IBM Planning Analytics Local

IBM Planning Analytics Local 2.1.15 leaks server architecture info
CVE-2025-36437 4.3 - Medium - December 09, 2025

IBM Planning Analytics Local 2.1.0 - 2.1.15 could disclose sensitive information about server architecture that could aid in further attacks against the system.

Generation of Error Message Containing Sensitive Information

IBM Planning Analytics 2.1.02.1.14 Source Code Sensitive Data Leak
CVE-2025-36299 4.3 - Medium - November 17, 2025

IBM Planning Analytics Local 2.1.0 through 2.1.14 stores sensitive information in source code could be used in further attacks against the system.

Inclusion of Sensitive Information in Source Code

IBM Planning Analytics Local 2.1.0-2.1.14 Dir-Trav via URL (Auth)
CVE-2025-36357 8 - High - November 17, 2025

IBM Planning Analytics Local 2.1.0 through 2.1.14 could allow a remote authenticated user to traverse directories on the system. An attacker could send a specially crafted URL request containing absolute path sequences to view, read, or write arbitrary files on the system.

Absolute Path Traversal

IBM Planning Analytics Local 2.0.0-2.0.106/2.1.0-2.1.13 Input Validation Priv Esc
CVE-2025-36262 4.9 - Medium - September 30, 2025

IBM Planning Analytics Local 2.0.0 through 2.0.106 and 2.1.0 through 2.1.13 could allow a malicious privileged user to bypass the UI to gain unauthorized access to sensitive information due to the improper validation of input.

Improper Validation of Syntactic Correctness of Input

XSS Vulnerability in IBM Planning Analytics Web UI 2.0.02.1.13
CVE-2025-36132 5.4 - Medium - September 30, 2025

IBM Planning Analytics Local 2.0.0 through 2.0.106 and 2.1.0 through 2.1.13 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

XSS

IBM Planning Analytics 2.0-2.1 Authenticated XSS in Web UI
CVE-2025-25044 5.4 - Medium - June 01, 2025

IBM Planning Analytics Local 2.0 and 2.1 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

XSS

IBM Planning Analytics Local XSS (v2.0/2.1) – UI Tampering, Credentials Leak
CVE-2025-2896 5.4 - Medium - June 01, 2025

IBM Planning Analytics Local 2.0 and 2.1 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

XSS

IBM Planning Analytics 2.0/2.1 Local Privileged Pathname Deletion
CVE-2025-33004 6.5 - Medium - June 01, 2025

IBM Planning Analytics Local 2.0 and 2.1 could allow a privileged user to delete files from directories due to improper pathname restriction.

Directory traversal

IBM Planning Analytics 2.0/2.1 Session Hijack: Logout Fails to Invalidate
CVE-2025-33005 8.8 - High - June 01, 2025

IBM Planning Analytics Local 2.0 and 2.1 does not invalidate session after a logout which could allow an authenticated user to impersonate another user on the system.

Insufficient Session Expiration

IBM Planning Analytics 2.0/2.1 MongoDB Unauth Access Vulnerability
CVE-2024-35143 9.1 - Critical - August 04, 2024

IBM Planning Analytics Local 2.0 and 2.1 connects to a MongoDB server. MongoDB, a document-oriented database system, is listening on the remote port, and it is configured to allow connections without password authentication. A remote attacker can gain unauthorized access to the database. IBM X-Force ID: 292420.

Missing Authentication for Critical Function

XSS Vulnerability in IBM Planning Analytics Local 2.0/2.1 Web UI
CVE-2024-31889 5.4 - Medium - May 31, 2024

IBM Planning Analytics Local 2.0 and 2.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 288136.

XSS

IBM Planning Analytics XSS in 2.0/2.1 Web UI
CVE-2024-31907 5.4 - Medium - May 31, 2024

IBM Planning Analytics Local 2.0 and 2.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 289889.

XSS

IBM Planning Analytics 2.0/2.1 Stored XSS in Web UI
CVE-2024-31908 5.4 - Medium - May 31, 2024

IBM Planning Analytics Local 2.0 and 2.1 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 289890.

XSS

IBM Planning Analytics Local 2.0 RCE via File Upload
CVE-2023-42017 9.8 - Critical - December 22, 2023

IBM Planning Analytics Local 2.0 could allow a remote attacker to upload arbitrary files, caused by the improper validation of file extensions. By sending a specially crafted HTTP request, a remote attacker could exploit this vulnerability to upload a malicious script, which could allow the attacker to execute arbitrary code on the vulnerable system. IBM X-Force ID: 265567.

