Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2023-35895

Summary
Assigner-ibm
Assigner Org ID-9a959283-ebb5-44b6-b705-dcc2bbced522
Published At-20 Dec, 2023 | 14:18
Updated At-02 Aug, 2024 | 16:37
Rejected At-
Credits

IBM Informix JDBC code execution

IBM Informix JDBC Driver 4.10 and 4.50 is susceptible to remote code execution attack via JNDI injection when passing an unchecked argument to a certain API. IBM X-Force ID: 259116.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:ibm
Assigner Org ID:9a959283-ebb5-44b6-b705-dcc2bbced522
Published At:20 Dec, 2023 | 14:18
Updated At:02 Aug, 2024 | 16:37
Rejected At:
▼CVE Numbering Authority (CNA)
IBM Informix JDBC code execution

IBM Informix JDBC Driver 4.10 and 4.50 is susceptible to remote code execution attack via JNDI injection when passing an unchecked argument to a certain API. IBM X-Force ID: 259116.

Affected Products
Vendor
IBM CorporationIBM
Product
Informix JDBC
Default Status
unaffected
Versions
Affected
  • 4.10, 4.50
Problem Types
TypeCWE IDDescription
CWECWE-78CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Type: CWE
CWE ID: CWE-78
Description: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Metrics
VersionBase scoreBase severityVector
3.16.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Version: 3.1
Base score: 6.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.ibm.com/support/pages/node/7099762
vendor-advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/259116
vdb-entry
Hyperlink: https://www.ibm.com/support/pages/node/7099762
Resource:
vendor-advisory
Hyperlink: https://exchange.xforce.ibmcloud.com/vulnerabilities/259116
Resource:
vdb-entry
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.ibm.com/support/pages/node/7099762
vendor-advisory
x_transferred
https://exchange.xforce.ibmcloud.com/vulnerabilities/259116
vdb-entry
x_transferred
Hyperlink: https://www.ibm.com/support/pages/node/7099762
Resource:
vendor-advisory
x_transferred
Hyperlink: https://exchange.xforce.ibmcloud.com/vulnerabilities/259116
Resource:
vdb-entry
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:psirt@us.ibm.com
Published At:20 Dec, 2023 | 15:15
Updated At:28 Dec, 2023 | 20:18

IBM Informix JDBC Driver 4.10 and 4.50 is susceptible to remote code execution attack via JNDI injection when passing an unchecked argument to a certain API. IBM X-Force ID: 259116.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Secondary3.16.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Type: Primary
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 6.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CPE Matches
IBM Corporation
ibm
>>informix_jdbc>>4.10
cpe:2.3:a:ibm:informix_jdbc:4.10:*:*:*:*:*:*:*
IBM Corporation
ibm
>>informix_jdbc>>4.50
cpe:2.3:a:ibm:informix_jdbc:4.50:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-74Primarynvd@nist.gov
CWE-78Secondarypsirt@us.ibm.com
CWE ID: CWE-74
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-78
Type: Secondary
Source: psirt@us.ibm.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://exchange.xforce.ibmcloud.com/vulnerabilities/259116psirt@us.ibm.com
VDB Entry
Vendor Advisory
https://www.ibm.com/support/pages/node/7099762psirt@us.ibm.com
Vendor Advisory
Hyperlink: https://exchange.xforce.ibmcloud.com/vulnerabilities/259116
Source: psirt@us.ibm.com
Resource:
VDB Entry
Vendor Advisory
Hyperlink: https://www.ibm.com/support/pages/node/7099762
Source: psirt@us.ibm.com
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

4421Records found
CVE-2014-7169
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-90.11% / 99.57%
||
7 Day CHG+0.50%
Published-25 Sep, 2014 | 01:00
Updated-22 Oct, 2025 | 01:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2022-07-28||Apply updates per vendor instructions.

GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271.

Action-Not Available
Vendor-mageian/aRed Hat, Inc.Check Point Software Technologies Ltd.VMware (Broadcom Inc.)F5, Inc.QNAP Systems, Inc.IBM CorporationGNUNovellSUSEopenSUSECitrix (Cloud Software Group, Inc.)Canonical Ltd.Apple Inc.Arista Networks, Inc.Oracle CorporationDebian GNU/Linux
Product-storwize_v3700_firmwareqtsbig-ip_global_traffic_managerqradar_vulnerability_managerenterprise_linux_serverstudio_onsitestorwize_v7000_firmwareubuntu_linuxarx_firmwaresecurity_access_manager_for_mobile_8.0_firmwarestn6800storwize_v5000storwize_v3500enterprise_managerzenworks_configuration_managementstn7800_firmwarebig-ip_local_traffic_managervirtualizationdebian_linuxarxqradar_security_information_and_event_managersecurity_access_manager_for_web_8.0_firmwaresmartcloud_entry_applianceenterprise_linux_for_power_big_endianstorwize_v3700infosphere_guardium_database_activity_monitoringeosbashbig-ip_wan_optimization_managerpureapplication_systemnetscaler_sdxenterprise_linuxesxenterprise_linux_eusworkload_deployerbig-ip_advanced_firewall_managerenterprise_linux_for_power_big_endian_eusnetscaler_sdx_firmwareflex_system_v7000big-ip_edge_gatewayenterprise_linux_for_scientific_computingstn6500_firmwaretraffix_signaling_delivery_controllerenterprise_linux_workstationstarter_kit_for_cloudqradar_risk_managerenterprise_linux_for_ibm_z_systemsopen_enterprise_serversan_volume_controller_firmwareenterprise_linux_desktoplinux_enterprise_desktoplinux_enterprise_software_development_kitenterprise_linux_server_from_rhuistorwize_v3500_firmwaremac_os_xvcenter_server_appliancebig-ip_access_policy_managerbig-ip_protocol_security_modulestn7800mageiastn6500big-ip_application_security_managersoftware_defined_network_for_virtual_environmentsbig-iq_cloudbig-ip_application_acceleration_managersecurity_access_manager_for_web_7.0_firmwarelinuxstorwize_v5000_firmwarebig-iq_devicebig-iq_securitystn6800_firmwaresecurity_gatewayopensusesmartcloud_provisioningbig-ip_policy_enforcement_managergluster_storage_server_for_on-premisestorwize_v7000big-ip_webacceleratorbig-ip_analyticsflex_system_v7000_firmwareenterprise_linux_server_aussan_volume_controllerbig-ip_link_controllerenterprise_linux_server_tuslinux_enterprise_servern/aBourne-Again Shell (Bash)
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-31767
Matching Score-10
Assigner-IBM Corporation
ShareView Details
Matching Score-10
Assigner-IBM Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.95% / 83.12%
||
7 Day CHG~0.00%
Published-24 Jun, 2022 | 15:35
Updated-16 Sep, 2024 | 23:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM CICS TX Standard and Advanced 11.1 could allow a remote attacker to execute arbitrary commands on the system by sending a specially crafted request. IBM X-Force ID: 227980.

