Vulnerabilities > IBM > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2011-08-15 | CVE-2011-3140 | Permissions, Privileges, and Access Controls vulnerability in IBM products IBM Web Application Firewall, as used on the G400 IPS-G400-IB-1 and GX4004 IPS-GX4004-IB-2 appliances with update 31.030, does not properly handle query strings with multiple instances of the same parameter, which allows remote attackers to bypass intended intrusion prevention by dividing a dangerous parameter value into substrings, as demonstrated by a SQL statement that is split across multiple iid parameters and then sent to a .aspx file on an IIS web server. | 5.0 |
| 2011-08-12 | CVE-2011-3138 | Unspecified vulnerability in IBM products The LTPA STS module support implementation in IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 before 6.2.0.9 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.2.0 before 6.2.0.9 relies on a static instance of a Java Development Kit (JDK) class, which might allow attackers to bypass LTPA token signature verification by leveraging lack of thread safety. | 5.0 |
| 2011-08-12 | CVE-2009-5083 | Improper Authentication vulnerability in IBM Tivoli Federated Identity Manager 6.2.0/6.2.0.1 IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 before 6.2.0.2, when configured as an OpenID relying party, does not perform the expected login rejection upon receiving an OP-Identifier from an OpenID provider, which allows remote attackers to bypass authentication via unspecified vectors. | 6.8 |
| 2011-08-12 | CVE-2008-7299 | Improper Input Validation vulnerability in IBM Tivoli Federated Identity Manager 6.2.0/6.2.0.1 IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 before 6.2.0.2 uses an incomplete SAML 1.x browser-artifact, which allows remote OpenID providers to spoof assertions via vectors related to the Issuer field. | 5.0 |
| 2011-08-11 | CVE-2011-1357 | Cross-Site Scripting vulnerability in IBM Websphere Service Registry and Repository Cross-site scripting (XSS) vulnerability in agentDetect.jsp in the web UI in IBM WebSphere Service Registry and Repository (WSRR) 6.3 before 6.3.0.5, 7.0 before 7.0.0.5, and 7.5 before 7.5.0.1 allows remote attackers to inject arbitrary web script or HTML via the User-Agent HTTP header. | 4.3 |
| 2011-07-27 | CVE-2011-2893 | Resource Management Errors vulnerability in IBM Lotus Symphony 3.0.0/3.0.0.1/3.0.0.2 The DataPilot feature in IBM Lotus Symphony 3 before FP3 allows user-assisted remote attackers to cause a denial of service (application crash) via a large .xls spreadsheet with an invalid Value reference. | 4.3 |
| 2011-07-27 | CVE-2011-2888 | Resource Management Errors vulnerability in IBM Lotus Symphony 3.0.0/3.0.0.1/3.0.0.2 IBM Lotus Symphony 3 before FP3 allows remote attackers to cause a denial of service (application hang) via complex graphics in a presentation. | 4.3 |
| 2011-07-27 | CVE-2011-2887 | Resource Management Errors vulnerability in IBM Lotus Symphony 3.0.0/3.0.0.1/3.0.0.2 IBM Lotus Symphony 3 before FP3 on Linux allows remote attackers to cause a denial of service (application crash) via a certain sample document. | 4.3 |
| 2011-07-27 | CVE-2011-2886 | Resource Management Errors vulnerability in IBM Lotus Symphony 3.0.0/3.0.0.1/3.0.0.2 IBM Lotus Symphony 3 before FP3 allows remote attackers to cause a denial of service (application crash) via a .docx document with empty bullet styles for parent bullets. | 4.3 |
| 2011-07-27 | CVE-2011-2885 | Resource Management Errors vulnerability in IBM Lotus Symphony 3.0.0/3.0.0.1/3.0.0.2 IBM Lotus Symphony 3 before FP3 allows remote attackers to cause a denial of service (application crash) via the sample .doc document that incorporates a user-defined toolbar. | 4.3 |