| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Cross-site scripting (XSS) vulnerability in the web server in IBM Domino 8.5.x before 8.5.3 FP6 IF8 and 9.x before 9.0.1 FP4, when Webmail is enabled, allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL, aka SPR KLYH9WYPR5. |
| Directory traversal vulnerability in the Web Administration tool in IBM Tivoli Directory Server (ITDS) before 6.1.0.74-ISS-ISDS-IF0074, 6.2.x before 6.2.0.50-ISS-ISDS-IF0050, and 6.3.x before 6.3.0.43-ISS-ISDS-IF0043 and IBM Security Directory Server (ISDS) before 6.3.1.18-ISS-ISDS-IF0018 and 6.4.x before 6.4.0.9-ISS-ISDS-IF0009 allows remote attackers to read arbitrary files via a .. (dot dot) in a URL. |
| Unspecified vulnerability in Jazz Team Server in Jazz Foundation in IBM Rational Collaborative Lifecycle Management (CLM) 3.x and 4.x before 4.0.7 IF8 and 5.x before 5.0.2 IF10; Rational Quality Manager (RQM) 2.x and 3.x before 3.0.1.6 IF7, 4.x before 4.0.7 IF8, and 5.x before 5.0.2 IF10; Rational Team Concert (RTC) 2.x and 3.x before 3.0.1.6 IF7, 4.x before 4.0.7 IF8, and 5.x before 5.0.2 IF10; Rational Requirements Composer (RRC) 2.x and 3.x before 3.0.1.6 IF7 and 4.0 through 4.0.7; Rational DOORS Next Generation (RDNG) 4.x before 4.0.7 IF8 and 5.x before 5.0.2 IF10; Rational Engineering Lifecycle Manager (RELM) 1.0 through 1.0.0.1, 4.0.3 through 4.0.7, and 5.0 through 5.0.2; Rational Rhapsody Design Manager (DM) 3.0 through 3.0.1, 4.0 through 4.0.7, 5.0 through 5.0.2, and 6.0; and Rational Software Architect Design Manager (DM) 3.0 through 3.0.1, 4.0 through 4.0.7, and 5.0 through 5.0.2 allows remote attackers to cause a denial of service via unknown vectors. |
| Cross-site scripting (XSS) vulnerability in IBM Tivoli Common Reporting (TCR) 2.1 before IF13 and 2.1.1 before IF21, and TCR 3.1.x as used in Cognos Business Intelligence before 10.2 IF0015 and other products, allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL. |
| Multiple cross-site scripting (XSS) vulnerabilities in IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 before FP17, 6.2.1 before FP9, and 6.2.2 before FP15, as used in Security Access Manager for Mobile and other products, allow remote attackers to inject arbitrary web script or HTML via a crafted URL, related to the (1) ERROR_DESCRIPTION and (2) TOKEN:RelayState macros. |
| Stack-based buffer overflow in the server in IBM Tivoli Storage Manager FastBack 6.1 before 6.1.12 allows remote attackers to cause a denial of service (daemon crash) via unspecified vectors, a different vulnerability than CVE-2015-1924, CVE-2015-1925, CVE-2015-1929, CVE-2015-1930, CVE-2015-1948, CVE-2015-1953, CVE-2015-1954, CVE-2015-1962, CVE-2015-1963, and CVE-2015-1965. |
| Stack-based buffer overflow in the server in IBM Tivoli Storage Manager FastBack 6.1 before 6.1.12 allows remote attackers to cause a denial of service (daemon crash) via unspecified vectors, a different vulnerability than CVE-2015-1924, CVE-2015-1925, CVE-2015-1929, CVE-2015-1930, CVE-2015-1948, CVE-2015-1953, CVE-2015-1954, CVE-2015-1963, CVE-2015-1964, and CVE-2015-1965. |
| The REST API in IBM Business Process Manager (BPM) 7.5.x through 7.5.1.2, 8.0.x through 8.0.1.3, 8.5.0 through 8.5.0.1, 8.5.5 through 8.5.5.0, and 8.5.6 through 8.5.6.0 allows remote authenticated users to bypass intended access restrictions and execute arbitrary JavaScript code on the server via an unspecified API call. |
| Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 8.0.0 before 8.0.0.1 CF17 and 8.5.0 before CF06 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL. |
| IBM PowerVC 1.2.0.x through 1.2.0.4, 1.2.1.x through 1.2.1.2, and 1.2.2.x through 1.2.2.2 does not require authentication for the ceilometer NoSQL database, which allows remote attackers to read or write to arbitrary database records, and consequently obtain administrator privileges, via a session on port 27017. |
