IBM

RT @IBMNews: IBM is proud to be part of @FastCompany's 2021 Best Workplaces for Innovators List. Thank you to all IBMers for your commitmen…
Wed Aug 04 20:47:15 +0000 2021

By the Year

In 2021 there have been 235 vulnerabilities in IBM with an average score of 6.1 out of ten. Last year IBM had 338 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that number of security vulnerabilities in IBM in 2021 could surpass last years number. Last year, the average CVE base score was greater by 0.16

Year	Vulnerabilities	Average Score
2021	235	6.07
2020	338	6.23
2019	438	6.11
2018	306	6.37

It may take a day or so for new IBM vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent IBM Security Vulnerabilities

IBM Jazz Foundation products are vulnerable to cross-site scripting

CVE-2020-5004 5.4 - Medium - July 28, 2021

IBM Jazz Foundation products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 192957.

XSS

IBM Jazz Foundation products are vulnerable to server side request forgery (SSRF)

CVE-2020-4974 6.3 - Medium - July 28, 2021

IBM Jazz Foundation products are vulnerable to server side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 192434.

XSPA

IBM Cloud Pak System 2.3 could allow a local user in some situations to view the artifacts of another user in self service console

CVE-2021-20478 3.3 - Low - July 20, 2021

IBM Cloud Pak System 2.3 could allow a local user in some situations to view the artifacts of another user in self service console. IBM X-Force ID: 197497.

Information Disclosure

IBM Resilient OnPrem v41.1 of IBM Security SOAR could allow an authenticated user to perform actions

CVE-2021-29780 4.7 - Medium - July 19, 2021

IBM Resilient OnPrem v41.1 of IBM Security SOAR could allow an authenticated user to perform actions that they should not have access to due to improper input validation. IBM X-Force ID: 203085.

Improper Input Validation

IBM HMC (Hardware Management Console) V9.1.910.0 and V9.2.950.0 could

CVE-2021-29707 7.8 - High - July 19, 2021

IBM HMC (Hardware Management Console) V9.1.910.0 and V9.2.950.0 could allow a local user to escalate their privileges to root access on a restricted shell. IBM X-Force ID: 200879.

Improper Privilege Management

IBM Jazz Foundation and IBM Engineering products are vulnerable to cross-site scripting

CVE-2021-20507 5.4 - Medium - July 19, 2021

IBM Jazz Foundation and IBM Engineering products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 198235.

XSS

IBM Jazz Foundation and IBM Engineering products are vulnerable to cross-site scripting

CVE-2020-5031 5.4 - Medium - July 19, 2021

XSS

IBM InfoSphere Data Replication 11.4 and IBM InfoSphere Change Data Capture for z/OS 10.2.1, under certain configurations, could

CVE-2020-4821 9.8 - Critical - July 16, 2021

IBM InfoSphere Data Replication 11.4 and IBM InfoSphere Change Data Capture for z/OS 10.2.1, under certain configurations, could allow a user to bypass authentication mechanisms using an empty password string. IBM X-Force ID: 189834

authentification

IBM Secure External Authentication Server 6.0.2 and IBM Secure Proxy 6.0.2 is vulnerable to server-side request forgery (SSRF)

CVE-2021-29749 5.4 - Medium - July 15, 2021

IBM Secure External Authentication Server 6.0.2 and IBM Secure Proxy 6.0.2 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 201777.

XSPA

IBM Security Access Manager 9.0 and IBM Security Verify Access Docker 10.0.0 stores user credentials in plain clear text

CVE-2021-20439 7.5 - High - July 15, 2021

IBM Security Access Manager 9.0 and IBM Security Verify Access Docker 10.0.0 stores user credentials in plain clear text which can be read by an unauthorized user.

Insufficiently Protected Credentials

IBM Cloud Pak for Applications 4.3 could

CVE-2021-20424 4.3 - Medium - July 13, 2021

IBM Cloud Pak for Applications 4.3 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. X-Force ID: 196309.

