Vulnerabilities > IBM > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2010-12-30 | CVE-2010-4622 | Path Traversal vulnerability in IBM Tivoli Access Manager for E-Business 6.1.1 Directory traversal vulnerability in WebSEAL in IBM Tivoli Access Manager for e-business 6.1.1 before 6.1.1-TIV-AWS-FP0001 on AIX allows remote attackers to read arbitrary files via a %uff0e%uff0e (encoded dot dot) in a URI. | 5.0 |
| 2010-12-29 | CVE-2010-4603 | Unspecified vulnerability in IBM Rational Clearquest IBM Rational ClearQuest 7.0.x before 7.0.1.11, 7.1.1.x before 7.1.1.4, and 7.1.2.x before 7.1.2.1 does not prevent modification of back-reference fields, which allows remote authenticated users to interfere with intended record relationships, and possibly cause a denial of service (loop) or have unspecified other impact, by (1) adding or (2) removing a back reference. | 6.5 |
| 2010-12-29 | CVE-2010-4602 | Permissions, Privileges, and Access Controls vulnerability in IBM Rational Clearquest The Web client in IBM Rational ClearQuest 7.1.1.x before 7.1.1.4 and 7.1.2.x before 7.1.2.1 allows remote authenticated users to bypass "restricted user" limitations, and read arbitrary records, via a modified record number in the URL for a RECORD action, as demonstrated by a modified bookmark. | 4.0 |
| 2010-12-29 | CVE-2010-4600 | Information Exposure vulnerability in multiple products Dojo Toolkit, as used in the Web client in IBM Rational ClearQuest 7.1.1.x before 7.1.1.4 and 7.1.2.x before 7.1.2.1, allows remote attackers to read cookies by navigating to a Dojo file, related to an "open direct" issue. | 5.0 |
| 2010-12-22 | CVE-2010-4595 | Permissions, Privileges, and Access Controls vulnerability in IBM Lotus Mobile Connect The Connection Manager in IBM Lotus Mobile Connect before 6.1.4 disables the http.device.stanza blacklisting functionality for HTTP Access Services (HTTP-AS), which allows remote attackers to bypass intended access restrictions via an HTTP request that contains a disallowed User-Agent header. | 5.0 |
| 2010-12-22 | CVE-2010-4594 | Resource Management Errors vulnerability in IBM Lotus Mobile Connect The Connection Manager in IBM Lotus Mobile Connect before 6.1.4, when HTTP Access Services (HTTP-AS) is enabled, does not properly process TCP connection requests, which allows remote attackers to cause a denial of service (memory consumption and HTTP-AS hang) by making many connection requests that trigger "queue size delta errors," related to a "timing hole" issue. | 4.3 |
| 2010-12-22 | CVE-2010-4593 | Resource Management Errors vulnerability in IBM Lotus Mobile Connect The Connection Manager in IBM Lotus Mobile Connect before 6.1.4 does not properly maintain a certain reference count, which allows remote authenticated users to cause a denial of service (IP address exhaustion) by making invalid attempts to establish sessions with the same VPN ID from multiple devices. | 4.0 |
| 2010-12-22 | CVE-2010-4592 | Resource Management Errors vulnerability in IBM Lotus Mobile Connect The Mobile Network Connections functionality in the Connection Manager in IBM Lotus Mobile Connect before 6.1.4, when HTTP Access Services (HTTP-AS) is enabled, does not properly handle failed attempts at establishing HTTP-TCP sessions, which allows remote attackers to cause a denial of service (memory consumption and daemon crash) by making many TCP connection attempts. | 4.3 |
| 2010-12-22 | CVE-2010-4591 | Improper Authentication vulnerability in IBM Lotus Mobile Connect The Connection Manager in IBM Lotus Mobile Connect (LMC) before 6.1.4, when HTTP Access Services (HTTP-AS) is enabled, does not delete LTPA tokens in response to use of the iNotes Logoff button, which might allow physically proximate attackers to obtain access via an unattended client, related to a cookie domain mismatch. | 4.4 |
| 2010-12-22 | CVE-2010-4590 | Cross-Site Scripting vulnerability in IBM Lotus Mobile Connect Cross-site scripting (XSS) vulnerability in HTTP Access Services (HTTP-AS) in the Connection Manager in IBM Lotus Mobile Connect (LMC) before 6.1.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |