IBM
Products by IBM Sorted by Most Security Vulnerabilities since 2018
Known Exploited IBM Vulnerabilities
The following IBM vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.
Title | Description | Added |
---|---|---|
IBM Aspera Faspex Code Execution Vulnerability | IBM Aspera Faspex could allow a remote attacker to execute code on the system, caused by a YAML deserialization flaw. CVE-2022-47986 | February 21, 2023 |
IBM InfoSphere BigInsights Invalid Input Vulnerability | Certain APIs within BigInsights can take invalid input that might allow attackers unauthorized access to read, write, modify, or delete data. CVE-2013-3993 | May 25, 2022 |
IBM WebSphere Application Server and Server Hypervisor Edition Code Injection | Serialized-object interfaces in certain IBM analytics, business solutions, cognitive, IT infrastructure, and mobile and social products allow remote attackers to execute arbitrary commands. CVE-2015-7450 | January 10, 2022 |
IBM Data Risk Manager Arbitrary File Download | IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, and 2.0.4 could allow a remote authenticated attacker to traverse directories on the system. An attacker could send a specially-crafted URL request to download arbitrary files from the system. IBM X-Force ID: 180535. CVE-2020-4430 | November 3, 2021 |
IBM Data Risk Manager Authentication Bypass | IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, and 2.0.6 could allow a remote attacker to bypass security restrictions when configured with SAML authentication. By sending a specially crafted HTTP request, an attacker could exploit this vulnerability to bypass the authentication process and gain full administrative access to the system. IBM X-Force ID: 180532. CVE-2020-4427 | November 3, 2021 |
IBM Data Risk Manager Command Injection | IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, and 2.0.4 could allow a remote authenticated attacker to execute arbitrary commands on the system. IBM X-Force ID: 180533. CVE-2020-4428 | November 3, 2021 |
IBM Planning Analytics configuration overwrite vulnerability | IBM Planning Analytics 2.0.0 through 2.0.8 is vulnerable to a configuration overwrite that allows an unauthenticated user to login as "admin", and then execute code as root or SYSTEM via TM1 scripting. IBM X-Force ID: 172094. CVE-2019-4716 | November 3, 2021 |
By the Year
In 2023 there have been 191 vulnerabilities in IBM products with an average score of 6.9 out of ten. Last year IBM had 266 security vulnerabilities published. Right now, IBM is on track to have fewer security vulnerabilities in 2023 than it did last year. However, the average CVE base score of the vulnerabilities in 2023 is greater by 0.54.
Year | Vulnerabilities | Average Score |
---|---|---|
2023 | 191 | 6.93 |
2022 | 266 | 6.39 |
2021 | 373 | 6.05 |
2020 | 339 | 6.23 |
2019 | 439 | 6.09 |
2018 | 307 | 6.37 |
It may take a day or so for new IBM vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent IBM Security Vulnerabilities
IBM QRadar SIEM 7.5.0 is vulnerable to cross-site scripting
CVE-2023-43057
5.4 - Medium
- November 11, 2023
IBM QRadar SIEM 7.5.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 267484.
IBM AIX's 7.3 Python implementation could allow a non-privileged local user to exploit a vulnerability to cause a denial of service
CVE-2023-45167
5.5 - Medium
- November 10, 2023
IBM AIX's 7.3 Python implementation could allow a non-privileged local user to exploit a vulnerability to cause a denial of service. IBM X-Force ID: 267965.
A vulnerability in IBM Robotic Process Automation and IBM Robotic Process Automation for Cloud Pak 21.0.0 through 21.0.7.10, 23.0.0 through 23.0.10 may result in access to client vault credentials
CVE-2023-45189
6.5 - Medium
- November 03, 2023
A vulnerability in IBM Robotic Process Automation and IBM Robotic Process Automation for Cloud Pak 21.0.0 through 21.0.7.10, 23.0.0 through 23.0.10 may result in access to client vault credentials. This difficult-to-exploit vulnerability could allow a low-privileged attacker to programmatically access client vault credentials. IBM X-Force ID: 268752.
IBM MQ Appliance 9.3 CD could allow a local attacker to gain elevated privileges on the system
CVE-2023-46176
7.8 - High
- November 03, 2023
IBM MQ Appliance 9.3 CD could allow a local attacker to gain elevated privileges on the system, caused by improper validation of security keys. IBM X-Force ID: 269535.
Management Central as part of IBM i 7.2, 7.3, 7.4, and 7.5 Navigator contains a local privilege escalation vulnerability
CVE-2023-40685
7.8 - High
- October 29, 2023
Management Central as part of IBM i 7.2, 7.3, 7.4, and 7.5 Navigator contains a local privilege escalation vulnerability. A malicious actor with command line access to the operating system can exploit this vulnerability to elevate privileges to gain root access to the operating system. IBM X-Force ID: 264116.
