IBM Maximo Application Suite

By the Year

In 2026 there have been 0 vulnerabilities in IBM Maximo Application Suite so far. Last year, in 2025, Maximo Application Suite had 8 security vulnerabilities published. At this rate, Maximo Application Suite is on track to have fewer security vulnerabilities in 2026 than it did last year.

Year Vulnerabilities Average Score
2026 0 0.00
2025 8 7.33
2024 11 6.49
2023 7 6.26
2022 3 6.73
2021 2 5.40

It may take a day or so for new Maximo Application Suite vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, some vulnerabilities may be tagged under a different product or component name (for example Maximo Asset Management or an individual component such as Monitor or Manage), so the counts above are indicative rather than exhaustive.

Recent IBM Maximo Application Suite Security Vulnerabilities

IBM Maximo Application Suite 9.x Auth Bypass Remote Access
CVE-2025-36386 9.8 - Critical - October 28, 2025

IBM Maximo Application Suite 9.0.0 through 9.0.15 and 9.1.0 through 9.1.4 could allow a remote attacker to bypass authentication mechanisms and gain unauthorized access to the application.

Authentication Bypass by Primary Weakness

IBM Maximo App Suite 9.0 RBAC Priv Escalation via Config
CVE-2025-2898 8.8 - High - May 06, 2025

IBM Maximo Application Suite 9.0 could allow an attacker with some level of access to elevate their privileges due to a security configuration vulnerability in Role-Based Access Control (RBAC) configurations.

Incorrect Privilege Assignment

IBM Maximo AS 8.11/9.0 Authenticated Input Validation Unauthorized Action
CVE-2023-43037 6.5 - Medium - April 10, 2025

IBM Maximo Application Suite 8.11 and 9.0 could allow an authenticated user to perform unauthorized actions due to improper input validation.

Improper Input Validation

Authenticated File Upload Vulnerability in IBM Maximo 9.0 (CVE-2025-1500)
CVE-2025-1500 8.0 - High - April 05, 2025

IBM Maximo Application Suite 9.0 could allow an authenticated user to upload a file with dangerous types that could be executed by another user if opened.

Unrestricted File Upload

IBM Maximo AS 8.10/8.11/9.0 Monitor Comp Leaks Source Code
CVE-2024-35144 5.3 - Medium - January 25, 2025

IBM Maximo Application Suite 8.10, 8.11, and 9.0 - Monitor Component stores source code on the web server that could aid in further attacks against the system.

Inclusion of Sensitive Information in Source Code

IBM Maximo App Suite 9.0.0 Monitor XSS: Unauth JavaScript Injection
CVE-2024-35145 6.1 - Medium - January 25, 2025

IBM Maximo Application Suite 9.0.0 - Monitor Component is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

XSS

IBM Maximo AS 8.10, 8.11, 9.0 Monitor Component SQLi
CVE-2024-35148 8.8 - High - January 25, 2025

IBM Maximo Application Suite 8.10.10, 8.11.7, and 9.0 - Monitor Component is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database.

SQL Injection

Log Injection via IBM Maximo App Suite Monitor 9.1.0
CVE-2024-35150 5.3 - Medium - January 25, 2025

IBM Maximo Application Suite 8.10.12, 8.11.0, 9.0.1, and 9.1.0 - Monitor Component does not neutralize output that is written to logs, which could allow an attacker to inject false log entries.

Improper Output Neutralization for Logs

IBM Maximo Suite XSS in Monitor Component
CVE-2024-35146 5.4 - Medium - November 06, 2024

IBM Maximo Application Suite - Monitor Component 8.10.11, 8.11.8, and 9.0.0 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

XSS

IBM Maximo Monitor 8.10/8.11/9.0 Hard-Coded Crypto Key Disclosure
CVE-2024-38314 5.9 - Medium - October 24, 2024

IBM Maximo Application Suite - Monitor Component 8.10, 8.11, and 9.0 could disclose information in the form of a hard-coded cryptographic key to an attacker who has already compromised the environment.

Use of Hard-coded Cryptographic Key

IBM Maximo App Suite Manage Component 8.10/8.11/9.0 Weak Crypto (CVE-2024-37068)
CVE-2024-37068 7.5 - High - September 07, 2024

IBM Maximo Application Suite - Manage Component 8.10, 8.11, and 9.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information using man-in-the-middle techniques.

Use of a Broken or Risky Cryptographic Algorithm

IBM Maximo Asset Mgmt 7.6.1.3, 8.10/8.11 LFA: Local Web Pages Readable
CVE-2024-22333 3.3 - Low - June 13, 2024

IBM Maximo Asset Management 7.6.1.3 and IBM Maximo Application Suite 8.10 and 8.11 allow web pages to be stored locally, where they can be read by another user on the system. IBM X-Force ID: 279973.

Exposure of Resource to Wrong Sphere

IBM Maximo AS 8.10/8.11 Directory Traversal via URL
CVE-2024-22328 7.5 - High - April 06, 2024

IBM Maximo Application Suite 8.10 and 8.11 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 279950.

IBM Maximo Application Suite 7.6.1.3 XXE
CVE-2024-27266 8.2 - High - March 14, 2024

IBM Maximo Application Suite 7.6.1.3 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 284566.

XXE

IBM Maximo App Suite: Mobile for EAM 8.10/8.11 Local Info Disclosure
CVE-2023-43043 5.5 - Medium - March 13, 2024

IBM Maximo Application Suite - Maximo Mobile for EAM 8.10 and 8.11 could disclose sensitive information to a local user. IBM X-Force ID: 266875.