Action-Not Available
Vendor-IBM CorporationLinux Kernel Organization, Inc
Product-linux_kernelcics_txCICS TX AdvancedCICS TX Standard
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-49803
Matching Score-10
Assigner-IBM Corporation
ShareView Details
Matching Score-10
Assigner-IBM Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.20% / 41.53%
||
7 Day CHG~0.00%
Published-29 Nov, 2024 | 16:50
Updated-29 Jan, 2025 | 21:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Security Verify Access Appliance command execution

IBM Security Verify Access Appliance 10.0.0 through 10.0.8 could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request.

Action-Not Available
Vendor-IBM Corporation
Product-security_verify_accessSecurity Verify Access
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2021-20509
Matching Score-10
Assigner-IBM Corporation
ShareView Details
Matching Score-10
Assigner-IBM Corporation
CVSS Score-7||HIGH
EPSS-0.76% / 72.86%
||
7 Day CHG~0.00%
Published-12 Aug, 2021 | 16:05
Updated-17 Sep, 2024 | 03:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Maximo Asset Management 7.6.0 and 7.6.1 is potentially vulnerable to CSV Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 198243.

Action-Not Available
Vendor-IBM Corporation
Product-maximo_asset_managementMaximo Asset Management
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2020-7621
Matching Score-10
Assigner-Snyk
ShareView Details
Matching Score-10
Assigner-Snyk
CVSS Score-9.8||CRITICAL
EPSS-1.74% / 82.17%
||
7 Day CHG~0.00%
Published-02 Apr, 2020 | 20:49
Updated-04 Aug, 2024 | 09:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

strong-nginx-controller through 1.0.2 is vulnerable to Command Injection. It allows execution of arbitrary command as part of the '_nginxCmd()' function.

Action-Not Available
Vendor-n/aIBM Corporation
Product-strongloop_nginx_controllerstrong-nginx-controller
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2020-4469
Matching Score-10
Assigner-IBM Corporation
ShareView Details
Matching Score-10
Assigner-IBM Corporation
CVSS Score-8.1||HIGH
EPSS-24.34% / 95.96%
||
7 Day CHG~0.00%
Published-15 Jun, 2020 | 13:25
Updated-16 Sep, 2024 | 18:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Spectrum Protect Plus 10.1.0 through 10.1.5 could allow a remote attacker to execute arbitrary code on the system. By using a specially crafted HTTP command, an attacker could exploit this vulnerability to execute arbitrary command on the system. This vulnerability is due to an incomplete fix for CVE-2020-4211. IBM X-Force ID: 181724.

Action-Not Available
Vendor-IBM Corporation
Product-spectrum_protect_plusSpectrum Protect Plus
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2020-4211
Matching Score-10
Assigner-IBM Corporation
ShareView Details
Matching Score-10
Assigner-IBM Corporation
CVSS Score-9.8||CRITICAL
EPSS-48.54% / 97.66%
||
7 Day CHG~0.00%
Published-24 Feb, 2020 | 15:35
Updated-17 Sep, 2024 | 01:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Spectrum Protect Plus 10.1.0 and 10.1.5 could allow a remote attacker to execute arbitrary code on the system. By using a specially crafted HTTP command, an attacker could exploit this vulnerability to execute arbitrary command on the system. IBM X-Force ID: 175022.

Action-Not Available
Vendor-IBM CorporationLinux Kernel Organization, Inc
Product-spectrum_protectlinux_kernelSpectrum Protect Plus
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2020-4210
Matching Score-10
Assigner-IBM Corporation
ShareView Details
Matching Score-10
Assigner-IBM Corporation
CVSS Score-9.8||CRITICAL
EPSS-28.95% / 96.44%
||
7 Day CHG~0.00%
Published-24 Feb, 2020 | 15:35
Updated-16 Sep, 2024 | 18:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Spectrum Protect Plus 10.1.0 and 10.1.5 could allow a remote attacker to execute arbitrary code on the system. By using a specially crafted HTTP command, an attacker could exploit this vulnerability to execute arbitrary command on the system. IBM X-Force ID: 175020.

Action-Not Available
Vendor-IBM CorporationLinux Kernel Organization, Inc
Product-spectrum_protectlinux_kernelSpectrum Protect Plus
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2020-4222
Matching Score-10
Assigner-IBM Corporation
ShareView Details
Matching Score-10
Assigner-IBM Corporation
CVSS Score-9.8||CRITICAL
EPSS-28.95% / 96.44%
||
7 Day CHG~0.00%
Published-24 Feb, 2020 | 15:35
Updated-17 Sep, 2024 | 00:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Spectrum Protect Plus 10.1.0 and 10.1.5 could allow a remote attacker to execute arbitrary code on the system. By using a specially crafted HTTP command, an attacker could exploit this vulnerability to execute arbitrary command on the system. IBM X-Force ID: 175091.