Generation of Error Message Containing Sensitive Information

IBM Cloud Pak for Applications 4.3 could allow an authenticated user gain escalated privilesges due to improper application permissions

CVE-2021-20423 8.8 - High - July 13, 2021

IBM Cloud Pak for Applications 4.3 could allow an authenticated user gain escalated privilesges due to improper application permissions. IBM X-Force ID: 196308.

Incorrect Permission Assignment for Critical Resource

IBM Cloud Pak for Applications 4.3 could disclose sensitive information to a malicious attacker by accessing data stored in memory

CVE-2021-20422 7.5 - High - July 13, 2021

IBM Cloud Pak for Applications 4.3 could disclose sensitive information to a malicious attacker by accessing data stored in memory. IBM X-Force ID: 196304.

Information Disclosure

IBM Cloud Pak for Applications 4.3 uses weaker than expected cryptographic algorithms

CVE-2021-20369 5.9 - Medium - July 13, 2021

IBM Cloud Pak for Applications 4.3 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 195361.

Inadequate Encryption Strength

IBM Cloud Pak for Applications 4.3 is vulnerable to cross-site scripting

CVE-2021-20368 5.4 - Medium - July 13, 2021

IBM Cloud Pak for Applications 4.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 195357.

XSS

IBM Cloud Pak for Applications 4.3 is vulnerable to cross-site scripting

CVE-2021-20366 5.4 - Medium - July 13, 2021

XSS

IBM Cloud Pak for Applications 4.3 is vulnerable to cross-site scripting

CVE-2021-20365 5.4 - Medium - July 13, 2021

XSS

IBM Cloud Pak for Applications 4.3 is vulnerable to cross-site scripting

CVE-2021-20364 5.4 - Medium - July 13, 2021

XSS

IBM Cloud Pak for Applications 4.3 is vulnerable to cross-site scripting

CVE-2021-20363 5.4 - Medium - July 13, 2021

XSS

IBM Cloud Pak for Applications 4.3 is vulnerable to cross-site scripting

CVE-2021-20362 5.4 - Medium - July 13, 2021

XSS

IBM Cloud Pak for Applications 4.3 is vulnerable to cross-site scripting

CVE-2021-20361 5.4 - Medium - July 13, 2021

XSS

IBM Cloud Pak for Applications 4.3 uses weaker than expected cryptographic algorithms

CVE-2021-20360 7.5 - High - July 13, 2021

IBM Cloud Pak for Applications 4.3 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 195031.

Inadequate Encryption Strength

IBM Guardium Data Encryption (GDE) 3.0.0.2 could

CVE-2021-20414 4.9 - Medium - July 12, 2021

IBM Guardium Data Encryption (GDE) 3.0.0.2 could allow a user to bruce force sensitive information due to not properly limiting the number of interactions. IBM X-Force ID: 196216.

IBM MQ Appliance 9.1 and 9.2 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user

CVE-2020-4938 8.8 - High - July 12, 2021

IBM MQ Appliance 9.1 and 9.2 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 191815.

Session Riding

IBM Tivoli Netcool/Impact 7.1.0.20 and 7.1.0.21 uses an insecure SSH server configuration which enables weaker than expected cryptographic algorithms

CVE-2021-29794 7.5 - High - July 12, 2021

IBM Tivoli Netcool/Impact 7.1.0.20 and 7.1.0.21 uses an insecure SSH server configuration which enables weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 203556.

Inadequate Encryption Strength

IBM Event Streams 10.0, 10.1, 10.2, and 10.3 could

CVE-2021-29792 7.2 - High - July 12, 2021

IBM Event Streams 10.0, 10.1, 10.2, and 10.3 could allow a user the CA private key to create their own certificates and deploy them in the cluster and gain privileges of another user. IBM X-Force ID: 203450.

Improper Privilege Management

IBM Tivoli Netcool/OMNIbus_GUI 8.1.0 is vulnerable to cross-site scripting

CVE-2021-29822 5.4 - Medium - July 12, 2021

IBM Tivoli Netcool/OMNIbus_GUI 8.1.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 204349.

