CVE-2023-35011 – IBM Cognos Analytics server-side request forgey
https://notcve.org/view.php?id=CVE-2023-35011
IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 257705. • https://exchange.xforce.ibmcloud.com/vulnerabilities/257705 https://security.netapp.com/advisory/ntap-20230921-0005 https://security.netapp.com/advisory/ntap-20240621-0005 https://www.ibm.com/support/pages/node/7026692 • CWE-918: Server-Side Request Forgery (SSRF) •
CVE-2023-35009 – IBM Cognos Analytics information disclosure
https://notcve.org/view.php?id=CVE-2023-35009
IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 could allow a remote attacker to obtain system information without authentication which could be used in reconnaissance to gather information that could be used for future attacks. IBM X-Force ID: 257703. • https://exchange.xforce.ibmcloud.com/vulnerabilities/257703 https://security.netapp.com/advisory/ntap-20230831-0014 https://security.netapp.com/advisory/ntap-20240621-0005 https://www.ibm.com/support/pages/node/7026692 • CWE-209: Generation of Error Message Containing Sensitive Information •
CVE-2023-28530 – IBM Cognos Analytics cross-site scripting
https://notcve.org/view.php?id=CVE-2023-28530
IBM Cognos Analytics 11.1 and 11.2 is vulnerable to stored cross-site scripting, caused by improper validation of SVG Files in Custom Visualizations. A remote attacker could exploit this vulnerability to execute scripts in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. IBM X-Force ID: 251214. • https://exchange.xforce.ibmcloud.com/vulnerabilities/251214 https://security.netapp.com/advisory/ntap-20230814-0005 https://www.ibm.com/support/pages/node/7012621 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-25929 – IBM Cognos Analytics cross-site scripting
https://notcve.org/view.php?id=CVE-2023-25929
IBM Cognos Analytics 11.1 and 11.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 247861. • https://exchange.xforce.ibmcloud.com/vulnerabilities/247861 https://security.netapp.com/advisory/ntap-20230814-0005 https://www.ibm.com/support/pages/node/7012621 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •