Vulnerabilities > IBM > Medium

DATE CVE VULNERABILITY TITLE RISK
2016-07-15 CVE-2016-0340 Improper Access Control vulnerability in IBM Security Identity Manager Adapter
IBM Security Identity Manager (ISIM) Virtual Appliance 7.0.0.0 through 7.0.1.1 before 7.0.1-ISS-SIM-FP0003 mishandles session expiration, which allows remote attackers to hijack sessions by leveraging an unattended workstation.
local
ibm CWE-284
4.4
2016-07-15 CVE-2016-0339 Improper Access Control vulnerability in IBM Security Identity Manager Adapter
IBM Security Identity Manager (ISIM) Virtual Appliance 7.0.0.0 through 7.0.1.1 before 7.0.1-ISS-SIM-FP0003 mishandles session identifiers after logout, which makes it easier for remote attackers to spoof users by leveraging knowledge of "traffic records."
network
ibm CWE-284
4.3
2016-07-15 CVE-2016-0330 Credentials Management vulnerability in IBM Security Identity Manager Adapter
IBM Security Identity Manager (ISIM) Virtual Appliance 7.0.0.0 through 7.0.1.1 before 7.0.1-ISS-SIM-FP0003 mishandles password creation, which makes it easier for remote attackers to obtain access by leveraging an attack against the password algorithm.
network
low complexity
ibm CWE-255
5.0
2016-07-15 CVE-2015-1977 Information Exposure vulnerability in IBM Security Directory Server and Tivoli Directory Server
Directory traversal vulnerability in the Web Administration tool in IBM Tivoli Directory Server (ITDS) before 6.1.0.74-ISS-ISDS-IF0074, 6.2.x before 6.2.0.50-ISS-ISDS-IF0050, and 6.3.x before 6.3.0.43-ISS-ISDS-IF0043 and IBM Security Directory Server (ISDS) before 6.3.1.18-ISS-ISDS-IF0018 and 6.4.x before 6.4.0.9-ISS-ISDS-IF0009 allows remote attackers to read arbitrary files via a ..
network
low complexity
ibm CWE-200
5.0
2016-07-08 CVE-2016-2945 Permissions, Privileges, and Access Controls vulnerability in IBM Websphere Application Server 8.5.5.8/8.5.5.9
The API Discovery implementation in IBM WebSphere Application Server (WAS) 8.5.5.8 through 8.5.5.9 Liberty before Liberty Fix Pack 16.0.0.2 allows remote authenticated users to gain privileges via an external reference in a Swagger document.
network
ibm CWE-264
6.0
2016-07-08 CVE-2016-2889 Cross-Site Request Forgery (CSRF) vulnerability in IBM Jazz Reporting Service
Cross-site request forgery (CSRF) vulnerability in the Report Builder and Data Collection Component (DCC) in IBM Jazz Reporting Service (JRS) 5.x before 5.0.2 ifix016, 6.0 and 6.0.1 before 6.0.1 ifix005, and 6.0.2 before ifix002 allows remote authenticated users to hijack the authentication of arbitrary users.
network
ibm CWE-352
6.8
2016-07-08 CVE-2016-2888 Cross-site Scripting vulnerability in IBM Jazz Reporting Service
Cross-site scripting (XSS) vulnerability in the Report Builder and Data Collection Component (DCC) in IBM Jazz Reporting Service (JRS) 5.x before 5.0.2 ifix016 and 6.x before 6.0.1 ifix005 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL, a different vulnerability than CVE-2016-0313 and CVE-2016-0350.
network
ibm CWE-79
4.3
2016-07-08 CVE-2016-0315 Improper Access Control vulnerability in IBM Jazz Reporting Service
The Report Builder and Data Collection Component (DCC) in IBM Jazz Reporting Service (JRS) 5.x before 5.0.2 ifix016 and 6.x before 6.0.1 ifix005 maintain session ID validity after a logout action, which allows remote authenticated users to hijack sessions by leveraging an unattended workstation.
network
low complexity
ibm CWE-284
6.5
2016-07-08 CVE-2016-0314 Clickjacking vulnerability in IBM Jazz Reporting Service
The Report Builder and Data Collection Component (DCC) in IBM Jazz Reporting Service (JRS) 5.x before 5.0.2 ifix016 and 6.x before 6.0.1 ifix005 allow remote authenticated users to conduct clickjacking attacks via unspecified vectors.
network
low complexity
ibm
4.0
2016-07-07 CVE-2016-2923 Information Exposure vulnerability in IBM Websphere Application Server
IBM WebSphere Application Server (WAS) 8.5 through 8.5.5.9 Liberty before Liberty Fix Pack 16.0.0.2 does not include the HTTPOnly flag in a Set-Cookie header for an unspecified JAX-RS API cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.
network
low complexity
ibm CWE-200
5.0