Improper Privilege Management
Management Central as part of IBM i 7.2, 7.3, 7.4, and 7.5 Navigator contains a local privilege escalation vulnerability
CVE-2023-40686
7.8 - High
- October 29, 2023
Management Central as part of IBM i 7.2, 7.3, 7.4, and 7.5 Navigator contains a local privilege escalation vulnerability. A malicious actor with command line access to the operating system can exploit this vulnerability to elevate privileges to gain component access to the operating system. IBM X-Force ID: 264114.
Improper Privilege Management
IBM QRadar SIEM 7.5 is vulnerable to information exposure
CVE-2023-43041
4.9 - Medium
- October 29, 2023
IBM QRadar SIEM 7.5 is vulnerable to information exposure allowing a delegated Admin tenant user with a specific domain security profile assigned to see data from other domains. This vulnerability is due to an incomplete fix for CVE-2022-34352. IBM X-Force ID: 266808.
IBM WebSphere Application Server Liberty 23.0.0.9 through 23.0.0.10 could provide weaker than expected security due to improper resource expiration handling
CVE-2023-46158
9.8 - Critical
- October 25, 2023
IBM WebSphere Application Server Liberty 23.0.0.9 through 23.0.0.10 could provide weaker than expected security due to improper resource expiration handling. IBM X-Force ID: 268775.
Insufficient Session Expiration
IBM Security Verify Governance 10.0 contains hard-coded credentials, such as a password or cryptographic key
CVE-2022-22466
9.8 - Critical
- October 23, 2023
IBM Security Verify Governance 10.0 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 225222.
Use of Hard-coded Credentials
IBM Security Verify Governance 10.0 does not encrypt sensitive or critical information before storage or transmission
CVE-2023-33837
7.5 - High
- October 23, 2023
IBM Security Verify Governance 10.0 does not encrypt sensitive or critical information before storage or transmission. IBM X-Force ID: 256020.
Missing Encryption of Sensitive Data
IBM Security Verify Governance 10.0 could allow a remote authenticated attacker to execute arbitrary commands on the system
CVE-2023-33839
8.8 - High
- October 23, 2023
IBM Security Verify Governance 10.0 could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request. IBM X-Force ID: 256036.
Shell injection
IBM Security Verify Governance 10.0 is vulnerable to cross-site scripting
CVE-2023-33840
4.8 - Medium
- October 23, 2023
IBM Security Verify Governance 10.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 256037.
XSS
IBM Sterling Partner Engagement Manager 6.1.2, 6.2.0, and 6.2.2 is vulnerable to stored cross-site scripting
CVE-2023-38722
5.4 - Medium
- October 23, 2023
IBM Sterling Partner Engagement Manager 6.1.2, 6.2.0, and 6.2.2 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 262174.
XSS
IBM Sterling Partner Engagement Manager 6.1.2, 6.2.0, and 6.2.2 could allow a remote user to perform unauthorized actions due to improper authentication
CVE-2023-43045
7.5 - High
- October 23, 2023
IBM Sterling Partner Engagement Manager 6.1.2, 6.2.0, and 6.2.2 could allow a remote user to perform unauthorized actions due to improper authentication. IBM X-Force ID: 266896.
Missing Authentication for Critical Function
IBM Cognos Dashboards on Cloud Pak for Data 4.7.0 exposes sensitive information in environment variables
CVE-2023-38276
7.5 - High
- October 22, 2023
IBM Cognos Dashboards on Cloud Pak for Data 4.7.0 exposes sensitive information in environment variables which could aid in further attacks against the system. IBM X-Force ID: 260736.
Cleartext Transmission of Sensitive Information
IBM Cognos Dashboards on Cloud Pak for Data 4.7.0 could allow a remote attacker to bypass security restrictions, caused by a reverse tabnabbing flaw
CVE-2023-38735
6.5 - Medium
- October 22, 2023
IBM Cognos Dashboards on Cloud Pak for Data 4.7.0 could allow a remote attacker to bypass security restrictions, caused by a reverse tabnabbing flaw. An attacker could exploit this vulnerability and redirect a victim to a phishing site. IBM X-Force ID: 262482.
Authentication
IBM Cognos Dashboards on Cloud Pak for Data 4.7.0 exposes sensitive information in container images
CVE-2023-38275
7.5 - High
- October 22, 2023
IBM Cognos Dashboards on Cloud Pak for Data 4.7.0 exposes sensitive information in container images which could lead to further attacks against the system. IBM X-Force ID: 260730.
Cleartext Transmission of Sensitive Information
IBM HMC (Hardware Management Console) 10.1.1010.0 and 10.2.1030.0 could allow a local user to escalate their privileges to root access on a restricted shell
CVE-2023-38280
7.8 - High
- October 16, 2023
IBM HMC (Hardware Management Console) 10.1.1010.0 and 10.2.1030.0 could allow a local user to escalate their privileges to root access on a restricted shell. IBM X-Force ID: 260740.
Improper Privilege Management
IBM Security Verify Governance 10.0 contains hard-coded credentials, such as a password or cryptographic key
CVE-2023-33836
9.8 - Critical
- October 16, 2023
IBM Security Verify Governance 10.0 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 256016.