XSS

IBM Tivoli Netcool/OMNIbus_GUI 8.1.0 is vulnerable to stored cross-site scripting

CVE-2021-29805 5.4 - Medium - July 12, 2021

IBM Tivoli Netcool/OMNIbus_GUI 8.1.0 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 204263.

XSS

IBM Tivoli Netcool/OMNIbus_GUI 8.1.0 is vulnerable to stored cross-site scripting

CVE-2021-29804 5.4 - Medium - July 12, 2021

XSS

IBM Tivoli Netcool/OMNIbus_GUI 8.1.0 is vulnerable to stored cross-site scripting

CVE-2021-29803 5.4 - Medium - July 12, 2021

XSS

IBM InfoSphere Information Server 11.7 is vulnerable to SQL injection

CVE-2021-29730 8.8 - High - July 09, 2021

IBM InfoSphere Information Server 11.7 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 201164.

SQL Injection

IBM UrbanCode Deploy (UCD) 6.2.7.3, 6.2.7.4, 6.2.7.8 , 6.2.7.9, 7.0.3.0, 7.0.4.0, 7.0.5.4, 7.1.0.0, 7.1.1.0, 7.1.1.1, and 7.1.1.2 could

CVE-2021-29711 4.3 - Medium - July 08, 2021

IBM UrbanCode Deploy (UCD) 6.2.7.3, 6.2.7.4, 6.2.7.8 , 6.2.7.9, 7.0.3.0, 7.0.4.0, 7.0.5.4, 7.1.0.0, 7.1.1.0, 7.1.1.1, and 7.1.1.2 could allow an authenticated user with certain permissions to initiate an agent upgrade through the CLI interface. IBM X-Force ID: 200965.

Incorrect Permission Assignment for Critical Resource

IBM Guardium Data Encryption (GDE) 4.0.0.4 could

CVE-2021-20417 4.3 - Medium - July 07, 2021

IBM Guardium Data Encryption (GDE) 4.0.0.4 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 196219

Generation of Error Message Containing Sensitive Information

IBM Guardium Data Encryption (GDE) 3.0.0.3 and 4.0.0.4 could

CVE-2021-20416 5.3 - Medium - July 07, 2021

IBM Guardium Data Encryption (GDE) 3.0.0.3 and 4.0.0.4 could allow a remote attacker to obtain sensitive information, caused by the failure to set the HTTPOnly flag. A remote attacker could exploit this vulnerability to obtain sensitive information from the cookie. IBM X-Force ID: 196218.

Exposure of Resource to Wrong Sphere

IBM Guardium Data Encryption (GDE) 4.0.0.4 uses an inadequate account lockout setting

CVE-2021-20415 7.5 - High - July 07, 2021

IBM Guardium Data Encryption (GDE) 4.0.0.4 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 196217.

Insufficiently Protected Credentials

IBM Guardium Data Encryption (GDE) 3.0.0.3 and 4.0.0.4 uses weaker than expected cryptographic algorithms

CVE-2021-20379 7.5 - High - July 07, 2021

IBM Guardium Data Encryption (GDE) 3.0.0.3 and 4.0.0.4 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 195711.

Use of a Broken or Risky Cryptographic Algorithm

IBM Guardium Data Encryption (GDE) 3.0.0.2 and 4.0.0.4 does not invalidate session after logout which could

CVE-2021-20378 8.8 - High - July 07, 2021

IBM Guardium Data Encryption (GDE) 3.0.0.2 and 4.0.0.4 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 195709.

