| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2013-2977 |
189 |
|
Exec Code Overflow |
2013-05-10 |
2013-05-10 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Integer overflow in IBM Notes 8.5.x before 8.5.3 FP4 Interim Fix 1 and 9.x before 9.0 Interim Fix 1 on Windows, and 8.5.x before 8.5.3 FP5 and 9.x before 9.0.1 on Linux, allows remote attackers to execute arbitrary code via a malformed PNG image in a previewed e-mail message, aka SPR NPEI96K82Q. |
|
2 |
CVE-2013-2566 |
310 |
|
|
2013-03-15 |
2013-04-19 |
2.6 |
None |
Remote |
High |
Not required |
Partial |
None |
None |
|
The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions that use the same plaintext. |
|
3 |
CVE-2013-0600 |
|
|
Bypass |
2013-05-09 |
2013-05-09 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
Unspecified vulnerability on IBM WebSphere DataPower XC10 Appliance devices 2.0 and 2.1 through 2.1 FP3 allows remote attackers to bypass authentication and perform administrative actions via unknown vectors. |
|
4 |
CVE-2013-0593 |
|
|
Exec Code |
2013-04-26 |
2013-04-29 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
Unspecified vulnerability in the olch2x32 ActiveX control in IBM SPSS SamplePower 3.0 before 3.0-IM-S3SAMPC-WIN32-FP001 allows remote attackers to execute arbitrary code via unknown vectors. |
|
5 |
CVE-2013-0584 |
200 |
|
+Info |
2013-04-23 |
2013-04-23 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The Data Replication Dashboard component in IBM InfoSphere Replication Server 9.7 and 10.x before 10.2.0.0-b113 allows remote attackers to obtain a list of all user accounts, along with information about whether each account requires a password, via unspecified vectors. |
|
6 |
CVE-2013-0582 |
79 |
|
XSS |
2013-05-02 |
2013-05-03 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 before 6.2.0.12, 6.2.1 before 6.2.1.5, and 6.2.2 before 6.2.2.4 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.2.0 before 6.2.0.12 and 6.2.1 before 6.2.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted URL that triggers a SAML 2.0 response. |
|
7 |
CVE-2013-0578 |
287 |
|
+Info |
2013-05-10 |
2013-05-10 |
3.5 |
None |
Remote |
Medium |
Single system |
Partial |
None |
None |
|
The Sterling Order Management APIs in IBM Sterling Multi-Channel Fulfillment Solution 8.0 before HF128 and IBM Sterling Selling and Fulfillment Foundation 8.5 before HF93, 9.0 before HF73, 9.1.0 before FP45, and 9.2.0 before FP17, when the API tester is enabled, do not require administrative credentials, which allows remote authenticated users to obtain sensitive database information via a request to the API tester URI. |
|
8 |
CVE-2013-0572 |
79 |
|
XSS |
2013-04-26 |
2013-05-01 |
2.3 |
None |
Local Network |
Medium |
Single system |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in IBM Document Connect for Application Support Facility (aka DC4ASF) before 1.0.0.1218 in Application Support Facility (ASF) 3.4 for z/OS on Windows, Linux, and AIX allows remote authenticated users to inject content, and conduct phishing attacks, via unspecified vectors. |
|
9 |
CVE-2013-0571 |
79 |
|
XSS |
2013-04-26 |
2013-04-29 |
2.9 |
None |
Local Network |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in IBM Document Connect for Application Support Facility (aka DC4ASF) before 1.0.0.1218 in Application Support Facility (ASF) 3.4 for z/OS on Windows, Linux, and AIX allows remote attackers to inject arbitrary web script or HTML via a crafted URL. |
|
10 |
CVE-2013-0569 |
79 |
|
XSS |
2013-04-26 |
2013-05-01 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Communities component in IBM Connections 4.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
|
11 |
CVE-2013-0565 |
79 |
|
XSS |
2013-04-24 |
2013-04-24 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the RPC adapter for the Web 2.0 and Mobile toolkit in IBM WebSphere Application Server (WAS) 8.5 before 8.5.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted response. |
|
12 |
CVE-2013-0553 |
|
|
|
2013-04-27 |
2013-04-29 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
The client implementation in IBM Sametime 8.5.1 through 8.5.2.1, as used in Sametime Connect client, Sametime Advanced Connect client, Sametime Advanced Web client, and other products, allows remote authenticated users to send commands to individual chat users, or to all participants in a chat room, via a crafted Sametime Instant Message (IM). |
|