Use of Hard-coded Credentials
Backup, Recovery, and Media Services (BRMS) for IBM i 7.2, 7.3, and 7.4 contains a local privilege escalation vulnerability
CVE-2023-40377
7.8 - High
- October 16, 2023
Backup, Recovery, and Media Services (BRMS) for IBM i 7.2, 7.3, and 7.4 contains a local privilege escalation vulnerability. A malicious actor with command line access to the host operating system can elevate privileges to gain component access to the host operating system. IBM X-Force ID: 263583.
IBM Security Verify Governance 10.0, Identity Manager could allow a local privileged user to obtain sensitive information from source code
CVE-2023-35013
4.4 - Medium
- October 16, 2023
IBM Security Verify Governance 10.0, Identity Manager could allow a local privileged user to obtain sensitive information from source code. IBM X-Force ID: 257769.
Exposure of Resource to Wrong Sphere
IBM Security Verify Governance 10.0 could allow a privileged user to upload arbitrary files due to improper file validation
CVE-2023-35018
7.2 - High
- October 16, 2023
IBM Security Verify Governance 10.0 could allow a privileged user to upload arbitrary files due to improper file validation. IBM X-Force ID: 259382.
Unrestricted File Upload
IBM Directory Server for IBM i contains a local privilege escalation vulnerability
CVE-2023-40378
7.8 - High
- October 15, 2023
IBM Directory Server for IBM i contains a local privilege escalation vulnerability. A malicious actor with command line access to the host operating system can elevate privileges to gain component access to the host operating system. IBM X-Force ID: 263584.
IBM App Connect Enterprise 11.0.0.1 through 11.0.0.23, 12.0.1.0 through 12.0.10.0 and IBM Integration Bus 10.1 through 10.1.0.1 are vulnerable to a denial of service for integration nodes on Windows
CVE-2023-45176
5.5 - Medium
- October 14, 2023
IBM App Connect Enterprise 11.0.0.1 through 11.0.0.23, 12.0.1.0 through 12.0.10.0 and IBM Integration Bus 10.1 through 10.1.0.1 are vulnerable to a denial of service for integration nodes on Windows. IBM X-Force ID: 247998.
IBM Security Verify Access OIDC Provider could allow a remote user to cause a denial of service due to uncontrolled resource consumption
CVE-2022-43740
7.5 - High
- October 14, 2023
IBM Security Verify Access OIDC Provider could allow a remote user to cause a denial of service due to uncontrolled resource consumption. IBM X-Force ID: 238921.
Resource Exhaustion
IBM Security Verify Access OIDC Provider could disclose directory information
CVE-2022-43868
5.3 - Medium
- October 14, 2023
IBM Security Verify Access OIDC Provider could disclose directory information that could aid attackers in further attacks against the system. IBM X-Force ID: 239445.
IBM Cloud Pak for Business Automation 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, and 22.0.2 is vulnerable to cross-site scripting
CVE-2023-35024
7.6 - High
- October 14, 2023
IBM Cloud Pak for Business Automation 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, and 22.0.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 258349.
XSS
IBM Security Directory Server 6.4.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data
CVE-2022-32755
9.1 - Critical
- October 14, 2023
IBM Security Directory Server 6.4.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 228505.
XXE
IBM Security Directory Server 6.4.0 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security
CVE-2022-33161
5.9 - Medium
- October 14, 2023
IBM Security Directory Server 6.4.0 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man-in-the-middle techniques. IBM X-Force ID: 228569.
Missing Encryption of Sensitive Data
IBM Security Directory Server 6.4.0 could allow a remote attacker to traverse directories on the system
CVE-2022-33165
7.5 - High
- October 14, 2023
IBM Security Directory Server 6.4.0 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 228582.
Directory traversal
IBM App Connect Enterprise 12.0.1.0 through 12.0.8.0 contains an unspecified vulnerability
CVE-2023-40682
4.4 - Medium
- October 13, 2023
IBM App Connect Enterprise 12.0.1.0 through 12.0.8.0 contains an unspecified vulnerability that could allow a local privileged user to obtain sensitive information from API logs. IBM X-Force ID: 263833.
Insertion of Sensitive Information into Log File
IBM Security Directory Suite 8.0.1 uses weaker than expected cryptographic algorithms
CVE-2022-33160
7.5 - High
- October 06, 2023
IBM Security Directory Suite 8.0.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 228568.
Use of a Broken or Risky Cryptographic Algorithm
IBM Jazz Foundation (IBM Engineering Lifecycle Management 6.0.6, 6.0.6.1, 7.0, 7.0.1, and 7.0.2) could disclose sensitive version information to a user
CVE-2022-34355
5.5 - Medium
- October 06, 2023
IBM Jazz Foundation (IBM Engineering Lifecycle Management 6.0.6, 6.0.6.1, 7.0, 7.0.1, and 7.0.2) could disclose sensitive version information to a user that could be used in further attacks against the system. IBM X-Force ID: 230498.