Insufficient Session Expiration

IBM Guardium Data Encryption (GDE) 3.0.0.2 and 4.0.0.4 does not perform any authentication for functionality

CVE-2021-20474 7.5 - High - July 07, 2021

IBM Guardium Data Encryption (GDE) 3.0.0.2 and 4.0.0.4 does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Missing Authentication for Critical Function

IBM App Connect Enterprise Certified Container 1.0, 1.1, 1.2, and 1.3 could

CVE-2021-29759 2.3 - Low - July 07, 2021

IBM App Connect Enterprise Certified Container 1.0, 1.1, 1.2, and 1.3 could allow a privileged user to obtain sensitive information from internal log files. IBM X-Force ID: 202212.

Insertion of Sensitive Information into Log File

IBM Cognos Analytics 10.0 and 11.1 is susceptible to a weakness in the implementation of the System Appearance configuration setting

CVE-2021-20461 6.5 - Medium - June 30, 2021

IBM Cognos Analytics 10.0 and 11.1 is susceptible to a weakness in the implementation of the System Appearance configuration setting. An attacker could potentially bypass business logic to modify the appearance and behavior of the application. IBM X-Force ID: 196770.

AuthZ

IBM Planning Analytics 2.0 could be vulnerable to cross-site request forgery (CSRF) which could allow an attacker to execute malicious and unauthorized actions transmitted from a user

CVE-2021-20580 4.3 - Medium - June 29, 2021

IBM Planning Analytics 2.0 could be vulnerable to cross-site request forgery (CSRF) which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 198241.

Session Riding

IBM Planning Analytics 2.0 is vulnerable to cross-site scripting

CVE-2021-20477 5.4 - Medium - June 29, 2021

IBM Planning Analytics 2.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 196949.

XSS

IBM Security Identity Manager Adapters 6.0 and 7.0 are vulnerable to a heap based buffer overflow, caused by improper bounds

CVE-2021-20494 6.5 - Medium - June 28, 2021

IBM Security Identity Manager Adapters 6.0 and 7.0 are vulnerable to a heap based buffer overflow, caused by improper bounds. An authenticared user could overflow the buffer and cause the service to crash. IBM X-Force ID: 197882.

Memory Corruption

IBM Guardium Data Encryption (GDE) 4.0.0.4 could

CVE-2021-20413 4.3 - Medium - June 28, 2021

Generation of Error Message Containing Sensitive Information

IBM Business Automation Workflow 18.0, 19.0, and 20.0 and IBM Business Process Manager 8.5 and 8.6 could

CVE-2021-29751 4.3 - Medium - June 28, 2021

IBM Business Automation Workflow 18.0, 19.0, and 20.0 and IBM Business Process Manager 8.5 and 8.6 could allow an authenticated user to obtain sensitive information about another user under nondefault configurations. IBM X-Force ID: 201779.

AuthZ

IBM AIX 7.1, 7.2, and VIOS 3.1 could allow a local user

CVE-2021-29693 4.4 - Medium - June 28, 2021

IBM AIX 7.1, 7.2, and VIOS 3.1 could allow a local user that is in the with elevated group privileges to cause a denial of service due to a vulnerability in the lpd daemon. IBM X-Force ID: 200255.

Improper Privilege Management

IBM Business Automation Workflow 19.0.03 and 20.0 and IBM Cloud Pak for Automation 20.0.3-IF002 and 21.0.1 are vulnerable to cross-site scripting

CVE-2021-29775 5.4 - Medium - June 28, 2021

IBM Business Automation Workflow 19.0.03 and 20.0 and IBM Cloud Pak for Automation 20.0.3-IF002 and 21.0.1 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 203029.

XSS

IBM Security Identity Manager Adapters 6.0 and 7.0 could allow a remote authenticated attacker to conduct an LDAP injection

CVE-2021-20574 8.8 - High - June 28, 2021

IBM Security Identity Manager Adapters 6.0 and 7.0 could allow a remote authenticated attacker to conduct an LDAP injection. By using a specially crafted request, an attacker could exploit this vulnerability and takeover other accounts. IBM X-Force ID: 199252.

