Unspecified vulnerability in the Reference Data Management component in IBM InfoSphere Master Data Management 10.1, 11.0, 11.3 before FP3, and 11.4 allows remote authenticated users to gain privileges via unknown vectors.
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to a privilege escalation vulnerability when using the SAML Web Inbound Trust Association Interceptor (TAI). IBM X-Force ID: 202006.
IBM QRadar Suite Software 1.10.12.0 through 1.10.21.0 and IBM Cloud Pak for Security 1.10.12.0 through 1.10.21.0 could allow an authenticated user to execute certain arbitrary commands due to improper input validation. IBM X-Force ID: 272087.
IBM Security Guardium 11.3, 11.4, 11.5, and 12.0 could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request. IBM X-Force ID: 271524.
IBM Cognos Analytics 11.1.7 and 11.2.0 is vulnerable to priviledge escalation where a lower evel user could have access to the 'New Job' page to which they should not have access to. IBM X-Force ID: 201695.
IBM Security Guardium Key Lifecycle Manager 4.3 could allow an authenticated user to upload files of a dangerous file type. IBM X-Force ID: 271341.
IBM InfoSphere Information Server 11.7 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 201164.
Multiple SQL injection vulnerabilities in IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 and 2.2 allow remote authenticated users to execute arbitrary SQL commands via vectors involving the RNVisibility page and unspecified screens, a different vulnerability than CVE-2013-0560.
IBM Engineering Lifecycle Optimization - Publishing 7.0.2 and 7.0.3 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 268749.
IBM Jazz Team Server products is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.
IBM Security Identity Manager 7.0.2 could allow an authenticated user to bypass security and perform actions that they should not have access to. IBM X-Force ID: 200015
The ifx_load_internal function in IBM Informix Dynamic Server (IDS) allows remote authenticated users to execute arbitrary C code via the DllMain or _init function in a library, aka "C code UDR."
Multiple buffer overflows in IBM Informix Dynamic Server (IDS) before 9.40.TC6 and 10.00 before 10.00.TC3 allow remote authenticated users to execute arbitrary code via (1) the getname function, as used by (a) _sq_remview, (b) _sq_remproc, (c) _sq_remperms, (d) _sq_distfetch, and (e) _sq_dcatalog; and the (2) SET DEBUG FILE, (3) IFX_FILE_TO_FILE, (4) FILETOCLOB, (5) LOTOFILE, and (6) DBINFO functions (product defect IDs 171649, 171367, 171387, 171391, 171906, 172179).
IBM Kenexa LMS on Cloud 13.1 and 13.2 - 13.2.4 could allow a remote attacker to upload arbitrary files, which could allow the attacker to execute arbitrary code on the vulnerable server.
IBM Security QRadar SIEM QRM 7.1 MR1 and QRM/QVM 7.2 MR2 allows remote authenticated users to gain privileges via invalid input.
IBM DB2 Universal Database (UDB) 810 before ESE AIX 5765F4100 does not ensure that a user has execute privileges before permitting object creation based on routines, which allows remote authenticated users to gain privileges.
SQL injection vulnerability in IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.
Multiple buffer overflows in IBM Rational ClearCase 7.x before 7.1.2.13, 8.0.0.x before 8.0.0.10, and 8.0.1.x before 8.0.1.3 allow remote authenticated users to obtain privileged access via unspecified vectors.
IBM i Access Client Solutions 1.1.2 through 1.1.4 and 1.1.4.3 through 1.1.9.3 could allow an attacker to execute remote code. Due to improper authority checks the attacker could perform operations on the PC under the user's authority. IBM X-Force ID: 268273.
SQL injection vulnerability in the GDS component in IBM InfoSphere Master Data Management - Collaborative Edition 10.x and 11.x before 11.0-FP5 and InfoSphere Master Data Management Server for Product Information Management 9.x through 11.x before 11.3-IF2 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.
The import/export functionality in IBM Business Process Manager (BPM) 7.5.x through 7.5.1.2, 8.0.x through 8.0.1.3, and 8.5.x through 8.5.5 allows remote authenticated users to bypass intended access restrictions via a project action for a (1) process application or (2) toolkit.
Unspecified vulnerability in IBM WebSphere Portal 6.1.0 through 6.1.0.6 CF27, 6.1.5 through 6.1.5.3 CF27, 7.0 through 7.0.0.2 CF28, 8.0 through 8.0.0.1 CF14, and 8.5.0 before CF03 allows remote authenticated users to execute arbitrary code via unknown vectors.
IBM Curam Social Program Management 6.0 SP2 before EP26, 6.0.4 before 6.0.4.5iFix10 and 6.0.5 before 6.0.5.6 allows remote authenticated users to load arbitrary Java classes via unspecified vectors.
SQL injection vulnerability in IBM Security QRadar SIEM 7.2 before 7.2.3 Patch 1 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.
IBM WebSphere Application Server (WAS) Liberty Profile 8.5.x before 8.5.5.3 does not properly use the Liberty Repository for feature installation, which allows remote authenticated users to execute arbitrary code via unspecified vectors.
IBM WebSphere MQ 8.x before 8.0.0.1 does not properly enforce CHLAUTH rules for blocking client connections in certain circumstances related to the CONNAUTH attribute, which allows remote authenticated users to bypass intended queue-manager access restrictions via unspecified vectors.
Multiple SQL injection vulnerabilities in IBM Sterling B2B Integrator 5.2 and Sterling File Gateway 2.2 allow remote authenticated users to execute arbitrary SQL commands via unspecified vectors.