Action-Not Available
Vendor-IBM Corporation
Product-spectrum_protectSpectrum Protect Plus
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2020-36531
Matching Score-10
Assigner-VulDB
ShareView Details
Matching Score-10
Assigner-VulDB
CVSS Score-6.3||MEDIUM
EPSS-0.44% / 62.89%
||
7 Day CHG~0.00%
Published-03 Jun, 2022 | 19:10
Updated-15 Apr, 2025 | 14:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SevOne Network Management System Device Manager Page injection

A vulnerability, which was classified as critical, has been found in SevOne Network Management System up to 5.7.2.22. This issue affects the Device Manager Page. An injection leads to privilege escalation. The attack may be initiated remotely.

Action-Not Available
Vendor-SevOneIBM Corporation
Product-sevone_network_performance_managementNetwork Management System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2024-22319
Matching Score-10
Assigner-IBM Corporation
ShareView Details
Matching Score-10
Assigner-IBM Corporation
CVSS Score-8.1||HIGH
EPSS-89.00% / 99.51%
||
7 Day CHG~0.00%
Published-02 Feb, 2024 | 02:14
Updated-01 Aug, 2024 | 22:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Operational Decision Manager JDNI injection

IBM Operational Decision Manager 8.10.3, 8.10.4, 8.10.5.1, 8.11, 8.11.0.1, 8.11.1 and 8.12.0.1 is susceptible to remote code execution attack via JNDI injection when passing an unchecked argument to a certain API. IBM X-Force ID: 279145.

Action-Not Available
Vendor-IBM Corporation
Product-operational_decision_managerOperational Decision Manageroperational_decision_manager
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2014-6271
Matching Score-10
Assigner-Debian GNU/Linux
ShareView Details
Matching Score-10
Assigner-Debian GNU/Linux
CVSS Score-9.8||CRITICAL
EPSS-94.22% / 99.92%
||
7 Day CHG~0.00%
Published-24 Sep, 2014 | 18:00
Updated-22 Oct, 2025 | 01:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2022-07-28||Apply updates per vendor instructions.

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.

Action-Not Available
Vendor-mageian/aRed Hat, Inc.Check Point Software Technologies Ltd.VMware (Broadcom Inc.)F5, Inc.QNAP Systems, Inc.IBM CorporationGNUNovellSUSEopenSUSECitrix (Cloud Software Group, Inc.)Canonical Ltd.Apple Inc.Arista Networks, Inc.Oracle CorporationDebian GNU/Linux
Product-storwize_v3700_firmwareqtsbig-ip_global_traffic_managerqradar_vulnerability_managerenterprise_linux_serverstudio_onsitestorwize_v7000_firmwareubuntu_linuxarx_firmwaresecurity_access_manager_for_mobile_8.0_firmwarestn6800storwize_v5000storwize_v3500enterprise_managerzenworks_configuration_managementstn7800_firmwarebig-ip_local_traffic_managervirtualizationdebian_linuxarxqradar_security_information_and_event_managersecurity_access_manager_for_web_8.0_firmwaresmartcloud_entry_applianceenterprise_linux_for_power_big_endianstorwize_v3700infosphere_guardium_database_activity_monitoringeosbashbig-ip_wan_optimization_managerpureapplication_systemnetscaler_sdxenterprise_linuxesxenterprise_linux_eusworkload_deployerbig-ip_advanced_firewall_managerenterprise_linux_for_power_big_endian_eusnetscaler_sdx_firmwareflex_system_v7000big-ip_edge_gatewayenterprise_linux_for_scientific_computingstn6500_firmwaretraffix_signaling_delivery_controllerenterprise_linux_workstationstarter_kit_for_cloudqradar_risk_managerenterprise_linux_for_ibm_z_systemsopen_enterprise_serversan_volume_controller_firmwareenterprise_linux_desktoplinux_enterprise_desktoplinux_enterprise_software_development_kitenterprise_linux_server_from_rhuistorwize_v3500_firmwaremac_os_xvcenter_server_appliancebig-ip_access_policy_managerbig-ip_protocol_security_modulestn7800mageiastn6500big-ip_application_security_managersoftware_defined_network_for_virtual_environmentsbig-iq_cloudbig-ip_application_acceleration_managersecurity_access_manager_for_web_7.0_firmwarelinuxstorwize_v5000_firmwarebig-iq_devicebig-iq_securitystn6800_firmwaresecurity_gatewayopensusesmartcloud_provisioningbig-ip_policy_enforcement_managergluster_storage_server_for_on-premisestorwize_v7000big-ip_webacceleratorbig-ip_analyticsflex_system_v7000_firmwareenterprise_linux_server_aussan_volume_controllerbig-ip_link_controllerenterprise_linux_server_tuslinux_enterprise_servern/aBourne-Again Shell (Bash)
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2021-39065
Matching Score-10
Assigner-IBM Corporation
ShareView Details
Matching Score-10
Assigner-IBM Corporation
CVSS Score-8.1||HIGH
EPSS-4.19% / 88.46%
||
7 Day CHG~0.00%
Published-13 Dec, 2021 | 17:55
Updated-16 Sep, 2024 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Spectrum Copy Data Management 2.2.13 and earlier could allow a remote attacker to execute arbitrary commands on the system, caused by improper validation of user-supplied input by the Spectrum Copy Data Management Admin Console login and uploadcertificate function . A remote attacker could inject arbitrary shell commands which would be executed on the affected system. IBM X-Force ID: 214958.