Injection

IBM Security Secret Server (IBM Security Verify Privilege Manager 10.8.2 ) could

CVE-2020-4610 7.8 - High - June 25, 2021

IBM Security Secret Server (IBM Security Verify Privilege Manager 10.8.2 ) could allow a local user to execute code due to improper integrity checks. IBM X-Force ID: 184919.

Improper Validation of Integrity Check Value

IBM Security Sevret Server (IBM Security Verify Privilege Manager 10.8.2) is vulnerable to a buffer overflow

CVE-2020-4609 7.8 - High - June 25, 2021

IBM Security Sevret Server (IBM Security Verify Privilege Manager 10.8.2) is vulnerable to a buffer overflow, caused by improper bounds checking. A local attacker could overflow a buffer and execute arbitrary code on the system or cause the system to crash. IBM X-Force ID: 184917.

Classic Buffer Overflow

IBM Security Verify (IBM Security Verify Privilege Vault 10.9.66) is vulnerable to cross-site scripting

CVE-2021-29677 5.4 - Medium - June 25, 2021

IBM Security Verify (IBM Security Verify Privilege Vault 10.9.66) is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

XSS

IBM Security Verify (IBM Security Verify Privilege Vault 10.9.66) is vulnerable to link injection

CVE-2021-29676 5.4 - Medium - June 25, 2021

IBM Security Verify (IBM Security Verify Privilege Vault 10.9.66) is vulnerable to link injection. By persuading a victim to click on a specially-crafted URL link, a remote attacker could exploit this vulnerability to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking

Injection

IBM Security Verify (IBM Security Verify Privilege Vault 10.9.66) could disclose sensitive information through an HTTP GET request by a privileged user due to improper input validation

CVE-2021-20583 4.9 - Medium - June 25, 2021

IBM Security Verify (IBM Security Verify Privilege Vault 10.9.66) could disclose sensitive information through an HTTP GET request by a privileged user due to improper input validation.. IBM X-Force ID: 199396.

Improper Input Validation

IBM AIX 7.1 could allow a non-privileged local user to exploit a vulnerability in the trace facility to expose sensitive information or cause a denial of service

CVE-2021-29706 7.1 - High - June 17, 2021

IBM AIX 7.1 could allow a non-privileged local user to exploit a vulnerability in the trace facility to expose sensitive information or cause a denial of service. IBM X-Force ID: 200663.

IBM Financial Transaction Manager 3.0.2 and 3.2.4 is vulnerable to cross-site scripting

CVE-2020-5000 5.4 - Medium - June 15, 2021

IBM Financial Transaction Manager 3.0.2 and 3.2.4 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 192952.

XSS

IBM QRadar Analyst Workflow App 1.0 through 1.18.0 for IBM QRadar SIEM

CVE-2021-20396 3.3 - Low - June 11, 2021

IBM QRadar Analyst Workflow App 1.0 through 1.18.0 for IBM QRadar SIEM allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 196009.

Insecure Storage of Sensitive Information

IBM Financial Transaction Manager 3.2.4 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data

CVE-2020-5003 9.1 - Critical - June 11, 2021

IBM Financial Transaction Manager 3.2.4 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 192956.

XXE

IBM WebSphere Application Server Network Deployment 8.5 and 9.0 could allow a remote authenticated attacker to traverse directories

CVE-2021-20517 8.8 - High - June 07, 2021

IBM WebSphere Application Server Network Deployment 8.5 and 9.0 could allow a remote authenticated attacker to traverse directories. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to read and delete arbitrary files on the system. IBM X-Force ID: 198435.

Directory traversal

IBM DataPower Gateway 10.0.0.0 through 10.0.1.0 and 2018.4.1.0 through 2018.4.1.14 stores sensitive information in GET request parameters

CVE-2020-5008 5.3 - Medium - June 07, 2021

IBM DataPower Gateway 10.0.0.0 through 10.0.1.0 and 2018.4.1.0 through 2018.4.1.14 stores sensitive information in GET request parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. IBM X-Force ID: 193033.