IBM Spectrum Protect Client and IBM Storage Protect for Virtual Environments 8.1.0.0 through 8.1.19.0 could allow a local user to execute arbitrary code on the system using a specially crafted file, caused by a DLL hijacking flaw
CVE-2023-35897
7.8 - High
- October 06, 2023
IBM Spectrum Protect Client and IBM Storage Protect for Virtual Environments 8.1.0.0 through 8.1.19.0 could allow a local user to execute arbitrary code on the system using a specially crafted file, caused by a DLL hijacking flaw. IBM X-Force ID: 259246.
DLL preloading
IBM Content Navigator 3.0.11, 3.0.13, and 3.0.14 with IBM Daeja ViewOne Virtual is vulnerable to cross-site scripting
CVE-2023-40684
5.4 - Medium
- October 04, 2023
IBM Content Navigator 3.0.11, 3.0.13, and 3.0.14 with IBM Daeja ViewOne Virtual is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 264019.
XSS
IBM UrbanCode Deploy (UCD) 7.1 - 7.1.2.12, 7.2 through 7.2.3.5, and 7.3 through 7.3.2.0 under certain configurations could allow an authenticated user to make changes to environment variables due to improper authentication controls
CVE-2023-40376
6.5 - Medium
- October 04, 2023
IBM UrbanCode Deploy (UCD) 7.1 - 7.1.2.12, 7.2 through 7.2.3.5, and 7.3 through 7.3.2.0 under certain configurations could allow an authenticated user to make changes to environment variables due to improper authentication controls. IBM X-Force ID: 263581.
Authentication
IBM Observability with Instana 1.0.243 through 1.0.254 could allow an attacker on the network to execute arbitrary code on the host after a successful DNS poisoning attack
CVE-2023-37404
9.8 - Critical
- October 04, 2023
IBM Observability with Instana 1.0.243 through 1.0.254 could allow an attacker on the network to execute arbitrary code on the host after a successful DNS poisoning attack. IBM X-Force ID: 259789.
IBM FileNet Content Manager 5.5.8, 5.5.10, and 5.5.11 is vulnerable to cross-site scripting
CVE-2023-35905
5.4 - Medium
- October 04, 2023
IBM FileNet Content Manager 5.5.8, 5.5.10, and 5.5.11 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 259384.
XSS
IBM Disconnected Log Collector 1.0 through 1.8.2 is vulnerable to potential security misconfigurations
CVE-2022-22447
7.5 - High
- October 04, 2023
IBM Disconnected Log Collector 1.0 through 1.8.2 is vulnerable to potential security misconfigurations that could disclose unintended information. IBM X-Force ID: 224648.
IBM License Metric Tool 9.2 could allow a remote attacker to traverse directories on the system
CVE-2023-43044
7.5 - High
- September 28, 2023
IBM License Metric Tool 9.2 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 266893.
Directory traversal
Integrated application server for IBM i 7.2, 7.3, 7.4, and 7.5 contains a local privilege escalation vulnerability
CVE-2023-40375
7.8 - High
- September 28, 2023
Integrated application server for IBM i 7.2, 7.3, 7.4, and 7.5 contains a local privilege escalation vulnerability. A malicious actor with command line access to the host operating system can elevate privileges to gain root access to the host operating system. IBM X-Force ID: 263580.
Improper Privilege Management
IBM Personal Communications 14.05, 14.06, and 15.0.0 could allow a local user to escalate their privileges to the SYSTEM user due to overly permissive access controls
CVE-2023-37410
7.8 - High
- September 20, 2023
IBM Personal Communications 14.05, 14.06, and 15.0.0 could allow a local user to escalate their privileges to the SYSTEM user due to overly permissive access controls. IBM X-Force ID: 260138.
IBM Robotic Process Automation 21.0.0 through 21.0.7.8 could disclose sensitive information
CVE-2023-38718
5.3 - Medium
- September 20, 2023
IBM Robotic Process Automation 21.0.0 through 21.0.7.8 could disclose sensitive information from access to RPA scripts, workflows and related data. IBM X-Force ID: 261606.
IBM Storage Protect 8.1.0.0 through 8.1.19.0 could allow a privileged user to obtain sensitive information from the administrative command line client
CVE-2023-40368
4.4 - Medium
- September 20, 2023
IBM Storage Protect 8.1.0.0 through 8.1.19.0 could allow a privileged user to obtain sensitive information from the administrative command line client. IBM X-Force ID: 263456.
IBM Maximo Application Suite 8.9, 8.10 and IBM Maximo Asset Management 7.6.1.2, 7.6.1.3 are vulnerable to HTML injection
CVE-2023-32332
5.4 - Medium
- September 08, 2023
IBM Maximo Application Suite 8.9, 8.10 and IBM Maximo Asset Management 7.6.1.2, 7.6.1.3 are vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. IBM X-Force ID: 255072.