Action-Not Available
Vendor-IBM CorporationLinux Kernel Organization, Inc
Product-spectrum_copy_data_managementlinux_kernelSpectrum Copy Data Management
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2020-4213
Matching Score-10
Assigner-IBM Corporation
ShareView Details
Matching Score-10
Assigner-IBM Corporation
CVSS Score-9.8||CRITICAL
EPSS-28.95% / 96.44%
||
7 Day CHG~0.00%
Published-24 Feb, 2020 | 15:35
Updated-17 Sep, 2024 | 02:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Spectrum Protect Plus 10.1.0 and 10.1.5 could allow a remote attacker to execute arbitrary code on the system. By using a specially crafted HTTP command, an attacker could exploit this vulnerability to execute arbitrary command on the system. IBM X-Force ID: 175024.

Action-Not Available
Vendor-IBM Corporation
Product-spectrum_protectSpectrum Protect Plus
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2025-13375
Matching Score-8
Assigner-IBM Corporation
ShareView Details
Matching Score-8
Assigner-IBM Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.07% / 22.11%
||
7 Day CHG+0.02%
Published-04 Feb, 2026 | 20:31
Updated-06 Feb, 2026 | 19:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Common Cryptographic Architecture Arbitrary Command Execution

IBM Common Cryptographic Architecture (CCA) 7.5.52 and 8.4.82 could allow an unauthenticated user to execute arbitrary commands with elevated privileges on the system.

Action-Not Available
Vendor-IBM Corporation
Product-Common Cryptographic ArchitectureIBM 4769 Developers Toolkit
CWE ID-CWE-250
Execution with Unnecessary Privileges
CVE-2022-35280
Matching Score-8
Assigner-IBM Corporation
ShareView Details
Matching Score-8
Assigner-IBM Corporation
CVSS Score-4.6||MEDIUM
EPSS-0.21% / 42.49%
||
7 Day CHG~0.00%
Published-10 Aug, 2022 | 16:50
Updated-17 Sep, 2024 | 02:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts. IBM X-Force ID: 230634.

Action-Not Available
Vendor-Microsoft CorporationIBM Corporation
Product-windowsrobotic_process_automation_for_cloud_pakRobotic Process Automation
CWE ID-CWE-521
Weak Password Requirements
CVE-2019-4521
Matching Score-8
Assigner-IBM Corporation
ShareView Details
Matching Score-8
Assigner-IBM Corporation
CVSS Score-7||HIGH
EPSS-1.04% / 77.05%
||
7 Day CHG~0.00%
Published-10 Dec, 2019 | 16:10
Updated-17 Sep, 2024 | 00:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Platform System Manager in IBM Cloud Pak System 2.3 is potentially vulnerable to CVS Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 165179.

Action-Not Available
Vendor-IBM Corporation
Product-cloud_pak_systemCloud Pak System
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2015-7450
Matching Score-8
Assigner-IBM Corporation
ShareView Details
Matching Score-8
Assigner-IBM Corporation
CVSS Score-9.8||CRITICAL
EPSS-93.49% / 99.81%
||
7 Day CHG~0.00%
Published-02 Jan, 2016 | 21:00
Updated-22 Oct, 2025 | 00:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2022-07-10||Apply updates per vendor instructions.

Serialized-object interfaces in certain IBM analytics, business solutions, cognitive, IT infrastructure, and mobile and social products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the InvokerTransformer class in the Apache Commons Collections library.

Action-Not Available
Vendor-n/aIBM Corporation
Product-websphere_application_serverwatson_explorer_annotation_administration_consolewatson_explorer_analytical_componentswatson_content_analyticssterling_integratorsterling_b2b_integratortivoli_common_reportingn/aWebSphere Application Server and Server Hypervisor Edition
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2021-29772
Matching Score-8
Assigner-IBM Corporation
ShareView Details
Matching Score-8
Assigner-IBM Corporation
CVSS Score-5.6||MEDIUM
EPSS-0.25% / 47.91%
||
7 Day CHG~0.00%
Published-26 Aug, 2021 | 19:25
Updated-17 Sep, 2024 | 02:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM API Connect 5.0.0.0 through 5.0.8.11 could allow a user to potentially inject code due to unsanitized user input. IBM X-Force ID: 202774.

Action-Not Available
Vendor-IBM Corporation
Product-api_connectAPI Connect
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2024-45651
Matching Score-8
Assigner-IBM Corporation
ShareView Details
Matching Score-8
Assigner-IBM Corporation
CVSS Score-6.3||MEDIUM
EPSS-0.13% / 32.96%
||
7 Day CHG+0.09%
Published-18 Apr, 2025 | 11:04
Updated-01 Sep, 2025 | 00:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Sterling Connect:Direct Web Services session fixation

IBM Sterling Connect:Direct Web Services 6.1.0, 6.2.0, and 6.3.0 does not invalidate session after a browser closure which could allow an authenticated user to impersonate another user on the system.

Action-Not Available
Vendor-Microsoft CorporationIBM CorporationLinux Kernel Organization, Inc
Product-sterling_connect_direct_web_serviceslinux_kernelaixwindowsSterling Connect:Direct Web Services
CWE ID-CWE-613
Insufficient Session Expiration
CVE-2024-52360
Matching Score-8
Assigner-IBM Corporation
ShareView Details
Matching Score-8
Assigner-IBM Corporation
CVSS Score-7.6||HIGH
EPSS-0.10% / 26.74%
||
7 Day CHG~0.00%
Published-19 Nov, 2024 | 19:31
Updated-18 Jul, 2025 | 13:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Concert Software SQL injection

IBM Concert Software 1.0.0, 1.0.1, 1.0.2, and 1.0.2.1 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify, or delete information in the back-end database.

Action-Not Available
Vendor-IBM Corporation
Product-concertConcert Software
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-29903
Matching Score-8
Assigner-IBM Corporation
ShareView Details
Matching Score-8
Assigner-IBM Corporation
CVSS Score-6.3||MEDIUM
EPSS-0.36% / 57.53%
||
7 Day CHG~0.00%
Published-06 Oct, 2021 | 17:10
Updated-16 Sep, 2024 | 23:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Sterling B2B Integrator Standard Edition 5.2.6.0 through 6.1.1.0 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 207506.

