CVE-2022-22330
https://notcve.org/view.php?id=CVE-2022-22330
IBM Control Desk 7.6.1 could allow a remote attacker to obtain sensitive information, caused by the failure to set the HTTPOnly flag. A remote attacker could exploit this vulnerability to obtain sensitive information from the cookie. IBM X-Force ID: 219126.
• https://exchange.xforce.ibmcloud.com/vulnerabilities/219126
• https://www.ibm.com/support/pages/node/6619739
• CWE-732: Incorrect Permission Assignment for Critical Resource
CVE-2022-22329
https://notcve.org/view.php?id=CVE-2022-22329
IBM Control Desk 7.6.1 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending an http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. IBM X-Force ID: 219124.
• https://exchange.xforce.ibmcloud.com/vulnerabilities/219124
• https://www.ibm.com/support/pages/node/6619739
CVE-2021-20559
https://notcve.org/view.php?id=CVE-2021-20559
IBM Control Desk 7.6.1.2 and 7.6.1.3 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 199228.
• https://exchange.xforce.ibmcloud.com/vulnerabilities/199228
• https://www.ibm.com/support/pages/node/6450759
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')