Insertion of Sensitive Information into Log File

IBM Maximo URLs Leak Sensitive Data (v8.10-8.11, 7.6.1.3)
CVE-2023-32335 7.5 - High - March 13, 2024

IBM Maximo Application Suite 8.10, 8.11 and IBM Maximo Asset Management 7.6.1.3 stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. IBM X-Force ID: 255075.

Use of GET Request Method With Sensitive Query Strings

IBM Maximo App Suite 7.6.1.3 Stored XSS
CVE-2023-38723 6.4 - Medium - March 13, 2024

IBM Maximo Application Suite 7.6.1.3 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 262192.

XSS

SSRF in IBM Maximo Spatial Asset Mgt 8.10
CVE-2023-32337 5.4 - Medium - January 19, 2024

IBM Maximo Spatial Asset Management 8.10 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 255288.

SSRF

IBM Maximo AMS 7.6.1.3 / MC 8.10-8.11 XSRF Vulnerability
CVE-2023-47718 8.8 - High - January 19, 2024

IBM Maximo Asset Management 7.6.1.3 and Manage Component 8.10 through 8.11 are vulnerable to cross-site request forgery, which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 271843.

Session Riding

IBM Maximo AS 8.9/8.10 & AM 7.6.1.2/7.6.1.3 HTML Injection
CVE-2023-32332 5.4 - Medium - September 08, 2023

IBM Maximo Application Suite 8.9, 8.10 and IBM Maximo Asset Management 7.6.1.2, 7.6.1.3 are vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. IBM X-Force ID: 255072.

XSS

IBM Maximo (7.6.1.2/7.6.1.3) Info Disclosure via URL Parameters
CVE-2023-32334 5.3 - Medium - June 05, 2023

IBM Maximo Asset Management 7.6.1.2, 7.6.1.3 and IBM Maximo Application Suite 8.8.0 stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. IBM X-Force ID: 255074.

IBM Maximo App Suite Manage Component 8.8.0/8.9.0: Cleartext Sensitive Data Exposed
CVE-2023-27861 5.9 - Medium - June 05, 2023

IBM Maximo Application Suite - Manage Component 8.8.0 and 8.9.0 transmits sensitive information in cleartext that could be intercepted by an attacker using man-in-the-middle techniques. IBM X-Force ID: 249208.

Cleartext Transmission of Sensitive Information

IBM Maximo Asset Management <=7.6.1.3 XSS in Web UI (Stored)
CVE-2022-35645 5.4 - Medium - March 02, 2023

IBM Maximo Asset Management 7.6.1.1, 7.6.1.2, 7.6.1.3 and IBM Maximo Application Suite 8.8 and 8.9 are vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 230958.

XSS

IBM Maximo App Suite 8.8/8.9 Local Info Disclosure
CVE-2022-43923 5.5 - Medium - February 24, 2023

IBM Maximo Application Suite 8.8.0 and 8.9.0 stores potentially sensitive information that could be read by a local user. IBM X-Force ID: 241584.

Insertion of Sensitive Information into Log File

IBM Maximo Asset Mgt 7.6.1.2/3 Info Disclosure via Error Msg
CVE-2022-41734 7.5 - High - February 17, 2023

IBM Maximo Asset Management 7.6.1.2 and 7.6.1.3 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 237587.

Cleartext Storage of Sensitive Information

IBM Maximo 7.6.1.*-8.4 CSV Injection Vulnerability
CVE-2022-35281 8.8 - High - January 09, 2023

IBM Maximo Asset Management 7.6.1.1, 7.6.1.2, 7.6.1.3 and the IBM Maximo Manage 8.3, 8.4 application in IBM Maximo Application Suite are vulnerable to CSV injection. IBM X-Force ID: 2306335.

CSV Injection

IBM Maximo Mobile 8.7/8.8 Local Credential Disclosure via Plain Text Storage
CVE-2022-41732 5.5 - Medium - November 28, 2022

IBM Maximo Mobile 8.7 and 8.8 stores user credentials in plain text, which can be read by a local user. IBM X-Force ID: 237407.

Insufficiently Protected Credentials

IBM Maximo Asset Management 7.6.1.1-7.6.1.2 Info Disclosure via Error Message
CVE-2021-38924 7.5 - High - September 14, 2022

IBM Maximo Asset Management 7.6.1.1 and 7.6.1.2 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 210163.

Generation of Error Message Containing Sensitive Information

IBM Maximo Asset Management 7.6.1.1 and 7.6.1.2 is vulnerable to HTTP header injection
CVE-2021-29854 7.2 - High - May 03, 2022

IBM Maximo Asset Management 7.6.1.1 and 7.6.1.2 is vulnerable to HTTP header injection, caused by improper validation of the HOST header. By sending a specially crafted HTTP request, a remote attacker could exploit this vulnerability to inject an HTTP HOST header, which would allow the attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. IBM X-Force ID: 205680.

Output Sanitization

IBM Maximo Asset Management 7.6.0 and 7.6.1 is vulnerable to stored cross-site scripting
CVE-2021-29743 5.4 - Medium - August 30, 2021

IBM Maximo Asset Management 7.6.0 and 7.6.1 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 201693.

XSS

IBM Maximo Asset Management 7.6.0 and 7.6.1 is vulnerable to cross-site scripting
CVE-2021-29744 5.4 - Medium - August 27, 2021

IBM Maximo Asset Management 7.6.0 and 7.6.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 201694.

XSS

Vendor: IBM