Insecure Storage of Sensitive Information

IBM QRadar Advisor With Watson App 1.1 through 2.5 as used on IBM QRadar SIEM 7.4 could allow a remote user to obtain sensitive information from HTTP requests

CVE-2021-20380 7.5 - High - June 03, 2021

IBM QRadar Advisor With Watson App 1.1 through 2.5 as used on IBM QRadar SIEM 7.4 could allow a remote user to obtain sensitive information from HTTP requests that could aid in further attacks against the system. IBM X-Force ID: 195712.

IBM Jazz Foundation and IBM Engineering products are vulnerable to cross-site scripting

CVE-2021-29670 5.4 - Medium - June 02, 2021

XSS

IBM Jazz Foundation and IBM Engineering products are vulnerable to cross-site scripting

CVE-2021-29668 5.4 - Medium - June 02, 2021

XSS

IBM Jazz Foundation and IBM Engineering products could

CVE-2021-20371 6.5 - Medium - June 02, 2021

IBM Jazz Foundation and IBM Engineering products could allow a remote attacker to obtain sensitive information when an error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 195516.

Generation of Error Message Containing Sensitive Information

IBM Jazz Foundation and IBM Engineering products are vulnerable to server-side request forgery (SSRF)

CVE-2021-20348 5.4 - Medium - June 02, 2021

IBM Jazz Foundation and IBM Engineering products are vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-ForceID: 194597.

XSPA

IBM Jazz Foundation and IBM Engineering products are vulnerable to server-side request forgery (SSRF)

CVE-2021-20347 5.4 - Medium - June 02, 2021

XSPA

IBM Jazz Foundation and IBM Engineering products are vulnerable to server-side request forgery (SSRF)

CVE-2021-20346 5.4 - Medium - June 02, 2021

XSPA

IBM Jazz Foundation and IBM Engineering products are vulnerable to server-side request forgery (SSRF)

CVE-2021-20345 5.4 - Medium - June 02, 2021

XSPA

IBM Jazz Foundation and IBM Engineering products are vulnerable to server-side request forgery (SSRF)

CVE-2021-20343 5.4 - Medium - June 02, 2021

XSPA

IBM Jazz Foundation and IBM Engineering products are vulnerable to cross-site scripting

CVE-2021-20338 5.4 - Medium - June 02, 2021

XSS

IBM Jazz Foundation and IBM Engineering products are vulnerable to cross-site scripting

CVE-2020-5030 5.4 - Medium - June 02, 2021

XSS

IBM Engineering Lifecycle Optimization - Publishing is vulnerable to stored cross-site scripting

CVE-2020-4977 5.4 - Medium - June 02, 2021

IBM Engineering Lifecycle Optimization - Publishing is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 192470.

XSS

IBM Jazz Foundation and IBM Engineering products could

CVE-2020-4732 6.5 - Medium - June 02, 2021

IBM Jazz Foundation and IBM Engineering products could allow an authenticated user to obtain sensitive information due to lack of security restrictions. IBM X-Force ID: 188126.

Information Disclosure

IBM Jazz Foundation and IBM Engineering products could

CVE-2020-4495 8.8 - High - June 02, 2021

IBM Jazz Foundation and IBM Engineering products could allow a remote attacker to bypass security restrictions, caused by improper access control. By sending a specially-crafted request to the REST API, an attacker could exploit this vulnerability to bypass access restrictions, and execute arbitrary actions with administrative privileges. IBM X-Force ID: 182114.

AuthZ

IBM Cognos Analytics 11.0 and 11.1 could allow a remote attacker to inject malicious HTML code

CVE-2020-4520 8.8 - High - June 01, 2021

IBM Cognos Analytics 11.0 and 11.1 could allow a remote attacker to inject malicious HTML code that when viewed by the authenticated victim would execute the code. IBM X-Force ID: 182395.

Code Injection

IBM Cognos Analytics 11.0 and 11.1 could

CVE-2019-4722 4.3 - Medium - June 01, 2021

IBM Cognos Analytics 11.0 and 11.1 could allow a remote attacker to obtain sensitive information via a stack trace due to mishandling of certain error conditions. IBM X-Force ID: 172128.