Action-Not Available
Vendor-IBM Corporation
Product-sterling_b2b_integratorSterling B2B Integrator
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2016-6087
Matching Score-8
Assigner-IBM Corporation
ShareView Details
Matching Score-8
Assigner-IBM Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.43% / 80.36%
||
7 Day CHG~0.00%
Published-07 Jun, 2017 | 17:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Domino 8.5 and 9.0 could allow an attacker to steal credentials using multiple sessions and large amounts of data using Domino TLS Key Exchange validation. IBM X-Force ID: 117918.

Action-Not Available
Vendor-IBM Corporation
Product-dominoDomino
CWE ID-CWE-20
Improper Input Validation
CVE-2024-49808
Matching Score-8
Assigner-IBM Corporation
ShareView Details
Matching Score-8
Assigner-IBM Corporation
CVSS Score-6.3||MEDIUM
EPSS-0.13% / 32.96%
||
7 Day CHG+0.09%
Published-18 Apr, 2025 | 11:03
Updated-01 Sep, 2025 | 00:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Sterling Connect:Direct Web Services improper authorization

IBM Sterling Connect:Direct Web Services 6.1.0, 6.2.0, and 6.3.0 could allow an authenticated user to spoof the identity of another user due to improper authorization which could allow the user to bypass access restrictions.

Action-Not Available
Vendor-Microsoft CorporationIBM CorporationLinux Kernel Organization, Inc
Product-sterling_connect_direct_web_serviceslinux_kernelaixwindowsSterling Connect:Direct Web Services
CWE ID-CWE-863
Incorrect Authorization
CVE-2024-49825
Matching Score-8
Assigner-IBM Corporation
ShareView Details
Matching Score-8
Assigner-IBM Corporation
CVSS Score-6.3||MEDIUM
EPSS-0.15% / 35.76%
||
7 Day CHG+0.10%
Published-14 Apr, 2025 | 14:53
Updated-01 Sep, 2025 | 00:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Robotic Process Automation session fixation

IBM Robotic Process Automation and Robotic Process Automation for Cloud Pak 21.0.0 through 21.0.7.20 and 23.0.0 through 23.0.20 does not invalidate session after a logout which could allow an authenticated user to impersonate another user on the system.

Action-Not Available
Vendor-IBM Corporation
Product-robotic_process_automationrobotic_process_automation_for_cloud_pakRobotic Process Automation for Cloud PakRobotic Process Automation
CWE ID-CWE-613
Insufficient Session Expiration
CVE-2024-49805
Matching Score-8
Assigner-IBM Corporation
ShareView Details
Matching Score-8
Assigner-IBM Corporation
CVSS Score-9.4||CRITICAL
EPSS-0.04% / 12.34%
||
7 Day CHG~0.00%
Published-29 Nov, 2024 | 16:52
Updated-29 Jan, 2025 | 21:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Security Verify Access Appliance hard coded credentials

IBM Security Verify Access Appliance 10.0.0 through 10.0.8 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

Action-Not Available
Vendor-IBM Corporation
Product-security_verify_accessSecurity Verify Access
CWE ID-CWE-798
Use of Hard-coded Credentials
CVE-2021-29781
Matching Score-8
Assigner-IBM Corporation
ShareView Details
Matching Score-8
Assigner-IBM Corporation
CVSS Score-9.8||CRITICAL
EPSS-4.05% / 88.25%
||
7 Day CHG~0.00%
Published-30 Jul, 2021 | 11:15
Updated-17 Sep, 2024 | 00:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Partner Engagement Manager 2.0 could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization flaw. By sending specially-crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 203091.

Action-Not Available
Vendor-IBM CorporationLinux Kernel Organization, Inc
Product-partner_engagement_managerlinux_kernelPartner Engagement Manager
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2022-34331
Matching Score-8
Assigner-IBM Corporation
ShareView Details
Matching Score-8
Assigner-IBM Corporation
CVSS Score-5.5||MEDIUM
EPSS-0.19% / 41.03%
||
7 Day CHG~0.00%
Published-11 Nov, 2022 | 17:45
Updated-01 May, 2025 | 13:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Power FW security bypass

After performing a sequence of Power FW950, FW1010 maintenance operations a SRIOV network adapter can be improperly configured leading to desired VEPA configuration being disabled. IBM X-Force ID: 229695.

Action-Not Available
Vendor-IBM Corporation
Product-powervm_hypervisorPower FW
CWE ID-CWE-287
Improper Authentication
CVE-2021-29908
Matching Score-8
Assigner-IBM Corporation
ShareView Details
Matching Score-8
Assigner-IBM Corporation
CVSS Score-9.1||CRITICAL
EPSS-0.61% / 69.12%
||
7 Day CHG~0.00%
Published-06 Oct, 2021 | 17:50
Updated-16 Sep, 2024 | 19:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The IBM TS7700 Management Interface is vulnerable to unauthenticated access. By accessing a specially-crafted URL, an attacker may gain administrative access to the Management Interface without authentication. IBM X-Force ID: 207747.

Action-Not Available
Vendor-IBM Corporation
Product-ts7700_firmwarets7700Virtualization Engine TS7700 3957-VEDVirtualization Engine TS7700 3957-VEC
CVE-2024-45656
Matching Score-8
Assigner-IBM Corporation
ShareView Details
Matching Score-8
Assigner-IBM Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.11% / 30.08%
||
7 Day CHG~0.00%
Published-29 Oct, 2024 | 00:37
Updated-03 Dec, 2025 | 18:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Flexible Service Processor hard coded credentials

IBM Flexible Service Processor (FSP) FW860.00 through FW860.B3, FW950.00 through FW950.C0, FW1030.00 through FW1030.61, FW1050.00 through FW1050.21, and FW1060.00 through FW1060.10 has static credentials which may allow network users to gain service privileges to the FSP.