XSS
IBM Security Directory Server 7.2.0 could allow a remote attacker to traverse directories on the system
CVE-2022-33164
9.1 - Critical
- September 08, 2023
IBM Security Directory Server 7.2.0 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view or write to arbitrary files on the system. IBM X-Force ID: 228579.
Directory traversal
IBM QRadar WinCollect Agent 10.0 through 10.1.6, when installed to run as ADMIN or SYSTEM, is vulnerable to a local escalation of privilege attack
CVE-2023-38736
7.8 - High
- September 08, 2023
IBM QRadar WinCollect Agent 10.0 through 10.1.6, when installed to run as ADMIN or SYSTEM, is vulnerable to a local escalation of privilege attack that a normal user could utilize to gain SYSTEM permissions. IBM X-Force ID: 262542.
IBM Sterling Secure Proxy 6.0.3 and 6.1.0 could allow a local user with specific information about the system to obtain privileged information due to inadequate memory clearing during operations
CVE-2023-29261
5.5 - Medium
- September 05, 2023
IBM Sterling Secure Proxy 6.0.3 and 6.1.0 could allow a local user with specific information about the system to obtain privileged information due to inadequate memory clearing during operations. IBM X-Force ID: 252139.
Insecure Storage of Sensitive Information
IBM Sterling Secure Proxy and IBM Sterling External Authentication Server 6.0.3 and 6.1.0 store user credentials in clear text
CVE-2023-32338
5.5 - Medium
- September 05, 2023
IBM Sterling Secure Proxy and IBM Sterling External Authentication Server 6.0.3 and 6.1.0 store user credentials in clear text, which can be read by a local user with container access. IBM X-Force ID: 255585.
Insufficiently Protected Credentials
IBM Financial Transaction Manager for SWIFT Services 3.2.4 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data
CVE-2023-35892
9.1 - Critical
- September 05, 2023
IBM Financial Transaction Manager for SWIFT Services 3.2.4 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 258786.
XXE
IBM InfoSphere Information Server 11.7 is potentially vulnerable to CSV Injection
CVE-2023-22877
8.8 - High
- August 28, 2023
IBM InfoSphere Information Server 11.7 is potentially vulnerable to CSV Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 244368.
CSV Injection
IBM InfoSphere Information Server 11.7 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user
CVE-2023-23473
8.8 - High
- August 28, 2023
IBM InfoSphere Information Server 11.7 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 245400.
Session Riding
IBM Security Guardium Data Encryption (IBM Guardium Cloud Key Manager (GCKM) 1.10.3) could allow a remote attacker to execute arbitrary code on the system, caused by an Angular template injection flaw
CVE-2023-26270
9.8 - Critical
- August 28, 2023
IBM Security Guardium Data Encryption (IBM Guardium Cloud Key Manager (GCKM) 1.10.3) could allow a remote attacker to execute arbitrary code on the system, caused by an Angular template injection flaw. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 248119.
XSS
IBM Security Guardium Data Encryption (IBM Guardium Cloud Key Manager (GCKM) 1.10.3) uses an inadequate account lockout setting
CVE-2023-26271
7.5 - High
- August 28, 2023
IBM Security Guardium Data Encryption (IBM Guardium Cloud Key Manager (GCKM) 1.10.3) uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 248126.
Improper Restriction of Excessive Authentication Attempts
IBM Security Guardium Data Encryption (IBM Guardium Cloud Key Manager (GCKM) 1.10.3) could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser
CVE-2023-26272
5.3 - Medium
- August 28, 2023
IBM Security Guardium Data Encryption (IBM Guardium Cloud Key Manager (GCKM) 1.10.3) could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 248133.
Generation of Error Message Containing Sensitive Information
IBM InfoSphere Information Systems 11.7 could expose information about the host system and environment configuration
CVE-2023-24959
7.5 - High
- August 28, 2023
IBM InfoSphere Information Systems 11.7 could expose information about the host system and environment configuration. IBM X-Force ID: 246332.
IBM Security Guardium 11.3 and 11.4 could disclose sensitive information to an attacker due to improper restriction of excessive authentication attempts
CVE-2022-43904
7.5 - High
- August 28, 2023
IBM Security Guardium 11.3 and 11.4 could disclose sensitive information to an attacker due to improper restriction of excessive authentication attempts. IBM X-Force ID: 240895.
Improper Restriction of Excessive Authentication Attempts
IBM Security Guardium 11.4 could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request
CVE-2022-43907
8.8 - High
- August 27, 2023
IBM Security Guardium 11.4 could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request. IBM X-Force ID: 240901.
Shell injection
IBM Security Guardium 11.4 is vulnerable to cross-site scripting
CVE-2022-43909
5.4 - Medium
- August 27, 2023
IBM Security Guardium 11.4 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 240905.
XSS
IBM Security Guardium 11.3, 11.4, and 11.5 is vulnerable to stored cross-site scripting
CVE-2023-30435
5.4 - Medium
- August 27, 2023
IBM Security Guardium 11.3, 11.4, and 11.5 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 252291.
