Vulnerabilities > IBM > High

DATE CVE VULNERABILITY TITLE RISK
2016-12-01 CVE-2016-3033 XXE vulnerability in IBM Appscan Source
IBM AppScan Source 8.7 through 9.0.3.3 allows remote authenticated users to read arbitrary files or cause a denial of service (memory consumption) via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
network
low complexity
ibm CWE-611
8.1
2016-12-01 CVE-2016-3012 Information Exposure vulnerability in IBM API Connect and Network Path Manager
IBM API Connect (aka APIConnect) before 5.0.3.0 with NPM before 2.2.8 includes certain internal server credentials in the software package, which might allow remote attackers to bypass intended access restrictions by leveraging knowledge of these credentials.
network
low complexity
ibm CWE-200
7.5
2016-12-01 CVE-2016-2946 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in IBM Tivoli Monitoring
Stack-based buffer overflow in the ax Shared Libraries in the Agent in IBM Tivoli Monitoring (ITM) 6.2.2 before FP9, 6.2.3 before FP5, and 6.3.0 before FP2 on Linux and UNIX allows local users to gain privileges via unspecified vectors.
local
low complexity
ibm CWE-119
7.8
2016-11-30 CVE-2016-2917 Permissions, Privileges, and Access Controls vulnerability in IBM Tririga Application Platform 10.4/10.5
The notifications component in IBM TRIRIGA Applications 10.4 and 10.5 before 10.5.1 allows remote authenticated users to obtain sensitive password information, and consequently gain privileges, via unspecified vectors.
network
low complexity
ibm CWE-264
8.8
2016-11-30 CVE-2016-2887 Improper Access Control vulnerability in IBM IMS Enterprise Suite
IBM IMS Enterprise Suite Data Provider before 3.2.0.1 for Microsoft .NET allows remote authenticated users to obtain sensitive information or modify data via unspecified vectors.
network
low complexity
ibm CWE-284
8.1
2016-11-30 CVE-2016-2884 Cross-Site Request Forgery (CSRF) vulnerability in IBM Forms Experience Builder
Cross-site request forgery (CSRF) vulnerability in IBM Forms Experience Builder 8.5.x and 8.6.x before 8.6.3.1, in an unspecified non-default configuration, allows remote authenticated users to hijack the authentication of arbitrary users for requests that insert XSS sequences.
network
low complexity
ibm CWE-352
8.0
2016-11-30 CVE-2016-2878 Cross-Site Request Forgery (CSRF) vulnerability in IBM Qradar Security Information and Event Manager
Multiple cross-site request forgery (CSRF) vulnerabilities in IBM QRadar SIEM 7.1 before MR2 Patch 13 and 7.2 before 7.2.7 allow remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences.
network
low complexity
ibm CWE-352
8.0
2016-11-30 CVE-2016-2876 OS Command Injection vulnerability in IBM Qradar Security Information and Event Manager
IBM QRadar SIEM 7.1 before MR2 Patch 13 and 7.2 before 7.2.7 executes unspecified processes at an incorrect privilege level, which makes it easier for remote authenticated users to obtain root access by leveraging a command-injection issue.
network
high complexity
ibm CWE-78
7.5
2016-11-30 CVE-2016-2873 SQL Injection vulnerability in IBM Qradar Security Information and Event Manager
SQL injection vulnerability in IBM QRadar SIEM 7.1 before MR2 Patch 13 and 7.2 before 7.2.7 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.
network
low complexity
ibm CWE-89
8.8
2016-11-30 CVE-2016-2871 Credentials Management vulnerability in IBM Qradar Security Information and Event Manager
IBM QRadar SIEM 7.1 before MR2 Patch 13 and 7.2 before 7.2.7 uses cleartext storage for unspecified passwords, which allows local users to obtain sensitive information by reading a configuration file.
local
low complexity
ibm CWE-255
7.8