Action-Not Available
Vendor-IBM Corporation
Product-power_system_s914_\(9009-41g\)_firmwareess_5000_\(5105-22e\)power_system_s812_\(8284-21a\)_firmwarepower_system_e950_\(9040-mr9\)_firmwarepower_system_e880c_\(9080-mhe\)_firmwarepower_system_e880_\(9119-mhe\)power_system_s914_\(9009-41g\)power_system_s924_\(9009-42a\)power_system_s922_\(9009-22a\)_firmwarepower_system_h922_\(9223-22h\)power_system_s822l_\(8247-22l\)power_system_s922_\(9009-22g\)_firmwarepower_system_l922_\(9008-22l\)ess_5000_\(5105-22e\)_firmwarepower_system_s812l_\(8247-21l\)_firmwarepower_system_l922_\(9008-22l\)_firmwarepower_system_h924_\(9223-42h\)_firmwarepower_system_e950_\(9040-mr9\)power_system_s824_\(8286-42a\)_firmwarepower_system_h924_\(9223-42s\)power_system_h922_\(9223-22s\)_firmwarepower_system_e1080_\(9080-hex\)_firmwarepower_system_s822_\(8284-22a\)_firmwarepower_system_s824_\(8286-42a\)power_system_e870c_\(9080-mme\)power_system_e850c_\(8408-44e\)_firmwarepower_system_h924_\(9223-42s\)_firmwarepower_system_s914_\(9009-41a\)_firmwarepower_system_e850_\(8408-e8e\)power_system_s914_\(9009-41a\)power_system_s922_\(9009-22a\)power_system_h924_\(9223-42h\)power_system_s822_\(8284-22a\)power_system_s824l_\(8247-42l\)power_system_e880c_\(9080-mhe\)power_system_e850_\(8408-e8e\)_firmwarepower_system_e870_\(9119-mme\)_firmwarepower_system_s824l_\(8247-42l\)_firmwarepower_system_e1080_\(9080-hex\)power_system_s922_\(9009-22g\)power_system_s924_\(9009-42g\)_firmwarepower_system_s822l_\(8247-22l\)_firmwarepower_system_h922_\(9223-22s\)power_system_s814_\(8286-41a\)_firmwarepower_system_s812l_\(8247-21l\)power_system_e980_\(9080-m9s\)_firmwarepower_system_s924_\(9009-42g\)power_system_e850c_\(8408-44e\)power_system_e880_\(9119-mhe\)_firmwarepower_system_e980_\(9080-m9s\)power_system_e870c_\(9080-mme\)_firmwarepower_system_e870_\(9119-mme\)power_system_s814_\(8286-41a\)power_system_s924_\(9009-42a\)_firmwarepower_system_s812_\(8284-21a\)power_system_h922_\(9223-22h\)_firmwareFlexible Service Processor
CWE ID-CWE-798
Use of Hard-coded Credentials
CVE-2024-43181
Matching Score-8
Assigner-IBM Corporation
ShareView Details
Matching Score-8
Assigner-IBM Corporation
CVSS Score-6.3||MEDIUM
EPSS-0.04% / 11.93%
||
7 Day CHG~0.00%
Published-04 Feb, 2026 | 21:18
Updated-05 Feb, 2026 | 14:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Multiple Vulnerabilities in IBM Concert Software

IBM Concert 1.0.0 through 2.1.0 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system.

Action-Not Available
Vendor-IBM Corporation
Product-Concert
CWE ID-CWE-613
Insufficient Session Expiration
CVE-2024-43177
Matching Score-8
Assigner-IBM Corporation
ShareView Details
Matching Score-8
Assigner-IBM Corporation
CVSS Score-5.9||MEDIUM
EPSS-0.07% / 21.99%
||
7 Day CHG~0.00%
Published-22 Oct, 2024 | 14:52
Updated-25 Oct, 2024 | 16:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Concert improper certificate validation

IBM Concert 1.0.0 and 1.0.1 vulnerable to attacks that rely on the use of cookies without the SameSite attribute.

Action-Not Available
Vendor-IBM Corporation
Product-concertConcert
CWE ID-CWE-295
Improper Certificate Validation
CVE-2022-33162
Matching Score-8
Assigner-IBM Corporation
ShareView Details
Matching Score-8
Assigner-IBM Corporation
CVSS Score-7.3||HIGH
EPSS-0.12% / 31.79%
||
7 Day CHG~0.00%
Published-16 Aug, 2024 | 18:33
Updated-07 Sep, 2024 | 13:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Directory Server buffer overflow

IBM Security Directory Integrator 7.2.0 and Security Verify Directory Integrator 10.0.0 does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources, at the privilege level of a standard unprivileged user. IBM X-Force ID: 228570.

Action-Not Available
Vendor-IBM Corporation
Product-security_verify_directory_integratorsecurity_directory_integratorSecurity Directory IntegratorSecurity Verify Directory Integrator
CWE ID-CWE-119
Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2022-31768
Matching Score-8
Assigner-IBM Corporation
ShareView Details
Matching Score-8
Assigner-IBM Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.11% / 29.70%
||
7 Day CHG~0.00%
Published-06 Jun, 2022 | 16:20
Updated-16 Sep, 2024 | 23:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM InfoSphere Information Server 11.7 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database.

Action-Not Available
Vendor-IBM Corporation
Product-infosphere_information_serverInfoSphere Information Server
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-40691
Matching Score-8
Assigner-IBM Corporation
ShareView Details
Matching Score-8
Assigner-IBM Corporation
CVSS Score-8||HIGH
EPSS-0.08% / 23.81%
||
7 Day CHG~0.00%
Published-03 Dec, 2024 | 16:41
Updated-11 Dec, 2024 | 03:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Cognos Controller file upload

IBM Cognos Controller 11.0.0 and 11.0.1 could be vulnerable to malicious file upload by not validating the content of the file uploaded to the web interface. Attackers can make use of this weakness and upload malicious executable files into the system, and it can be sent to victim for performing further attacks.

