: 238941.

IBM Cognos Analytics 11.1 and 11.2 is vulnerable to stored cross-site scripting

CVE-2023-28530 5.4 - Medium - July 22, 2023

IBM Cognos Analytics 11.1 and 11.2 is vulnerable to stored cross-site scripting, caused by improper validation of SVG Files in Custom Visualizations. A remote attacker could exploit this vulnerability to execute scripts in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. IBM X-Force ID: 251214.

XSS

IBM Cognos Analytics 11.1 and 11.2 is vulnerable to cross-site scripting

CVE-2023-25929 5.4 - Medium - July 22, 2023

IBM Cognos Analytics 11.1 and 11.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 247861.

XSS

Planning Analytics Cartridge for Cloud Pak for Data 4.0 exposes sensitive information in logs

CVE-2023-26026 7.5 - High - July 19, 2023

Planning Analytics Cartridge for Cloud Pak for Data 4.0 exposes sensitive information in logs which could lead an attacker to exploit this vulnerability to conduct further attacks. IBM X-Force ID: 247896.

Insertion of Sensitive Information into Log File

IBM Planning Analytics Cartridge for Cloud Pak for Data 4.0 connects to a CouchDB server

CVE-2023-27877 7.5 - High - July 19, 2023

IBM Planning Analytics Cartridge for Cloud Pak for Data 4.0 connects to a CouchDB server. An attacker can exploit an insecure password policy to the CouchDB server and collect sensitive information from the database. IBM X-Force ID: 247905.

authentification

Planning Analytics Cartridge for Cloud Pak for Data 4.0 exposes sensitive information in logs

CVE-2023-26023 7.5 - High - July 19, 2023

Planning Analytics Cartridge for Cloud Pak for Data 4.0 exposes sensitive information in logs which could lead an attacker to exploit this vulnerability to conduct further attacks. IBM X-Force ID: 247896.

Insertion of Sensitive Information into Log File

IBM MQ 9.0 LTS

CVE-2023-28513 7.5 - High - July 19, 2023

IBM MQ 9.0 LTS, 9.1 LTS, 9.2 LTS, 9.3 LTS, 9.2 CD, and 9.3 CD and IBM MQ Appliance 9.2 LTS, 9.3 LTS, 9.2 CD, and 9.2 LTS, under certain configurations, is vulnerable to a denial of service attack caused by an error processing messages. IBM X-Force ID: 250397.

IBM Security Verify Access 10.0 could allow a remote attacker to conduct phishing attacks, using an open redirect attack

CVE-2023-30433 5.4 - Medium - July 19, 2023

IBM Security Verify Access 10.0 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim. IBM X-Force ID: 252186.

Open Redirect

The IBM i 7.2, 7.3, 7.4, and 7.5 product Facsimile Support for i contains a local privilege escalation vulnerability

CVE-2023-30988 7.8 - High - July 16, 2023

The IBM i 7.2, 7.3, 7.4, and 7.5 product Facsimile Support for i contains a local privilege escalation vulnerability. A malicious actor with command line access to the host operating system can elevate privileges to gain root access to the host operating system. IBM X-Force ID: 254016.

IBM Performance Tools for i 7.2, 7.3, 7.4, and 7.5 contains a local privilege escalation vulnerability

CVE-2023-30989 7.8 - High - July 16, 2023

IBM Performance Tools for i 7.2, 7.3, 7.4, and 7.5 contains a local privilege escalation vulnerability. A malicious actor with command line access to the host operating system can elevate privileges to gain all object access to the host operating system. IBM X-Force ID: 254017.

IBM Cognos Analytics on Cloud Pak for Data 4.0 could allow an attacker to make system calls

CVE-2023-28953 4.3 - Medium - July 10, 2023

IBM Cognos Analytics on Cloud Pak for Data 4.0 could allow an attacker to make system calls that might compromise the security of the containers due to misconfigured security context. IBM X-Force ID: 251465.

IBM Watson Knowledge Catalog on Cloud Pak for Data 4.0 could allow an authenticated user send a specially crafted request

CVE-2023-28955 6.5 - Medium - July 10, 2023

IBM Watson Knowledge Catalog on Cloud Pak for Data 4.0 could allow an authenticated user send a specially crafted request that could cause a denial of service. IBM X-Force ID: 251704.