XSS
IBM Security Guardium 11.3, 11.4, and 11.5 is vulnerable to cross-site scripting
CVE-2023-30436
5.4 - Medium
- August 27, 2023
IBM Security Guardium 11.3, 11.4, and 11.5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 252292.
XSS
IBM Security Guardium 11.3, 11.4, and 11.5 could allow an unauthorized user to enumerate usernames by sending a specially crafted HTTP request
CVE-2023-30437
5.3 - Medium
- August 27, 2023
IBM Security Guardium 11.3, 11.4, and 11.5 could allow an unauthorized user to enumerate usernames by sending a specially crafted HTTP request. IBM X-Force ID: 252293.
IBM Security Guardium 11.4 is vulnerable to SQL injection
CVE-2023-33852
5.4 - Medium
- August 27, 2023
IBM Security Guardium 11.4 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 257614.
SQL Injection
IBM Storage Copy Data Management 2.2.0.0 through 2.2.19.0 uses weaker than expected cryptographic algorithms
CVE-2023-38730
7.5 - High
- August 27, 2023
IBM Storage Copy Data Management 2.2.0.0 through 2.2.19.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 262268.
Use of a Broken or Risky Cryptographic Algorithm
IBM AIX 7.2, 7.3, VIOS 3.1's OpenSSH implementation could allow a non-privileged local user to access files outside of those allowed due to improper access controls
CVE-2023-40371
5.5 - Medium
- August 24, 2023
IBM AIX 7.2, 7.3, VIOS 3.1's OpenSSH implementation could allow a non-privileged local user to access files outside of those allowed due to improper access controls. IBM X-Force ID: 263476.
IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 could allow a remote attacker to obtain system information without authentication which could be used in reconnaissance to gather information
CVE-2023-35009
5.3 - Medium
- August 16, 2023
IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 could allow a remote attacker to obtain system information without authentication which could be used in reconnaissance to gather information that could be used for future attacks. IBM X-Force ID: 257703.
Generation of Error Message Containing Sensitive Information
IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 is vulnerable to server-side request forgery (SSRF)
CVE-2023-35011
5.4 - Medium
- August 16, 2023
IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 257705.
XSPA
IBM WebSphere Application Server Liberty 22.0.0.13 through 23.0.0.7 is vulnerable to a denial of service
CVE-2023-38737
7.5 - High
- August 16, 2023
IBM WebSphere Application Server Liberty 22.0.0.13 through 23.0.0.7 is vulnerable to a denial of service, caused by sending a specially-crafted request. A remote attacker could exploit this vulnerability to cause the server to consume memory resources. IBM X-Force ID: 262567.
Resource Exhaustion
The IBM i 7.2, 7.3, 7.4, and 7.5 product Facsimile Support for i contains a local privilege escalation vulnerability
CVE-2023-38721
7.8 - High
- August 14, 2023
The IBM i 7.2, 7.3, 7.4, and 7.5 product Facsimile Support for i contains a local privilege escalation vulnerability. A malicious actor could gain access to a command line with elevated privileges allowing root access to the host operating system. IBM X-Force ID: 262173.
IBM SDK, Java Technology Edition 7.1.5.18 and 8.0.8.0 could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization flaw
CVE-2022-40609
9.8 - Critical
- August 02, 2023
IBM SDK, Java Technology Edition 7.1.5.18 and 8.0.8.0 could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization flaw. By sending specially-crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 236069.
Marshaling, Unmarshaling
IBM Robotic Process Automation 21.0.0 through 21.0.7.latest is vulnerable to unauthorized access to data due to insufficient authorization validation on some API routes
CVE-2023-23476
6.5 - Medium
- August 02, 2023
IBM Robotic Process Automation 21.0.0 through 21.0.7.latest is vulnerable to unauthorized access to data due to insufficient authorization validation on some API routes. IBM X-Force ID: 245425.
AuthZ
IBM B2B Advanced Communications 1.0.0.0 and IBM Multi-Enterprise Integration Gateway 1.0.0.1 are vulnerable to cross-site scripting
CVE-2023-22595
5.4 - Medium
- July 31, 2023
IBM B2B Advanced Communications 1.0.0.0 and IBM Multi-Enterprise Integration Gateway 1.0.0.1 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 244076.
XSS
IBM B2B Advanced Communications 1.0.0.0 and IBM Multi-Enterprise Integration Gateway 1.0.0.1 could allow a user to cause a denial of service
CVE-2023-24971
6.5 - Medium
- July 31, 2023
IBM B2B Advanced Communications 1.0.0.0 and IBM Multi-Enterprise Integration Gateway 1.0.0.1 could allow a user to cause a denial of service due to the deserializing of untrusted serialized Java objects. IBM X-Force ID: 246976.
Marshaling, Unmarshaling
IBM TRIRIGA 3.0, 4.0, and 4.4 could allow a remote attacker to obtain sensitive information
CVE-2020-4868
5.3 - Medium
- July 31, 2023
IBM TRIRIGA 3.0, 4.0, and 4.4 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 190744.