Action-Not Available
Vendor-IBM Corporation
Product-cognos_controllerCognos Controller
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2016-6090
Matching Score-8
Assigner-IBM Corporation
ShareView Details
Matching Score-8
Assigner-IBM Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.01% / 76.67%
||
7 Day CHG~0.00%
Published-01 Feb, 2017 | 20:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM WebSphere Commerce contains an unspecified vulnerability that could allow disclosure of user personal data, performing of unauthorized administrative operations, and potentially causing a denial of service.

Action-Not Available
Vendor-IBM Corporation
Product-websphere_commerceWebSphere Commerce Enterprise
CVE-2013-3323
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.53% / 66.86%
||
7 Day CHG~0.00%
Published-18 Feb, 2020 | 16:03
Updated-06 Aug, 2024 | 16:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Privilege Escalation Vulnerability exists in IBM Maximo Asset Management 7.5, 7.1, and 6.2, when WebSeal with Basic Authentication is used, due to a failure to invalidate the authentication session, which could let a malicious user obtain unauthorized access.

Action-Not Available
Vendor-n/aIBM Corporation
Product-maximo_for_transportationmaximo_for_life_sciencesmaximo_asset_managementmaximo_for_governmentmaximo_service_deskmaximo_asset_management_essentialsmaximo_for_oil_and_gastivoli_asset_management_for_ittivoli_service_request_managermaximo_for_utilitieschange_and_configuration_management_databasemaximo_for_nuclear_powersmartcloud_control_deskn/a
CWE ID-CWE-269
Improper Privilege Management
CVE-2024-39736
Matching Score-8
Assigner-IBM Corporation
ShareView Details
Matching Score-8
Assigner-IBM Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.17% / 37.98%
||
7 Day CHG~0.00%
Published-15 Jul, 2024 | 01:28
Updated-02 Aug, 2024 | 04:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Datacap Navigator HTTP HOST header injection

IBM Datacap Navigator 9.1.5, 9.1.6, 9.1.7, 9.1.8, and 9.1.9 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. IBM X-Force ID: 296003.

Action-Not Available
Vendor-IBM Corporation
Product-datacapdatacap_navigatorDatacap Navigator
CWE ID-CWE-644
Improper Neutralization of HTTP Headers for Scripting Syntax
CWE ID-CWE-116
Improper Encoding or Escaping of Output
CVE-2024-39742
Matching Score-8
Assigner-IBM Corporation
ShareView Details
Matching Score-8
Assigner-IBM Corporation
CVSS Score-8.1||HIGH
EPSS-0.03% / 9.45%
||
7 Day CHG~0.00%
Published-08 Jul, 2024 | 13:16
Updated-07 Aug, 2024 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM MQ Container authentication bypass

IBM MQ Operator 3.2.2 and IBM MQ Operator 2.0.24 could allow a user to bypass authentication under certain configurations due to a partial string comparison vulnerability. IBM X-Force ID: 297169.

Action-Not Available
Vendor-IBM Corporation
Product-mq_operatorMQ Operatormq_operator
CWE ID-CWE-187
Partial String Comparison
CWE ID-CWE-697
Incorrect Comparison
CVE-2024-25019
Matching Score-8
Assigner-IBM Corporation
ShareView Details
Matching Score-8
Assigner-IBM Corporation
CVSS Score-5.5||MEDIUM
EPSS-0.07% / 22.09%
||
7 Day CHG~0.00%
Published-03 Dec, 2024 | 16:29
Updated-11 Dec, 2024 | 03:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Cognos Controller file upload

IBM Cognos Controller 11.0.0 and 11.0.1 could be vulnerable to malicious file upload by not validating the type of file uploaded to Journal entry attachments. Attackers can make use of this weakness and upload malicious executable files into the system that can be sent to victims for performing further attacks.

Action-Not Available
Vendor-IBM Corporation
Product-cognos_controllerCognos Controller
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2024-39727
Matching Score-8
Assigner-IBM Corporation
ShareView Details
Matching Score-8
Assigner-IBM Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.10% / 27.93%
||
7 Day CHG~0.00%
Published-25 Dec, 2024 | 13:59
Updated-10 Jan, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Engineering Lifecycle Optimization - Engineering Insights tabnabbing

IBM Engineering Lifecycle Optimization - Engineering Insights 7.0.2 and 7.0.3 uses a web link with untrusted references to an external site. A remote attacker could exploit this vulnerability to expose sensitive information or perform unauthorized actions on the victims’ web browser.

Action-Not Available
Vendor-IBM Corporation
Product-engineering_lifecycle_optimization_-_engineering_insightsEngineering Insights
CWE ID-CWE-1022
Use of Web Link to Untrusted Target with window.opener Access
CVE-2024-39747
Matching Score-8
Assigner-IBM Corporation
ShareView Details
Matching Score-8
Assigner-IBM Corporation
CVSS Score-8.1||HIGH
EPSS-0.08% / 23.88%
||
7 Day CHG~0.00%
Published-31 Aug, 2024 | 01:01
Updated-16 Sep, 2024 | 17:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Sterling Connect:Direct Web Services information disclosure

IBM Sterling Connect:Direct Web Services 6.0, 6.1, 6.2, and 6.3 uses default credentials for potentially critical functionality.