Information Disclosure

IBM Cognos Analytics 11.0 and 11.1 DQM API allows submitting of all control requests in unauthenticated sessions

CVE-2020-4561 10 - Critical - June 01, 2021

IBM Cognos Analytics 11.0 and 11.1 DQM API allows submitting of all control requests in unauthenticated sessions. This allows a remote attacker who can access a valid CA endpoint to read and write files to the Cognos Analytics system. IBM X-Force ID: 183903.

Inclusion of Functionality from Untrusted Control Sphere

IBM Cognos Analytics 11.0 and 11.1 is vulnerable to cross-site scripting

CVE-2020-4354 5.4 - Medium - June 01, 2021

IBM Cognos Analytics 11.0 and 11.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 178506.

XSS

IBM Cognos Analytics 11.0 and 11.1 could

CVE-2019-4724 7.5 - High - June 01, 2021

IBM Cognos Analytics 11.0 and 11.1 could allow a remote attacker to obtain credentials from a user's browser via incorrect autocomplete settings in New Content Backup page. IBM X-Force ID: 172130.

Insufficiently Protected Credentials

IBM Cognos Analytics 11.0 and 11.1 could

CVE-2019-4723 7.5 - High - June 01, 2021

IBM Cognos Analytics 11.0 and 11.1 could allow a remote attacker to obtain credentials from a user's browser via incorrect autocomplete settings in New Data Server Connection page. IBM X-Force ID: 172129.

Insufficiently Protected Credentials

IBM Cognos Analytics 11.0 and 11.1 is vulnerable to cross-site scripting

CVE-2019-4653 5.4 - Medium - June 01, 2021

XSS

IBM Cognos Analytics 11.0 and 11.1 could

CVE-2019-4471 6.5 - Medium - June 01, 2021

IBM Cognos Analytics 11.0 and 11.1 could allow a remote attacker to obtain sensitive information, caused by the failure to set the secure flag for a sensitive cookie in an HTTPS session. A remote attacker could exploit this vulnerability to obtain sensitive information. IBM X-Force ID: 163780.

Information Disclosure

IBM Cognos Analytics 11.0 and 11.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data

CVE-2020-4300 8.2 - High - June 01, 2021

IBM Cognos Analytics 11.0 and 11.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 176607.

XXE

IBM Cognos Analytics 11.0 and 11.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data

CVE-2019-4730 7.1 - High - June 01, 2021

XXE

IBM Security Verify Access 20.07 could disclose sensitive information in HTTP server headers

CVE-2021-20585 5.3 - Medium - June 01, 2021

IBM Security Verify Access 20.07 could disclose sensitive information in HTTP server headers that could be used in further attacks against the system. IBM X-Force ID: 199398.

Information Disclosure

IBM Security Verify Access 20.07 could allow a remote attacker to send a specially crafted HTTP GET request

CVE-2021-20576 7.5 - High - June 01, 2021

IBM Security Verify Access 20.07 could allow a remote attacker to send a specially crafted HTTP GET request that could cause the application to crash.

IBM Security Verify Access 20.07 allows web pages to be stored locally which can be read by another user on the system

CVE-2021-20575 3.3 - Low - June 01, 2021

IBM Security Verify Access 20.07 allows web pages to be stored locally which can be read by another user on the system. X-Force ID: 199278.

Insecure Storage of Sensitive Information

IBM Spectrum Scale 5.0.0 through 5.0.5.6 and 5.1.0 through 5.1.0.3 system core component is affected by a format string security vulnerability

CVE-2021-29740 7.8 - High - June 01, 2021

IBM Spectrum Scale 5.0.0 through 5.0.5.6 and 5.1.0 through 5.1.0.3 system core component is affected by a format string security vulnerability. An attacker could execute arbitrary code in the context of process memory, potentially escalating their system privileges and taking control over the entire system with root access. IBM X-Force ID: 201474.