13 |
CVE-2013-0544 |
22 |
|
Dir. Trav. |
2013-04-24 |
2013-04-24 |
5.5 |
None |
Remote |
Low |
Single system |
None |
Partial |
Partial |
|
Directory traversal vulnerability in the Administrative Console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.47, 7.0 before 7.0.0.29, 8.0 before 8.0.0.6, and 8.5 before 8.5.0.2 on Linux and UNIX allows remote authenticated users to modify data via unspecified vectors. |
|
14 |
CVE-2013-0543 |
264 |
|
Bypass |
2013-04-24 |
2013-04-24 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.47, 7.0 before 7.0.0.29, 8.0 before 8.0.0.6, and 8.5 before 8.5.0.2 on Linux, Solaris, and HP-UX, when a Local OS registry is used, does not properly validate user accounts, which allows remote attackers to bypass intended access restrictions via unspecified vectors. |
|
15 |
CVE-2013-0542 |
79 |
|
XSS |
2013-04-24 |
2013-04-24 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Administrative console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.47, 7.0 before 7.0.0.29, 8.0 before 8.0.0.6, and 8.5 before 8.5.0.2 allows remote attackers to inject arbitrary web script or HTML via crafted field values. |
|
16 |
CVE-2013-0541 |
119 |
|
DoS Overflow |
2013-04-24 |
2013-04-24 |
1.9 |
None |
Local |
Medium |
Not required |
None |
None |
Partial |
|
Buffer overflow in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.47, 7.0 before 7.0.0.29, 8.0 before 8.0.0.6, and 8.5 before 8.5.0.2 on Windows, when a localOS registry is used in conjunction with WebSphere Identity Manger (WIM), allows local users to cause a denial of service (daemon crash) via unspecified vectors. |
|
17 |
CVE-2013-0540 |
287 |
|
Bypass |
2013-04-24 |
2013-04-24 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
IBM WebSphere Application Server (WAS) Liberty Profile 8.5 before 8.5.0.2, when SSL is not enabled, does not properly validate authentication cookies, which allows remote authenticated users to bypass intended access restrictions via an HTTP session. |
|
18 |
CVE-2013-0538 |
79 |
|
XSS |
2013-05-01 |
2013-05-01 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in IBM Lotus Notes 8.x before 8.5.3 FP4 Interim Fix 1 and 9.0 before Interim Fix 1 allows remote attackers to inject arbitrary web script or HTML via a SCRIPT element in an HTML e-mail message, aka SPRs JMOY95BLM6 and JMOY95BN49. |
|
19 |
CVE-2013-0535 |
79 |
|
XSS |
2013-05-02 |
2013-05-03 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in the Classic Meeting Server in IBM Sametime 7.5.1.2 through 8.5.2.1 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. |
|
20 |
CVE-2013-0533 |
79 |
|
XSS |
2013-04-27 |
2013-04-29 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Sametime Links server in IBM Sametime 8.0.2 through 8.5.2.1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. |
|
21 |
CVE-2013-0532 |
352 |
|
DoS CSRF |
2013-03-29 |
2013-03-29 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in IBM Security AppScan Enterprise 5.6 and 8.x before 8.7 and IBM Rational Policy Tester 5.6 and 8.x before 8.5.0.4 allows remote attackers to hijack the authentication of arbitrary users for requests that cause a denial of service via malformed HTTP data. |
|
22 |
CVE-2013-0525 |
79 |
|
XSS |
2013-03-26 |
2013-03-27 |
1.5 |
None |
Local |
Medium |
Single system |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in IBM iNotes 8.5.x allow local users to inject arbitrary web script or HTML via a shared mail file, aka SPR DKEN8PDNTX. |
|
23 |
CVE-2013-0520 |
20 |
|
+Info |
2013-05-10 |
2013-05-10 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
IBM Sterling Secure Proxy 3.2.0 and 3.3.01 before 3.3.01.23 Interim Fix 1, 3.4.0 before 3.4.0.6 Interim Fix 1, and 3.4.1 before 3.4.1.7 allows remote authenticated users to obtain sensitive Java stack-trace information by providing invalid input data. |
|
24 |
CVE-2013-0519 |
200 |
|
+Info |
2013-05-10 |
2013-05-10 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
IBM Sterling Secure Proxy 3.2.0 and 3.3.01 before 3.3.01.23 Interim Fix 1, 3.4.0 before 3.4.0.6 Interim Fix 1, and 3.4.1 before 3.4.1.7 provides web-server version data in (1) an unspecified page title and (2) an unspecified HTTP header field, which allows remote attackers to obtain potentially sensitive information by reading a version string. |
|
25 |
CVE-2013-0518 |
20 |
|
|
2013-05-10 |
2013-05-10 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
