Vulnerabilities > IBM > Medium

DATE CVE VULNERABILITY TITLE RISK
2015-04-27 CVE-2014-6092 Code vulnerability in IBM Curam Social Program Management
IBM Curam Social Program Management (SPM) 5.2 before SP6 EP6, 6.0 SP2 before EP26, 6.0.4 before 6.0.4.6, and 6.0.5 before 6.0.5.6 requires failed-login handling for web-service accounts to have the same lockout policy as for standard user accounts, which makes it easier for remote attackers to cause a denial of service (web-service outage) by making many login attempts with a valid caseworker account name.
network
low complexity
ibm CWE-17
5.0
2015-04-27 CVE-2014-6090 Cross-Site Request Forgery (CSRF) vulnerability in IBM Curam Social Program Management
Multiple cross-site request forgery (CSRF) vulnerabilities in the (1) DataMappingEditorCommands, (2) DatastoreEditorCommands, and (3) IEGEditorCommands servlets in IBM Curam Social Program Management (SPM) 5.2 SP6 before EP6, 6.0 SP2 before EP26, 6.0.3 before 6.0.3.0 iFix8, 6.0.4 before 6.0.4.5 iFix10, and 6.0.5 before 6.0.5.6 allow remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences.
network
ibm CWE-352
6.8
2015-04-22 CVE-2015-1889 SQL Injection vulnerability in IBM Infosphere Biginsights 3.0.0.0/3.0.0.1/3.0.0.2
The Big SQL component in IBM InfoSphere BigInsights 3.0 through 3.0.0.2 allows remote authenticated users to bypass intended HDFS data-access restrictions via (1) a crafted CREATE HADOOP TABLE statement referencing the data of an arbitrary user or (2) an import of a certain Hive table definition with the HCAT_SYNC_OBJECTS procedure.
network
low complexity
ibm CWE-89
6.5
2015-04-06 CVE-2015-1893 Permissions, Privileges, and Access Controls vulnerability in IBM Websphere Datapower Xc10 Appliance Firmware 2.1.0.0/2.1.0.1/2.1.0.2
The IBM WebSphere DataPower XC10 appliance 2.1 before 2.1.0.3 allows remote attackers to hijack the sessions of arbitrary users, and consequently obtain sensitive information or modify data, via unspecified vectors.
network
ibm CWE-264
6.8
2015-04-01 CVE-2015-1892 Information Exposure vulnerability in IBM products
The Multicast DNS (mDNS) responder in IBM Security Access Manager for Web 7.x before 7.0.0 FP12 and 8.x before 8.0.1 FP1 inadvertently responds to unicast queries with source addresses that are not link-local, which allows remote attackers to cause a denial of service (traffic amplification) or obtain potentially sensitive information via port-5353 UDP packets.
network
low complexity
ibm CWE-200
5.0
2015-03-25 CVE-2015-0138 Cryptographic Issues vulnerability in IBM Tivoli Directory Server
GSKit in IBM Tivoli Directory Server (ITDS) 6.0 before 6.0.0.73-ISS-ITDS-IF0073, 6.1 before 6.1.0.66-ISS-ITDS-IF0066, 6.2 before 6.2.0.42-ISS-ITDS-IF0042, and 6.3 before 6.3.0.35-ISS-ITDS-IF0035 and IBM Security Directory Server (ISDS) 6.3.1 before 6.3.1.9-ISS-ISDS-IF0009 does not properly restrict TLS state transitions, which makes it easier for remote attackers to conduct cipher-downgrade attacks to EXPORT_RSA ciphers via crafted TLS traffic, related to the "FREAK" issue, a different vulnerability than CVE-2015-0204.
network
ibm CWE-310
4.3
2015-03-25 CVE-2014-8925 Cross-Site Request Forgery (CSRF) vulnerability in IBM Rational Clearquest
Cross-site request forgery (CSRF) vulnerability in ClearQuest Web in IBM Rational ClearQuest 7.1.x before 7.1.2.17, 8.0.0.x before 8.0.0.14, and 8.0.1.x before 8.0.1.7 allows remote attackers to hijack the authentication of arbitrary users for requests that trigger a logout or insert XSS sequences.
network
ibm CWE-352
6.8
2015-03-24 CVE-2015-0199 Resource Management Errors vulnerability in IBM General Parallel File System 3.4/3.5/4.1
The mmfslinux kernel module in IBM General Parallel File System (GPFS) 3.4 before 3.4.0.32, 3.5 before 3.5.0.24, and 4.1 before 4.1.0.7 allows local users to cause a denial of service (memory corruption) via unspecified character-device ioctl calls.
local
low complexity
ibm CWE-399
4.9
2015-03-24 CVE-2015-0158 Cross-site Scripting vulnerability in IBM Business Process Manager
Cross-site scripting (XSS) vulnerability in the Coach NG framework in IBM Business Process Manager (BPM) 8.0 through 8.0.1.3, 8.5.0 through 8.5.0.1, and 8.5.5 through 8.5.5.0 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.
network
ibm CWE-79
4.3
2015-03-24 CVE-2015-0137 Improper Input Validation vulnerability in IBM Powervc
IBM PowerVC Standard 1.2.0.x before 1.2.0.4 and 1.2.1.x before 1.2.2 validates Hardware Management Console (HMC) certificates only during the pre-login stage, which allows man-in-the-middle attackers to spoof devices via a crafted certificate.
network
ibm CWE-20
4.3