| IBM Maximo Asset Management 7.1 through 7.1.1.13, 7.5.0 before 7.5.0.8 IFIX002, and 7.6.0 before 7.6.0.1 IFIX001; Maximo Asset Management 7.5.x before 7.5.0.8 IFIX002 and 7.6.0 before 7.6.0.1 IFIX001 for SmartCloud Control Desk; and Maximo Asset Management 7.1 through 7.1.1.13 and 7.2 for Tivoli IT Asset Management for IT and certain other products do not properly encrypt passwords, which makes it easier for context-dependent attackers to determine cleartext passwords by leveraging access to a password file. |
| IBM Maximo Asset Management 7.1 through 7.1.1.13, 7.5.0 before 7.5.0.8 IFIX001, and 7.6.0 before 7.6.0.1 IFIX001; Maximo Asset Management 7.5.x before 7.5.0.8 IFIX001 and 7.6.0 before 7.6.0.1 IFIX001 for SmartCloud Control Desk; and Maximo Asset Management 7.1 through 7.1.1.13 and 7.2 for Tivoli IT Asset Management for IT and certain other products do not have an off autocomplete attribute for the password field, which makes it easier for remote attackers to obtain access by leveraging an unattended workstation. |
| Jazz Team Server in Jazz Foundation in IBM Rational Collaborative Lifecycle Management (CLM) 3.x and 4.x before 4.0.7 IF9, 5.x before 5.0.2 IF11, and 6.x before 6.0.0 IF4; Rational Quality Manager (RQM) 3.x before 3.0.1.6 IF7, 4.x before 4.0.7 IF9, 5.x before 5.0.2 IF11, and 6.0 before 6.0.0 IF4; Rational Team Concert (RTC) 3.x before 3.0.1.6 IF7, 4.x before 4.0.7 IF9, 5.x before 5.0.2 IF11, and 6.0 before 6.0.0 IF4; Rational Requirements Composer (RRC) 3.x before 3.0.1.6 IF7 and 4.x before 4.0.7 IF9; Rational DOORS Next Generation (RDNG) 4.x before 4.0.7 IF9, 5.x before 5.0.2 IF11, and 6.0 before 6.0.0 IF4; Rational Engineering Lifecycle Manager (RELM) 4.0.3 through 4.0.7, 5.0 through 5.0.2, and 6.0.0; Rational Rhapsody Design Manager (DM) 4.0 through 4.0.7, 5.0 through 5.0.2, and 6.0.0; and Rational Software Architect Design Manager (DM) 4.0 through 4.0.7, 5.0 through 5.0.2, and 6.0.0 allows remote authenticated users to conduct clickjacking attacks via a crafted web site. |
| Stack-based buffer overflow in the server in IBM Tivoli Storage Manager FastBack 6.1 before 6.1.12 allows remote attackers to cause a denial of service (daemon crash) via unspecified vectors, a different vulnerability than CVE-2015-1925, CVE-2015-1929, CVE-2015-1930, CVE-2015-1948, CVE-2015-1953, CVE-2015-1954, CVE-2015-1962, CVE-2015-1963, CVE-2015-1964, and CVE-2015-1965. |
| Open redirect vulnerability in IBM WebSphere Portal 8.0.0 before 8.0.0.1 CF17 and 8.5.0 before CF06 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a crafted URL. |
| Cross-site scripting (XSS) vulnerability in Sterling Order Management 8.5 before HF113, Sterling Selling and Fulfillment Foundation 9.0.0 before FP92, and Sterling Field Sales (SFS) 9.0 before HF7 in IBM Sterling Selling and Fulfillment Suite allows remote attackers to inject arbitrary web script or HTML via a crafted URL. |
| IBM Business Process Manager (BPM) 8.0.x through 8.0.1.3, 8.5.0 through 8.5.0.1, 8.5.5 through 8.5.5.0, and 8.5.6 through 8.5.6.0, when external Enterprise Content Management (ECM) integration is enabled with a certain technical system account configuration, allows remote authenticated users to bypass intended document-access restrictions via a (1) upload or (2) download action. |
| The Big SQL component in IBM InfoSphere BigInsights 3.0 through 3.0.0.2 allows remote authenticated users to bypass intended HDFS data-access restrictions via (1) a crafted CREATE HADOOP TABLE statement referencing the data of an arbitrary user or (2) an import of a certain Hive table definition with the HCAT_SYNC_OBJECTS procedure. |
| Apache HBase 0.98 before 0.98.12.1, 1.0 before 1.0.1.1, and 1.1 before 1.1.0.1, as used in IBM InfoSphere BigInsights 3.0, 3.0.0.1, and 3.0.0.2 and other products, uses incorrect ACLs for ZooKeeper coordination state, which allows remote attackers to cause a denial of service (daemon outage), obtain sensitive information, or modify data via unspecified client traffic. |
| The XML parser in Lifecycle Query Engine (LQE) in IBM Jazz Reporting Service 6.0 and 6.0.1 before 6.0.1 iFix006 allows remote authenticated administrators to read arbitrary files or cause a denial of service via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. |