Action-Not Available
Vendor-IBM CorporationLinux Kernel Organization, IncMicrosoft Corporation
Product-aixsterling_connect_direct_web_serviceswindowslinux_kernelSterling Connect:Direct Web Services
CWE ID-CWE-1392
Use of Default Credentials
CVE-2024-38327
Matching Score-8
Assigner-IBM Corporation
ShareView Details
Matching Score-8
Assigner-IBM Corporation
CVSS Score-6.8||MEDIUM
EPSS-0.03% / 7.99%
||
7 Day CHG-0.00%
Published-10 Jul, 2025 | 14:14
Updated-18 Aug, 2025 | 01:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Analytics Content Hub information disclosure

IBM Analytics Content Hub 2.0, 2.1, 2.2, and 2.3 is vulnerable to information exposure and further attacks due to an exposed JavaScript source map which could assist an attacker to read and debug JavaScript used in the application's API.

Action-Not Available
Vendor-IBM Corporation
Product-analytics_content_hubAnalytics Content Hub
CWE ID-CWE-540
Inclusion of Sensitive Information in Source Code
CVE-2023-50940
Matching Score-8
Assigner-IBM Corporation
ShareView Details
Matching Score-8
Assigner-IBM Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 11.84%
||
7 Day CHG~0.00%
Published-02 Feb, 2024 | 01:05
Updated-02 Aug, 2024 | 22:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM PowerSC cross-resource origin sharing

IBM PowerSC 1.3, 2.0, and 2.1 uses Cross-Origin Resource Sharing (CORS) which could allow an attacker to carry out privileged actions and retrieve sensitive information as the domain name is not being limited to only trusted domains. IBM X-Force ID: 275130.

Action-Not Available
Vendor-IBM Corporation
Product-powerscPowerSCpowersc
CWE ID-CWE-942
Permissive Cross-domain Policy with Untrusted Domains
CWE ID-CWE-697
Incorrect Comparison
CVE-2023-50316
Matching Score-8
Assigner-IBM Corporation
ShareView Details
Matching Score-8
Assigner-IBM Corporation
CVSS Score-6.3||MEDIUM
EPSS-0.06% / 18.58%
||
7 Day CHG~0.00%
Published-28 Jan, 2025 | 00:22
Updated-28 Jan, 2025 | 15:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Sterling B2B Integrator information disclosure

IBM Sterling B2B Integrator 6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.1 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database.

Action-Not Available
Vendor-IBM Corporation
Product-Sterling B2B Integrator
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2023-49886
Matching Score-8
Assigner-IBM Corporation
ShareView Details
Matching Score-8
Assigner-IBM Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.25% / 79.01%
||
7 Day CHG~0.00%
Published-06 Oct, 2025 | 14:47
Updated-16 Oct, 2025 | 18:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Transformation Extender Advanced code execution

IBM Standards Processing Engine 10.0.1.10 could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe java deserialization. By sending specially crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system.

Action-Not Available
Vendor-IBM Corporation
Product-transformation_extender_advancedTransformation Extender Advanced
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2023-50936
Matching Score-8
Assigner-IBM Corporation
ShareView Details
Matching Score-8
Assigner-IBM Corporation
CVSS Score-6.3||MEDIUM
EPSS-0.04% / 10.55%
||
7 Day CHG~0.00%
Published-02 Feb, 2024 | 01:03
Updated-02 Aug, 2024 | 22:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM PowerSC session fixation

IBM PowerSC 1.3, 2.0, and 2.1 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 275116.

Action-Not Available
Vendor-IBM Corporation
Product-powerscPowerSC
CWE ID-CWE-613
Insufficient Session Expiration
CVE-2023-47143
Matching Score-8
Assigner-IBM Corporation
ShareView Details
Matching Score-8
Assigner-IBM Corporation
CVSS Score-10||CRITICAL
EPSS-0.10% / 28.48%
||
7 Day CHG~0.00%
Published-02 Feb, 2024 | 13:03
Updated-02 Aug, 2024 | 21:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Tivoli Application Dependency Discovery Manager HOST header injection

IBM Tivoli Application Dependency Discovery Manager 7.3.0.0 through 7.3.0.10 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. IBM X-Force ID: 270270.

Action-Not Available
Vendor-IBM Corporation
Product-tivoli_application_dependency_discovery_managerTivoli Application Dependency Discovery Manager
CWE ID-CWE-644
Improper Neutralization of HTTP Headers for Scripting Syntax
CWE ID-CWE-116
Improper Encoding or Escaping of Output
CVE-2023-43040
Matching Score-8
Assigner-IBM Corporation
ShareView Details
Matching Score-8
Assigner-IBM Corporation
CVSS Score-6.5||MEDIUM
EPSS-10.17% / 92.95%
||
7 Day CHG~0.00%
Published-13 May, 2024 | 02:18
Updated-04 Nov, 2025 | 20:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Spectrum Fusion HCI improper access control

IBM Spectrum Fusion HCI 2.5.2 through 2.7.2 could allow an attacker to perform unauthorized actions in RGW for Ceph due to improper bucket access. IBM X-Force ID: 266807.

Action-Not Available
Vendor-IBM Corporation
Product-storage_fusion_hciSpectrum Fusion HCIspectrum_fusion_hci
CWE ID-CWE-1220
Insufficient Granularity of Access Control
CVE-2003-5001
Matching Score-8
Assigner-IBM Corporation
ShareView Details
Matching Score-8
Assigner-IBM Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.31% / 53.78%
||
7 Day CHG~0.00%
Published-28 Mar, 2022 | 20:45
Updated-08 Aug, 2024 | 03:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ISS BlackICE PC Protection Cross Site Scripting Detection privileges management

A vulnerability was found in ISS BlackICE PC Protection and classified as critical. Affected by this issue is the component Cross Site Scripting Detection. The manipulation as part of POST/PUT/DELETE/OPTIONS Request leads to privilege escalation. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. NOTE: This vulnerability only affects products that are no longer supported by the maintainer

Action-Not Available
Vendor-ISSIBM Corporation
Product-iss_blackice_pc_protectionBlackICE PC Protection
CWE ID-CWE-269
Improper Privilege Management
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 88
  • 89
  • Next
Details not found