IBM Sterling Secure Proxy 3.2.0 and 3.3.01 before 3.3.01.23 Interim Fix 1, 3.4.0 before 3.4.0.6 Interim Fix 1, and 3.4.1 before 3.4.1.7 does not refuse to be rendered in different-origin frames, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web site. |
|
26 |
CVE-2013-0513 |
|
|
+Priv |
2013-03-29 |
2013-03-29 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
IBM Security AppScan Enterprise 5.6 and 8.x before 8.7 and IBM Rational Policy Tester 5.6 and 8.x before 8.5.0.4 create a service that lacks " (double quote) characters in the service path, which allows local users to gain privileges via a Trojan horse program, related to an "Unquoted Service Path Enumeration" vulnerability. |
|
27 |
CVE-2013-0512 |
119 |
|
DoS Overflow |
2013-03-29 |
2013-03-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
Stack-based buffer overflow in the Manual Explore browser plug-in for Firefox in IBM Security AppScan Enterprise 5.6 and 8.x before 8.7 and IBM Rational Policy Tester 5.6 and 8.x before 8.5.0.4 allows remote attackers to cause a denial of service (plug-in crash) via a crafted web page. |
|
28 |
CVE-2013-0511 |
89 |
|
Exec Code Sql |
2013-03-29 |
2013-03-29 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
Multiple SQL injection vulnerabilities in IBM Security AppScan Enterprise 5.6 and 8.x before 8.7 allow remote authenticated users to execute arbitrary SQL commands via unspecified parameters. |
|
29 |
CVE-2013-0510 |
264 |
|
|
2013-03-29 |
2013-03-29 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
IBM Security AppScan Enterprise 5.6 and 8.x before 8.7 includes a security test that sends session cookies to a specific external server, which allows man-in-the-middle attackers to hijack the test account by capturing these cookies. |
|
30 |
CVE-2013-0506 |
79 |
|
XSS |
2013-03-19 |
2013-03-21 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in IBM Sterling Order Management 8.0 before HF127, 8.5 before HF89, 9.0 before HF69, 9.1.0 before FP41, and 9.2.0 before FP13 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. |
|
31 |
CVE-2013-0505 |
20 |
|
|
2013-03-19 |
2013-03-21 |
5.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
None |
|
IBM Sterling Order Management 8.0 before HF127, 8.5 before HF89, 9.0 before HF69, 9.1.0 before FP41, and 9.2.0 before FP13 allows remote authenticated users to conduct XPath injection attacks, and read arbitrary XML files, via unspecified vectors. |
|
32 |
CVE-2013-0503 |
79 |
|
XSS |
2013-04-23 |
2013-04-23 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Bookmarks component in IBM Lotus Connections before 4.0 CR3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
|
33 |
CVE-2013-0502 |
79 |
|
XSS |
2013-04-01 |
2013-04-02 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in IBM InfoSphere Information Server 8.1, 8.5 through FP3, 8.7 through FP2, and 9.1 allows remote attackers to inject arbitrary web script or HTML via a malformed URL. |
|
34 |
CVE-2013-0501 |
264 |
|
|
2013-04-12 |
2013-04-15 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
The EdrawSoft EDOFFICE.EDOfficeCtrl.1 ActiveX control, as used in Edraw Office Viewer Component, the client in IBM Cognos Disclosure Management (CDM) 10.2.0, and other products, allows remote attackers to read arbitrary files, or download an arbitrary program onto a client machine and execute this program, via a crafted web site. |
|
35 |
CVE-2013-0490 |
|
|
+Priv |
2013-02-27 |
2013-02-28 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
Unspecified vulnerability in IBM InfoSphere Guardium S-TAP 8.1 for DB2 on z/OS allows local users to gain privileges via unknown vectors. |
|
36 |
CVE-2013-0489 |
352 |
|
CSRF |
2013-03-27 |
2013-03-27 |
6.0 |
None |
Remote |
Medium |
Single system |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in webadmin.nsf (aka the Web Administrator client) in IBM Domino 8.5.x allows remote authenticated users to hijack the authentication of administrators. |
|
37 |
CVE-2013-0488 |
79 |
|
XSS |
2013-03-27 |
2013-03-27 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in webadmin.nsf (aka the Web Administrator client) in IBM Domino 8.5.x allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
|
38 |
CVE-2013-0487 |
287 |
|
|
2013-03-27 |
2013-03-27 |
8.5 |
None |
Remote |
Medium |
Single system |
Complete |
Complete |
Complete |
|
The Java Console in IBM Domino 8.5.x allows remote authenticated users to hijack temporary credentials by leveraging knowledge of configuration details, aka SPR KLYH8TNNDN. |