Generation of Error Message Containing Sensitive Information
IBM Security Verify Governance, Identity Manager 10.0 could allow a remote attacker to traverse directories on the system
CVE-2023-35016
6.5 - Medium
- July 31, 2023
IBM Security Verify Governance, Identity Manager 10.0 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 257772.
Directory traversal
IBM Security Verify Governance, Identity Manager 10.0 could allow a remote authenticated attacker to execute arbitrary commands on the system
CVE-2023-35019
8.8 - High
- July 31, 2023
IBM Security Verify Governance, Identity Manager 10.0 could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request. IBM X-Force ID: 257873.
Shell injection
IBM Storage Scale Container Native Storage Access 5.1.2.1 through 5.1.6.1 could allow a local user to obtain escalated privileges
CVE-2022-43831
7.8 - High
- July 31, 2023
IBM Storage Scale Container Native Storage Access 5.1.2.1 through 5.1.6.1 could allow a local user to obtain escalated privileges on a host without proper security context settings configured. IBM X-Force ID: 238941.
IBM Cognos Analytics 11.1 and 11.2 are vulnerable to stored cross-site scripting
CVE-2023-28530
5.4 - Medium
- July 22, 2023
IBM Cognos Analytics 11.1 and 11.2 are vulnerable to stored cross-site scripting, caused by improper validation of SVG files in Custom Visualizations. A remote attacker could exploit this vulnerability to execute scripts in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. IBM X-Force ID: 251214.
XSS
IBM Cognos Analytics 11.1 and 11.2 are vulnerable to cross-site scripting
CVE-2023-25929
5.4 - Medium
- July 22, 2023
IBM Cognos Analytics 11.1 and 11.2 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 247861.
XSS
Planning Analytics Cartridge for Cloud Pak for Data 4.0 exposes sensitive information in logs
CVE-2023-26026
7.5 - High
- July 19, 2023
Planning Analytics Cartridge for Cloud Pak for Data 4.0 exposes sensitive information in logs which could lead an attacker to exploit this vulnerability to conduct further attacks. IBM X-Force ID: 247896.
Insertion of Sensitive Information into Log File
IBM Planning Analytics Cartridge for Cloud Pak for Data 4.0 connects to a CouchDB server
CVE-2023-27877
7.5 - High
- July 19, 2023
IBM Planning Analytics Cartridge for Cloud Pak for Data 4.0 connects to a CouchDB server. An attacker can exploit an insecure password policy to the CouchDB server and collect sensitive information from the database. IBM X-Force ID: 247905.
Authentication
Planning Analytics Cartridge for Cloud Pak for Data 4.0 exposes sensitive information in logs
CVE-2023-26023
7.5 - High
- July 19, 2023
Planning Analytics Cartridge for Cloud Pak for Data 4.0 exposes sensitive information in logs which could lead an attacker to exploit this vulnerability to conduct further attacks. IBM X-Force ID: 247896.
Insertion of Sensitive Information into Log File
IBM MQ 9.0 LTS, 9.1 LTS, 9.2 LTS, 9.3 LTS, 9.2 CD, and 9.3 CD and IBM MQ Appliance are vulnerable to a denial of service attack
CVE-2023-28513
7.5 - High
- July 19, 2023
IBM MQ 9.0 LTS, 9.1 LTS, 9.2 LTS, 9.3 LTS, 9.2 CD, and 9.3 CD and IBM MQ Appliance 9.2 LTS, 9.3 LTS, 9.2 CD, and 9.2 LTS, under certain configurations, are vulnerable to a denial of service attack caused by an error in processing messages. IBM X-Force ID: 250397.
IBM Security Verify Access 10.0 could allow a remote attacker to conduct phishing attacks, using an open redirect attack
CVE-2023-30433
5.4 - Medium
- July 19, 2023
IBM Security Verify Access 10.0 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim. IBM X-Force ID: 252186.
Open Redirect
The IBM i 7.2, 7.3, 7.4, and 7.5 product Facsimile Support for i contains a local privilege escalation vulnerability
CVE-2023-30988
7.8 - High
- July 16, 2023
The IBM i 7.2, 7.3, 7.4, and 7.5 product Facsimile Support for i contains a local privilege escalation vulnerability. A malicious actor with command line access to the host operating system can elevate privileges to gain root access to the host operating system. IBM X-Force ID: 254016.
IBM Performance Tools for i 7.2, 7.3, 7.4, and 7.5 contains a local privilege escalation vulnerability
CVE-2023-30989
7.8 - High
- July 16, 2023
IBM Performance Tools for i 7.2, 7.3, 7.4, and 7.5 contains a local privilege escalation vulnerability. A malicious actor with command line access to the host operating system can elevate privileges to gain all object access to the host operating system. IBM X-Force ID: 254017.