Unrestricted File Upload

IBM Planning Analytics Local 2.0 - Stored XSS in Web UI (v2.0)
CVE-2023-28520 5.4 - Medium - May 12, 2023

IBM Planning Analytics Local 2.0 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 250454.

XSS

IBM Planning Analytics Local 2.0 could
CVE-2021-29739 4.9 - Medium - August 10, 2021

IBM Planning Analytics Local 2.0 could allow a remote attacker to obtain sensitive information when a stack trace is returned in the browser. X-Force ID: 198846.

Unchecked Return Value

IBM Planning Analytics Local 2.0 connects to a MongoDB server
CVE-2020-4669 9.1 - Critical - May 17, 2021

IBM Planning Analytics Local 2.0 connects to a MongoDB server. MongoDB, a document-oriented database system, is listening on the remote port, and it is configured to allow connections without password authentication. A remote attacker can gain unauthorized access to the database. IBM X-Force ID: 184600.

AuthZ

IBM Planning Analytics Local 2.0 connects to a Redis server
CVE-2020-4670 9.1 - Critical - May 17, 2021

IBM Planning Analytics Local 2.0 connects to a Redis server. The Redis server, an in-memory data structure store, running on the remote host is not protected by password authentication. A remote attacker can exploit this to gain unauthorized access to the server. IBM X-Force ID: 186401.

authentification

IBM Planning Analytics Local 2.0 could allow an attacker to obtain sensitive information due to accepting body parameters in a query
CVE-2020-4985 7.5 - High - May 14, 2021

IBM Planning Analytics Local 2.0 could allow an attacker to obtain sensitive information due to accepting body parameters in a query. IBM X-Force ID: 192642.

Information Disclosure

IBM Planning Analytics Local 2.0.9.2 and IBM Planning Analytics Workspace 57 could expose data to non-privleged users by not invalidating TM1Web user sessions
CVE-2020-4649 4.3 - Medium - November 03, 2020

IBM Planning Analytics Local 2.0.9.2 and IBM Planning Analytics Workspace 57 could expose data to non-privleged users by not invalidating TM1Web user sessions. IBM X-Force ID: 186022.

Information Disclosure

IBM Planning Analytics Local 2.0.0 through 2.0.9.1 is vulnerable to cross-site scripting
CVE-2020-4645 5.4 - Medium - July 29, 2020

IBM Planning Analytics Local 2.0.0 through 2.0.9.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 185717.

XSS

IBM Planning Analytics Local 2.0.0 through 2.0.9.1 could allow a remote attacker to hijack the clicking action of the victim
CVE-2020-4644 5.4 - Medium - July 29, 2020

IBM Planning Analytics Local 2.0.0 through 2.0.9.1 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. IBM X-Force ID: 185716.

Improper Input Validation

IBM Planning Analytics Local 2.0 is vulnerable to cross-site scripting
CVE-2020-4503 6.1 - Medium - June 02, 2020

IBM Planning Analytics Local 2.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 182283.

XSS

IBM Planning Analytics Local 2.0 is vulnerable to cross-site scripting
CVE-2020-4431 5.4 - Medium - June 02, 2020

IBM Planning Analytics Local 2.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 180761.

XSS

IBM Planning Analytics Local 2.0 uses weaker than expected cryptographic algorithms
CVE-2020-4367 7.5 - High - June 02, 2020

IBM Planning Analytics Local 2.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 179001.

Use of a Broken or Risky Cryptographic Algorithm

IBM Planning Analytics Local 2.0 is vulnerable to cross-site scripting
CVE-2020-4366 6.1 - Medium - June 02, 2020

IBM Planning Analytics Local 2.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 178965.

XSS

IBM Planning Analytics Local 2.0 is vulnerable to cross-site scripting
CVE-2020-4360 5.4 - Medium - June 02, 2020

IBM Planning Analytics Local 2.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 178765.

XSS

IBM Planning Analytics Local 2.0.0 through 2.0.9 is vulnerable to cross-site scripting
CVE-2020-4306 5.4 - Medium - May 29, 2020

IBM Planning Analytics Local 2.0.0 through 2.0.9 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 176735.

XSS

IBM Planning Analytics 2.0.0 through 2.0.4 is vulnerable to cross-site scripting
CVE-2018-1676 - July 06, 2018

IBM Planning Analytics 2.0.0 through 2.0.4 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 145118.