IBM vulnerabilities: medium risk

DATE CVE VULNERABILITY TITLE RISK
2010-12-30 CVE-2010-4622 Path Traversal vulnerability in IBM Tivoli Access Manager for e-business 6.1.1
Directory traversal vulnerability in WebSEAL in IBM Tivoli Access Manager for e-business 6.1.1 before 6.1.1-TIV-AWS-FP0001 on AIX allows remote attackers to read arbitrary files via a %uff0e%uff0e (encoded dot dot) in a URI.
network
low complexity
ibm CWE-22
5.0
2010-12-29 CVE-2010-4603 Unspecified vulnerability in IBM Rational ClearQuest
IBM Rational ClearQuest 7.0.x before 7.0.1.11, 7.1.1.x before 7.1.1.4, and 7.1.2.x before 7.1.2.1 does not prevent modification of back-reference fields, which allows remote authenticated users to interfere with intended record relationships, and possibly cause a denial of service (loop) or have unspecified other impact, by (1) adding or (2) removing a back reference.
network
low complexity
ibm
6.5
2010-12-29 CVE-2010-4602 Permissions, Privileges, and Access Controls vulnerability in IBM Rational ClearQuest
The Web client in IBM Rational ClearQuest 7.1.1.x before 7.1.1.4 and 7.1.2.x before 7.1.2.1 allows remote authenticated users to bypass "restricted user" limitations, and read arbitrary records, via a modified record number in the URL for a RECORD action, as demonstrated by a modified bookmark.
network
low complexity
ibm CWE-264
4.0
2010-12-29 CVE-2010-4600 Information Exposure vulnerability in multiple products
Dojo Toolkit, as used in the Web client in IBM Rational ClearQuest 7.1.1.x before 7.1.1.4 and 7.1.2.x before 7.1.2.1, allows remote attackers to read cookies by navigating to a Dojo file, related to an "open direct" issue.
network
low complexity
dojofoundation ibm CWE-200
5.0
2010-12-22 CVE-2010-4595 Permissions, Privileges, and Access Controls vulnerability in IBM Lotus Mobile Connect
The Connection Manager in IBM Lotus Mobile Connect before 6.1.4 disables the http.device.stanza blacklisting functionality for HTTP Access Services (HTTP-AS), which allows remote attackers to bypass intended access restrictions via an HTTP request that contains a disallowed User-Agent header.
network
low complexity
ibm CWE-264
5.0
2010-12-22 CVE-2010-4594 Resource Management Errors vulnerability in IBM Lotus Mobile Connect
The Connection Manager in IBM Lotus Mobile Connect before 6.1.4, when HTTP Access Services (HTTP-AS) is enabled, does not properly process TCP connection requests, which allows remote attackers to cause a denial of service (memory consumption and HTTP-AS hang) by making many connection requests that trigger "queue size delta errors," related to a "timing hole" issue.
network
ibm CWE-399
4.3
2010-12-22 CVE-2010-4593 Resource Management Errors vulnerability in IBM Lotus Mobile Connect
The Connection Manager in IBM Lotus Mobile Connect before 6.1.4 does not properly maintain a certain reference count, which allows remote authenticated users to cause a denial of service (IP address exhaustion) by making invalid attempts to establish sessions with the same VPN ID from multiple devices.
network
low complexity
ibm CWE-399
4.0
2010-12-22 CVE-2010-4592 Resource Management Errors vulnerability in IBM Lotus Mobile Connect
The Mobile Network Connections functionality in the Connection Manager in IBM Lotus Mobile Connect before 6.1.4, when HTTP Access Services (HTTP-AS) is enabled, does not properly handle failed attempts at establishing HTTP-TCP sessions, which allows remote attackers to cause a denial of service (memory consumption and daemon crash) by making many TCP connection attempts.
network
ibm CWE-399
4.3
2010-12-22 CVE-2010-4591 Improper Authentication vulnerability in IBM Lotus Mobile Connect
The Connection Manager in IBM Lotus Mobile Connect (LMC) before 6.1.4, when HTTP Access Services (HTTP-AS) is enabled, does not delete LTPA tokens in response to use of the iNotes Logoff button, which might allow physically proximate attackers to obtain access via an unattended client, related to a cookie domain mismatch.
local
ibm CWE-287
4.4
2010-12-22 CVE-2010-4590 Cross-Site Scripting vulnerability in IBM Lotus Mobile Connect
Cross-site scripting (XSS) vulnerability in HTTP Access Services (HTTP-AS) in the Connection Manager in IBM Lotus Mobile Connect (LMC) before 6.1.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
network
ibm CWE-79
4.3