Use of Externally-Controlled Format String

IBM Security Verify Access 20.07 is vulnerable to a stack based buffer overflow, caused by improper bounds checking which could

CVE-2021-29665 7.8 - High - June 01, 2021

IBM Security Verify Access 20.07 is vulnerable to a stack based buffer overflow, caused by improper bounds checking which could allow a local attacker to execute arbitrary code on the system with elevated privileges.

Memory Corruption

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 could

CVE-2019-4588 7.8 - High - May 26, 2021

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 could allow a local user to execute arbitrary code and conduct DLL hijacking attacks.

DLL preloading

IBM WebSphere Application Server 8.0

CVE-2021-20492 8.2 - High - May 26, 2021

IBM WebSphere Application Server 8.0, 8.5, 9.0, and Liberty Java Batch is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 197793.

XXE

IBM Spectrum Scale 5.1.0.1 could allow a local with access to the GUI pod container to obtain sensitive cryptographic keys

CVE-2021-29708 6.7 - Medium - May 25, 2021

IBM Spectrum Scale 5.1.0.1 could allow a local with access to the GUI pod container to obtain sensitive cryptographic keys that could allow them to elevate their privileges. IBM X-Force ID: 200883.

Improper Privilege Management

IBM Security Guardium 11.2 is vulnerable to cross-site scripting

CVE-2021-20386 6.1 - Medium - May 24, 2021

IBM Security Guardium 11.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 195767.

XSS

IBM Security Guardium 11.2 could allow a remote authenticated attacker to execute arbitrary commands on the system

CVE-2021-20385 7.2 - High - May 24, 2021

IBM Security Guardium 11.2 could allow a remote authenticated attacker to execute arbitrary commands on the system. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the system. IBM X-Force ID: 195766.

IBM Security Guardium 11.2 is vulnerable to SQL injection

CVE-2020-4990 8.8 - High - May 24, 2021

IBM Security Guardium 11.2 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 192710.

SQL Injection

IBM Spectrum Scale 1.1.1.0 through 1.1.8.4 Transparent Cloud Tiering could

CVE-2020-4850 7.5 - High - May 20, 2021

IBM Spectrum Scale 1.1.1.0 through 1.1.8.4 Transparent Cloud Tiering could allow a remote attacker to obtain sensitive information, caused by the leftover files after configuration. IBM X-Force ID: 190298.

Output Sanitization

IBM Control Center 6.2.0.0 could allow a user to obtain sensitive version information

CVE-2021-20529 5.3 - Medium - May 19, 2021

IBM Control Center 6.2.0.0 could allow a user to obtain sensitive version information that could be used in further attacks against the system. IBM X-Force ID: 198763.

Information Disclosure

IBM Control Center 6.2.0.0 is vulnerable to cross-site scripting

CVE-2021-20528 5.4 - Medium - May 19, 2021

IBM Control Center 6.2.0.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 198761.

XSS

IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 5.2.6.5, 6.0.0.0 through 6.0.3.3, and 6.1.0.0 through 6.1.0.2 could

CVE-2020-4646 4.3 - Medium - May 19, 2021

IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 5.2.6.5, 6.0.0.0 through 6.0.3.3, and 6.1.0.0 through 6.1.0.2 could allow an authenticated user to view pages they shoiuld not have access to due to improper authorization control.

AuthZ

IBM Maximo Asset Management 7.6.0 and 7.6.1 is vulnerable to stored cross-site scripting

CVE-2021-20374 5.4 - Medium - May 19, 2021

IBM Maximo Asset Management 7.6.0 and 7.6.1 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 195522.

XSS

IBM Cloud Pak for Multicloud Management prior to 2.3 allows web pages to be stored locally which can be read by another user on the system

CVE-2020-4765 3.3 - Low - May 19, 2021

IBM Cloud Pak for Multicloud Management prior to 2.3 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 188902.

Insecure Storage of Sensitive Information