IBM Maximo Asset Management 7.x before 7.1.1.7 LAFIX.20140319-0837, 7.1.1.11 before IFIX.20140323-0749, 7.1.1.12 before IFIX.20140321-1336, 7.5.x before 7.5.0.3 IFIX027, and 7.5.0.4 before IFIX011; SmartCloud Control Desk 7.x before 7.5.0.3 and 7.5.1.x before 7.5.1.2; and Tivoli IT Asset Management for IT, Tivoli Service Request Manager, Maximo Service Desk, and Change and Configuration Management Database (CCMDB) 7.x before 7.1.1.7 LAFIX.20140319-0837, 7.1.1.11 before IFIX.20140207-1801, and 7.1.1.12 before IFIX.20140218-1510 do not properly restrict file types during uploads, which allows remote authenticated users to have an unspecified impact via an invalid type.
SQL injection vulnerability in IBM Algo One, as used in MetaData Management Tools in UDS 4.7.0 through 5.0.0, ACSWeb in Algo Security Access Control Management 4.7.0 through 4.9.0, and ACSWeb in AlgoWebApps 5.0.0, allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, a different vulnerability than CVE-2013-6331.
IBM Security Verify Access Docker 10.0.0 could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request. IBM X-Force ID: 198813
IBM Storwize V7000 Unified 1.3.x and 1.4.x before 1.4.3.3 allows remote authenticated users to gain privileges by leveraging access to the service account.
SQL injection vulnerability in IBM Emptoris Contract Management 9.5.x before 9.5.0.6 iFix 10, 10.0.0.x before 10.0.0.1 iFix 10, 10.0.1.x before 10.0.1.4, and 10.0.2.x before 10.0.2.2 iFix 2 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.
IBM Maximo Asset Management 6.2 through 6.2.8, 7.1 before 7.1.1.12, and 7.5 before 7.5.0.5 allows remote authenticated users to conduct unspecified file-inclusion attacks via unknown vectors.
IBM Maximo for Civil Infrastructure 7.6.2 includes executable functionality (such as a library) from a source that is outside of the intended control sphere. IBM X-Force ID: 196619.
IBM Power9 Self Boot Engine(SBE) could allow a privileged user to inject malicious code and compromise the integrity of the host firmware bypassing the host firmware signature verification process.
IBM WebSphere Application Server Network Deployment 8.5 and 9.0 could allow a remote authenticated attacker to traverse directories. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to read and delete arbitrary files on the system. IBM X-Force ID: 198435.
IBM Cloud Pak for Applications 4.3 could allow an authenticated user gain escalated privilesges due to improper application permissions. IBM X-Force ID: 196308.
IBM Security Identity Manager Adapters 6.0 and 7.0 could allow a remote authenticated attacker to conduct an LDAP injection. By using a specially crafted request, an attacker could exploit this vulnerability and takeover other accounts. IBM X-Force ID: 199252.
IBM Maximo Asset Management 6.2 through 6.2.8, 7.1 through 7.1.1.12, and 7.5 before 7.5.0.3 allows remote authenticated users to gain privileges via unspecified vectors.
SQL injection vulnerability in IBM Maximo Asset Management 7.1 before 7.1.1.12 and 7.5 before 7.5.0.5 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.
Multiple SQL injection vulnerabilities in IBM InfoSphere Information Server 8.x through 8.5 FP3, 8.7.x through 8.7 FP2, and 9.1.x through 9.1.2.0 allow remote authenticated users to execute arbitrary SQL commands via unspecified interfaces.
SQL injection vulnerability in IBM Maximo Asset Management 7.x before 7.1.1.7 LAFIX.20140319-0837, 7.1.1.11 before IFIX.20140323-0749, 7.1.1.12 before IFIX.20140321-1336, 7.5.x before 7.5.0.3 IFIX027, 7.5.0.4 before IFIX011, and 7.5.0.5 before IFIX006; SmartCloud Control Desk 7.x before 7.5.0.3 and 7.5.1.x before 7.5.1.2; and Tivoli IT Asset Management for IT, Tivoli Service Request Manager, Maximo Service Desk, and Change and Configuration Management Database (CCMDB) 7.x before 7.1.1.7 LAFIX.20140319-0837, 7.1.1.11 before IFIX.20140207-1801, and 7.1.1.12 before IFIX.20140218-1510 allows remote authenticated users to execute arbitrary SQL commands via a Birt report with a WHERE clause in plain text.
IBM Maximo Asset Management 7.1 before 7.1.1.12 and 7.5 before 7.5.0.5 allows remote authenticated users to gain privileges via unspecified vectors.
SQL injection vulnerability in IBM Maximo Asset Management 7.1 before 7.1.1.12 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
IBM Maximo Asset Management 6.2 through 6.2.8, 7.1 through 7.1.1.12, and 7.5 before 7.5.0.5 allows remote authenticated users to bypass intended access restrictions via unspecified vectors.
Directory traversal vulnerability in IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 and 2.2 allows remote authenticated users to read or modify files via unspecified vectors.
SQL injection vulnerability in the server component in IBM Tivoli Remote Control 5.1.2 before 5.1.2-TIV-TRC512-IF0015 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.
IBM Security QRadar SIEM 7.2 and 7.3 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 134811.
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could provide weaker than expected security when using the Administrative Console. An authenticated remote attacker could exploit this vulnerability to possibly gain elevated privileges.
Unspecified vulnerability in IBM QRadar Security Information and Event Manager (SIEM) 7.x before 7.1 MR2 Patch 1 allows remote authenticated users to execute operating-system commands via unknown vectors.