IBM Cognos Analytics on Cloud Pak for Data 4.0 could allow an attacker to make system calls
CVE-2023-28953
4.3 - Medium
- July 10, 2023
IBM Cognos Analytics on Cloud Pak for Data 4.0 could allow an attacker to make system calls that might compromise the security of the containers due to misconfigured security context. IBM X-Force ID: 251465.
IBM Watson Knowledge Catalog on Cloud Pak for Data 4.0 could allow an authenticated user to send a specially crafted request
CVE-2023-28955
6.5 - Medium
- July 10, 2023
IBM Watson Knowledge Catalog on Cloud Pak for Data 4.0 could allow an authenticated user to send a specially crafted request that could cause a denial of service. IBM X-Force ID: 251704.
IBM Watson Knowledge Catalog on Cloud Pak for Data 4.0 is potentially vulnerable to CSV Injection
CVE-2023-28958
7.8 - High
- July 10, 2023
IBM Watson Knowledge Catalog on Cloud Pak for Data 4.0 is potentially vulnerable to CSV Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of CSV file contents. IBM X-Force ID: 251782.
CSV Injection
IBM Cloud Object System 3.15.8.97 is vulnerable to stored cross-site scripting
CVE-2021-39014
5.4 - Medium
- July 07, 2023
IBM Cloud Object System 3.15.8.97 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 213650.
XSS
IBM WebSphere Application Server 8.5 and 9.0 could provide weaker than expected security
CVE-2023-35890
5.5 - Medium
- July 07, 2023
IBM WebSphere Application Server 8.5 and 9.0 could provide weaker than expected security, caused by the improper encoding in a local configuration file. IBM X-Force ID: 258637.
Use of a Broken or Risky Cryptographic Algorithm
IBM i 7.2, 7.3, 7.4, and 7.5 could allow a remote attacker to execute CL commands as QUSER, caused by an exploitation of DDM architecture
CVE-2023-30990
9.8 - Critical
- July 04, 2023
IBM i 7.2, 7.3, 7.4, and 7.5 could allow a remote attacker to execute CL commands as QUSER, caused by an exploitation of DDM architecture. IBM X-Force ID: 254036.
Code Injection
IBM Informix JDBC Driver 4.10 and 4.50 is susceptible to remote code execution attack
CVE-2023-27866
9.8 - Critical
- June 28, 2023
IBM Informix JDBC Driver 4.10 and 4.50 is susceptible to a remote code execution attack via JNDI injection when the driver code or the application using the driver does not verify the supplied LDAP URL in the connect string. IBM X-Force ID: 249511.
Code Injection
IBM Cloud Pak for Security (CP4S) 1.9.0.0 through 1.9.2.0 could allow an attacker with a valid API key for one tenant to access data from another tenant's account
CVE-2023-30993
7.5 - High
- June 27, 2023
IBM Cloud Pak for Security (CP4S) 1.9.0.0 through 1.9.2.0 could allow an attacker with a valid API key for one tenant to access data from another tenant's account. IBM X-Force ID: 254136.
Information Disclosure
IBM Business Automation Workflow is vulnerable to cross-site scripting
CVE-2023-32339
6.1 - Medium
- June 27, 2023
IBM Business Automation Workflow is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 255587.
XSS
IBM Security Directory Suite VA 8.0.1 through 8.0.1.19 could allow a privileged user to upload malicious files of dangerous types
CVE-2022-33166
7.2 - High
- June 15, 2023
IBM Security Directory Suite VA 8.0.1 through 8.0.1.19 could allow a privileged user to upload malicious files of dangerous types that can be automatically processed within the product's environment. IBM X-Force ID: 228586.
Unrestricted File Upload
IBM Security Directory Suite VA 8.0.1 through 8.0.1.19 uses an inadequate account lockout setting
CVE-2022-32757
7.5 - High
- June 15, 2023
IBM Security Directory Suite VA 8.0.1 through 8.0.1.19 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 228510.
Improper Restriction of Excessive Authentication Attempts
IBM Security Directory Suite VA 8.0.1 through 8.0.1.19 could allow a remote authenticated attacker to execute arbitrary commands on the system
CVE-2022-32752
8.8 - High
- June 15, 2023
IBM Security Directory Suite VA 8.0.1 through 8.0.1.19 could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request. IBM X-Force ID: 228439.
Shell injection
IBM Security Directory Suite VA 8.0.1 could allow an attacker to cause a denial of service due to uncontrolled resource consumption
CVE-2022-33168
7.5 - High
- June 15, 2023
IBM Security Directory Suite VA 8.0.1 could allow an attacker to cause a denial of service due to uncontrolled resource consumption. IBM X-Force ID: 228588.
Resource Exhaustion
IBM Security Directory Suite VA 8.0.1 specifies permissions for a security-critical resource in a way that allows it to be read or modified by unintended actors
CVE-2022-33163
8.1 - High
- June 15, 2023
IBM Security Directory Suite VA 8.0.1 specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. IBM X-Force ID: 228571.
Incorrect Permission Assignment for Critical Resource