IBM vulnerabilities rated Medium (CVSS v2 base score 4.0 to 6.9)
DATE (published) | CVE | VULNERABILITY (title: description) | RISK (CVSS v2 base score) |
---|---|---|---|
2009-07-05 | CVE-2009-0904 | Permissions, Privileges, and Access Controls vulnerability in IBM WebSphere Application Server: the IBM Stax XMLStreamWriter in the Web Services component of WAS 6.1 before 6.1.0.25 does not properly process XML encoding, which allows remote attackers to bypass intended access restrictions and possibly modify data via "XML fuzzing attacks" sent through SOAP requests. | 6.4 |
2009-06-25 | CVE-2009-2212 | Unspecified vulnerability in IBM Rational ClearQuest: the CQWeb server in ClearQuest 7.0.0 before 7.0.0.6 and 7.0.1 before 7.0.1.5 allows attackers to discover a (1) username or (2) password via unspecified vectors. | 5.0 |
2009-06-25 | CVE-2009-2211 | Cross-Site Scripting vulnerability in IBM Rational ClearQuest: the CQWeb server in ClearQuest 7.0.0 before 7.0.0.6 and 7.0.1 before 7.0.1.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2009-06-08 | CVE-2009-1953 | Permissions, Privileges, and Access Controls vulnerability in IBM FileNet Content Manager 4.0/4.0.1/4.5: FileNet Content Manager 4.0, 4.0.1, and 4.5, as used in IBM WebSphere Application Server (WAS) and Oracle BEA WebLogic Application Server, when the CE Web Services listener has a certain WSEAF configuration, does not properly restrict use of a cached Subject, which allows remote attackers to obtain access with the credentials of a recently authenticated user via unspecified vectors. | 4.6 |
2009-06-03 | CVE-2009-1906 | Denial-of-Service vulnerability in IBM DB2 9.1/9.5: the DRDA Services component in DB2 9.1 before FP7 and 9.5 before FP4 allows remote attackers to cause a denial of service (memory corruption and application crash) via an IPv6 address in the correlation token in the APPID string, as demonstrated by an APPID string sent by the third-party DataDirect JDBC driver 3.7.32. | 4.3 |
2009-06-03 | CVE-2008-2154 | Configuration vulnerability in IBM DB2 8.0/9.1/9.5: DB2 8 before FP17, 9.1 before FP5, and 9.5 before FP2 provide an INSTALL_JAR (aka sqlj.install_jar) procedure, which allows remote authenticated users to create or overwrite arbitrary files via unspecified calls. | 6.0 |
2009-06-03 | CVE-2009-1900 | Information Exposure vulnerability in IBM WebSphere Application Server: the Configservice APIs in the Administrative Console component of WAS 6.0.2 before 6.0.2.35, 6.1 before 6.1.0.25, and 7.0 before 7.0.0.5, when tracing is enabled, allow remote attackers to obtain sensitive information via unspecified use of the wsadmin scripting tool. | 5.0 |
2009-06-03 | CVE-2009-1898 | Information Exposure vulnerability in IBM WebSphere Application Server: the secure login page in the Administrative Console component of WAS 6.0.2 before 6.0.2.35 does not redirect to an https page upon receiving an http request, which makes it easier for remote attackers to read the contents of WAS sessions by sniffing the network. | 5.0 |
2009-06-03 | CVE-2009-0899 | Permissions, Privileges, and Access Controls vulnerability in IBM products: IBM WebSphere Application Server (WAS) 6.1 through 6.1.0.24 and 7.0 through 7.0.0.4, IBM WebSphere Portal Server 5.1 through 6.0, and IBM Integrated Solutions Console (ISC) 6.0.1 do not properly set the IsSecurityEnabled security flag during migration of WebSphere Member Manager (WMM) to Virtual Member Manager (VMM) and a Federated Repository, which allows attackers to obtain sensitive information from repositories via unspecified vectors. | 4.3 |
2009-05-26 | CVE-2009-1786 | Race Condition vulnerability in IBM AIX 5.3/6.1: the malloc subsystem in libc in AIX 5.3 and 6.1 allows local users to create or overwrite arbitrary files via a symlink attack on the log file associated with the MALLOCDEBUG environment variable. | 6.9 |
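The AIX entry (CVE-2009-1786) is the classic symlink-on-a-log-file bug: a privileged process opens a path that a local user can pre-plant, and the open follows the link. The following is an added example written for this page (editor's code, not IBM's, and not the AIX libc fix), showing the naive open beside the hardened one and a small harness that plants a link and checks which opener is fooled. The directory layout, the file names malloc.log and victim, and the file contents are constructed for the demo; O_NOFOLLOW is assumed to be available, as it is on Linux and current POSIX systems.

```c
/* Added example (editor's code, not IBM's): the file-creation pattern behind
 * CVE-2009-1786 and its hardened form.  Paths and contents are constructed
 * for the demo. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern.  fopen(path, "w") is open(O_WRONLY|O_CREAT|O_TRUNC),
 * which follows a symlink in the final path component.  A setuid program
 * that opens a debug log at a path taken from the environment (as the AIX
 * malloc subsystem did for MALLOCDEBUG) truncates and writes whatever file
 * a local user linked that path to. */
FILE *open_log_unsafe(const char *path) {
    return fopen(path, "w");
}

/* Hardened pattern.  O_CREAT|O_EXCL refuses a path that already exists
 * (including a dangling link) and O_NOFOLLOW refuses a link that resolves;
 * the kernel evaluates both inside one open(), so there is no check-then-use
 * window for a local user to race.  Caveat: O_NOFOLLOW covers only the last
 * component, so the containing directory must not be attacker-writable
 * either (a mkdtemp() directory, not a shared /tmp).
 * Returns a descriptor, or -1 with errno set to EEXIST or ELOOP. */
int open_log_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Plant <dir>/malloc.log -> <dir>/victim and exercise both openers.
 * Returns 1 when the hardened open refused the link while the naive open
 * followed it and overwrote the victim; -1 on setup failure. */
int demo_symlink_attack(const char *dir) {
    char victim[512], lnk[512];
    struct stat st;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/malloc.log", dir);

    FILE *v = fopen(victim, "w");              /* victim with known contents */
    if (!v) return -1;
    fputs("do not clobber\n", v);
    fclose(v);
    unlink(lnk);
    if (symlink(victim, lnk) != 0) return -1;

    int fd = open_log_safe(lnk);
    int refused = (fd == -1 && (errno == EEXIST || errno == ELOOP));
    if (fd != -1) close(fd);

    FILE *f = open_log_unsafe(lnk);            /* writes through the link */
    if (f) { fputs("debug output\n", f); fclose(f); }
    int clobbered = (stat(victim, &st) == 0 &&
                     st.st_size == (off_t)strlen("debug output\n"));

    return refused && clobbered;
}

/* Sanity check: the hardened open still works for a path nobody planted.
 * Returns 1 on success, 0 if the open failed. */
int demo_fresh_log(const char *dir) {
    char path[512];
    snprintf(path, sizeof path, "%s/fresh.log", dir);
    unlink(path);
    int fd = open_log_safe(path);
    if (fd == -1) return 0;
    close(fd);
    unlink(path);
    return 1;
}

int main(void) {
    char tmpl[] = "/tmp/symlink-demo-XXXXXX";
    char *dir = mkdtemp(tmpl);
    if (!dir) { perror("mkdtemp"); return 1; }
    printf("hardened open refused planted link, naive open clobbered victim: %s\n",
           demo_symlink_attack(dir) == 1 ? "yes" : "no");
    printf("hardened open of a fresh path: %s\n",
           demo_fresh_log(dir) ? "ok" : "failed");
    return 0;
}
```

Build with `cc -o symlink-demo symlink-demo.c` and run it as an unprivileged user; the harness plants the link itself, so no setuid binary is needed to see the difference. For a real privileged program the further checks to apply are fstat() on the returned descriptor (owner and mode as expected) and, where the log must be appended to across runs, opening it with O_NOFOLLOW|O_APPEND and verifying st_nlink == 1 and the expected owner rather than relying on O_EXCL alone.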