|
39 |
CVE-2013-0486 |
399 |
|
DoS |
2013-03-27 |
2013-03-27 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
Memory leak in the HTTP server in IBM Domino 8.5.x allows remote attackers to cause a denial of service (memory consumption and daemon crash) via GET requests, aka SPR KLYH92NKZY. |
|
40 |
CVE-2013-0483 |
310 |
|
+Info |
2013-04-05 |
2013-04-05 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The login component in SOAP Gateway in IBM IMS Enterprise Suite 1.1, 2.1, and 2.2 uses cleartext credentials, which allows remote attackers to obtain sensitive information by sniffing the network. |
|
41 |
CVE-2013-0478 |
79 |
|
XSS |
2013-02-20 |
2013-02-21 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in IBM InfoSphere Master Data Management - Collaborative Edition 10.0 and 10.1 before FP1 and InfoSphere Master Data Management Server for Product Information Management 6.0, 9.0, and 9.1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. |
|
42 |
CVE-2013-0477 |
79 |
|
XSS |
2013-02-20 |
2013-02-21 |
6.0 |
None |
Remote |
Medium |
Single system |
Partial |
Partial |
Partial |
|
Multiple cross-site scripting (XSS) vulnerabilities in IBM InfoSphere Master Data Management - Collaborative Edition 10.0 and 10.1 before FP1 and InfoSphere Master Data Management Server for Product Information Management 6.0, 9.0, and 9.1 allow remote authenticated users to inject content, and conduct phishing attacks, via unspecified vectors. |
|
43 |
CVE-2013-0474 |
200 |
|
+Info |
2013-03-29 |
2013-03-29 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The Manual Explore browser plug-in in IBM Security AppScan Enterprise 5.6 and 8.x before 8.7 and IBM Rational Policy Tester 5.6 and 8.x before 8.5.0.4 allows remote attackers to discover test Platform Authentication credentials via a crafted web site. |
|
44 |
CVE-2013-0473 |
79 |
|
XSS |
2013-03-29 |
2013-03-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in IBM Security AppScan Enterprise 5.6 and 8.x before 8.7 and IBM Rational Policy Tester 5.6 and 8.x before 8.5.0.4 allow remote attackers to inject arbitrary web script or HTML via a crafted report. |
|
45 |
CVE-2013-0472 |
|
|
|
2013-02-20 |
2013-02-21 |
5.1 |
None |
Remote |
High |
Not required |
Partial |
Partial |
Partial |
|
The Web GUI in the client in IBM Tivoli Storage Manager (TSM) 6.3 before 6.3.1.0 and 6.4 before 6.4.0.1 allows man-in-the-middle attackers to obtain unspecified client access, and consequently obtain unspecified server access, via unknown vectors. |
|
46 |
CVE-2013-0471 |
|
|
DoS |
2013-02-20 |
2013-02-21 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
The traditional scheduler in the client in IBM Tivoli Storage Manager (TSM) before 6.2.5.0, 6.3 before 6.3.1.0, and 6.4 before 6.4.0.1, when Prompted mode is enabled, allows remote attackers to cause a denial of service (scheduling outage) via unspecified vectors. |
|
47 |
CVE-2013-0470 |
16 |
|
|
2013-04-05 |
2013-04-05 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
HTTPD in IBM Netezza Performance Portal 1.0.2 allows remote authenticated users to list application directories containing asset files via a direct request to a directory URI, as demonstrated by listing image files. |
|
48 |
CVE-2013-0467 |
264 |
|
|
2013-02-20 |
2013-02-21 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
IBM Eclipse Help System (IEHS), as used in IBM Data Studio 3.1 and 3.1.1 and other products, allows remote authenticated users to read source code via a crafted URL. |
|
49 |
CVE-2013-0466 |
79 |
|
XSS |
2013-02-20 |
2013-02-20 |
2.6 |
None |
Remote |
High |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in IBM WebSphere Message Broker 7.0 before 7.0.0.6 and 8.0 before 8.0.0.2, when wsdl support is enabled on a SOAPInput node, allows remote attackers to inject arbitrary web script or HTML via a wsdl request that is not properly handled during construction of an error message. |
|
50 |
CVE-2013-0465 |
|
|
DoS +Info |
2013-02-22 |
2013-03-04 |
5.4 |
None |
Local Network |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Unspecified vulnerability in the IBM WebSphere Cast Iron physical and virtual appliance 6.0 and 6.1 before 6.1.0.15 and 6.3 before 6.3.0.1, when LDAP authentication is enabled, allows remote attackers to obtain sensitive information, modify data, or cause a denial of service via unknown vectors. |
