Vulnerabilities > IBM > High

DATE CVE VULNERABILITY TITLE RISK
2016-07-15 CVE-2016-0330 Credentials Management vulnerability in IBM Security Identity Manager Adapter
IBM Security Identity Manager (ISIM) Virtual Appliance 7.0.0.0 through 7.0.1.1 before 7.0.1-ISS-SIM-FP0003 mishandles password creation, which makes it easier for remote attackers to obtain access by leveraging an attack against the password algorithm.
network
low complexity
ibm CWE-255
7.3
2016-07-15 CVE-2015-1977 Information Exposure vulnerability in IBM Tivoli Directory Server
Directory traversal vulnerability in the Web Administration tool in IBM Tivoli Directory Server (ITDS) before 6.1.0.74-ISS-ISDS-IF0074, 6.2.x before 6.2.0.50-ISS-ISDS-IF0050, and 6.3.x before 6.3.0.43-ISS-ISDS-IF0043 and IBM Security Directory Server (ISDS) before 6.3.1.18-ISS-ISDS-IF0018 and 6.4.x before 6.4.0.9-ISS-ISDS-IF0009 allows remote attackers to read arbitrary files via a ..
network
low complexity
ibm CWE-200
7.5
2016-07-08 CVE-2016-2945 Permissions, Privileges, and Access Controls vulnerability in IBM Websphere Application Server 8.5.5.8/8.5.5.9
The API Discovery implementation in IBM WebSphere Application Server (WAS) 8.5.5.8 through 8.5.5.9 Liberty before Liberty Fix Pack 16.0.0.2 allows remote authenticated users to gain privileges via an external reference in a Swagger document.
network
high complexity
ibm CWE-264
7.5
2016-07-08 CVE-2016-2889 Cross-Site Request Forgery (CSRF) vulnerability in IBM Jazz Reporting Service
Cross-site request forgery (CSRF) vulnerability in the Report Builder and Data Collection Component (DCC) in IBM Jazz Reporting Service (JRS) 5.x before 5.0.2 ifix016, 6.0 and 6.0.1 before 6.0.1 ifix005, and 6.0.2 before ifix002 allows remote authenticated users to hijack the authentication of arbitrary users.
network
low complexity
ibm CWE-352
8.8
2016-07-08 CVE-2016-0315 Improper Access Control vulnerability in IBM Jazz Reporting Service
The Report Builder and Data Collection Component (DCC) in IBM Jazz Reporting Service (JRS) 5.x before 5.0.2 ifix016 and 6.x before 6.0.1 ifix005 maintain session ID validity after a logout action, which allows remote authenticated users to hijack sessions by leveraging an unattended workstation.
network
low complexity
ibm CWE-284
8.8
2016-07-08 CVE-2016-0287 7PK - Security Features vulnerability in IBM I Access 7.1
IBM i Access 7.1 on Windows allows local users to discover registry passwords via unspecified vectors.
local
low complexity
ibm CWE-254
7.8
2016-07-08 CVE-2016-0271 Permissions, Privileges, and Access Controls vulnerability in IBM Urbancode Deploy
The agents in IBM UrbanCode Deploy 6.x before 6.0.1.14, 6.1.x before 6.1.3.3, and 6.2.x before 6.2.1.1 do not verify a server's identity in a JMS session or an HTTP session, which allows local users to obtain root access to arbitrary agents via unspecified vectors.
local
low complexity
ibm CWE-264
8.2
2016-07-07 CVE-2016-2923 Information Exposure vulnerability in IBM Websphere Application Server
IBM WebSphere Application Server (WAS) 8.5 through 8.5.5.9 Liberty before Liberty Fix Pack 16.0.0.2 does not include the HTTPOnly flag in a Set-Cookie header for an unspecified JAX-RS API cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.
network
low complexity
ibm CWE-200
7.5
2016-07-03 CVE-2016-2863 Cross-Site Request Forgery (CSRF) vulnerability in IBM Websphere Commerce
Cross-site request forgery (CSRF) vulnerability in IBM WebSphere Commerce 7.0 Feature Pack 8, 8.0.0.x before 8.0.0.10, and 8.0.1.x before 8.0.1.2 allows remote authenticated users to hijack the authentication of arbitrary users for requests that insert XSS sequences.
network
low complexity
ibm CWE-352
8.0
2016-07-02 CVE-2016-3956 Information Exposure vulnerability in multiple products
The CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in Node.js 0.10 before 0.10.44, 0.12 before 0.12.13, 4 before 4.4.2, and 5 before 5.10.0, includes bearer tokens with arbitrary requests, which allows remote HTTP servers to obtain sensitive information by reading Authorization headers.
network
low complexity
ibm nodejs npmjs CWE-200
7.5