IBM Watson Knowledge Catalog on Cloud Pak for Data 4.0 is potentially vulnerable to CSV Injection

CVE-2023-28958 7.8 - High - July 10, 2023

IBM Watson Knowledge Catalog on Cloud Pak for Data 4.0 is potentially vulnerable to CSV Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 251782.

CSV Injection

IBM Cloud Object System 3.15.8.97 is vulnerable to stored cross-site scripting

CVE-2021-39014 5.4 - Medium - July 07, 2023

IBM Cloud Object System 3.15.8.97 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 213650.

XSS

IBM WebSphere Application Server 8.5 and 9.0 could provide weaker than expected security

CVE-2023-35890 5.5 - Medium - July 07, 2023

IBM WebSphere Application Server 8.5 and 9.0 could provide weaker than expected security, caused by the improper encoding in a local configuration file. IBM X-Force ID: 258637.

Use of a Broken or Risky Cryptographic Algorithm

IBM i 7.2, 7.3, 7.4, and 7.5 could allow a remote attacker to execute CL commands as QUSER, caused by an exploitation of DDM architecture

CVE-2023-30990 9.8 - Critical - July 04, 2023

IBM i 7.2, 7.3, 7.4, and 7.5 could allow a remote attacker to execute CL commands as QUSER, caused by an exploitation of DDM architecture. IBM X-Force ID: 254036.

Code Injection

IBM Informix JDBC Driver 4.10 and 4.50 is susceptible to remote code execution attack

CVE-2023-27866 9.8 - Critical - June 28, 2023

IBM Informix JDBC Driver 4.10 and 4.50 is susceptible to remote code execution attack via JNDI injection when driver code or the application using the driver do not verify supplied LDAP URL in Connect String. IBM X-Force ID: 249511.

Code Injection

IBM Cloud Pak for Security (CP4S) 1.9.0.0 through 1.9.2.0 could

CVE-2023-30993 7.5 - High - June 27, 2023

IBM Cloud Pak for Security (CP4S) 1.9.0.0 through 1.9.2.0 could allow an attacker with a valid API key for one tenant to access data from another tenant's account. IBM X-Force ID: 254136.

Information Disclosure

IBM Business Automation Workflow is vulnerable to cross-site scripting

CVE-2023-32339 6.1 - Medium - June 27, 2023

IBM Business Automation Workflow is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 255587.

XSS

IBM Security Directory Suite VA 8.0.1 through 8.0.1.19 could allow a privileged user to upload malicious files of dangerous types

CVE-2022-33166 7.2 - High - June 15, 2023

IBM Security Directory Suite VA 8.0.1 through 8.0.1.19 could allow a privileged user to upload malicious files of dangerous types that can be automatically processed within the product's environment. IBM X-Force ID: 228586.

Unrestricted File Upload

IBM Security Directory Suite VA 8.0.1 through 8.0.1.19 uses an inadequate account lockout setting

CVE-2022-32757 7.5 - High - June 15, 2023

IBM Security Directory Suite VA 8.0.1 through 8.0.1.19 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 228510.

Improper Restriction of Excessive Authentication Attempts

IBM Security Directory Suite VA 8.0.1 through 8.0.1.19 could

CVE-2022-32752 8.8 - High - June 15, 2023

IBM Security Directory Suite VA 8.0.1 through 8.0.1.19 could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request. IBM X-Force ID: 228439.

Shell injection

IBM Security Directory Suite VA 8.0.1 could allow an attacker to cause a denial of service due to uncontrolled resource consumption

CVE-2022-33168 7.5 - High - June 15, 2023

IBM Security Directory Suite VA 8.0.1 could allow an attacker to cause a denial of service due to uncontrolled resource consumption. IBM X-Force ID: 228588.

Resource Exhaustion

IBM Security Directory Suite VA 8.0.1 specifies permissions for a security-critical resource in a way

CVE-2022-33163 8.1 - High - June 15, 2023

IBM Security Directory Suite VA 8.0.1 specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. IBM X-Force ID: 228571.

Incorrect Permission Assignment for Critical Resource