CVE-2014-0915
https://notcve.org/view.php?id=CVE-2014-0915
Multiple cross-site scripting (XSS) vulnerabilities in IBM Maximo Asset Management 6.2 through 6.2.8, 6.x and 7.1 through 7.1.1.2, and 7.5 through 7.5.0.6; Maximo Asset Management 7.5 through 7.5.0.3 and 7.5.1 through 7.5.1.2 for SmartCloud Control Desk; and Maximo Asset Management 6.2 through 6.2.8, 7.1 through 7.1.1.2, and 7.2 for Tivoli Asset Management for IT and certain other products allow remote authenticated users to inject arbitrary web script or HTML via (1) the KPI display name field or (2) a portlet field. Múltiples vulnerabilidades de XSS en IBM Maximo Asset Management 6.2 hasta 6.2.8, 6.x y 7.1 hasta 7.1.1.2 y 7.5 hasta 7.5.0.6; Maximo Asset Management 7.5 hasta 7.5.0.3 y 7.5.1 hasta 7.5.1.2 para SmartCloud Control Desk; y Maximo Asset Management 6.2 hasta 6.2.8, 7.1 hasta 7.1.1.2 y 7.2 para Tivoli Asset Management for IT y ciertos otros productos permiten a usuarios remotos autenticados inyectar secuencias de comandos web o HTML arbitrarios a través de (1) el campo KPI display name o (2) un campo portlet. • http://secunia.com/advisories/59570 http://secunia.com/advisories/59640 http://www-01.ibm.com/support/docview.wss?uid=swg1IV56680 http://www-01.ibm.com/support/docview.wss?uid=swg21678894 http://www.securityfocus.com/archive/1/533110/100/0/threaded https://exchange.xforce.ibmcloud.com/vulnerabilities/91884 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2014-0914
https://notcve.org/view.php?id=CVE-2014-0914
Cross-site scripting (XSS) vulnerability in IBM Maximo Asset Management 6.2 through 6.2.8 and 6.x and 7.x through 7.5.0.6, Maximo Asset Management 7.5 through 7.5.0.3 and 7.5.1 through 7.5.1.2 for SmartCloud Control Desk, and Maximo Asset Management 6.2 through 6.2.8 for Tivoli IT Asset Management for IT and Maximo Service Desk allows remote authenticated users to inject arbitrary web script or HTML via the Query Description Field. Vulnerabilidad de XSS en IBM Maximo Asset Management 6.2 hasta 6.2.8 y 6.x y 7.x hasta 7.5.0.6, Maximo Asset Management 7.5 hasta 7.5.0.3 y 7.5.1 hasta 7.5.1.2 para SmartCloud Control Desk y Maximo Asset Management 6.2 hasta 6.2.8 para Tivoli IT Asset Management for IT y Maximo Service Desk permite a usuarios remotos autenticados inyectar secuencias de comandos web o HTML arbitrarios a través del campo Query Description. • http://secunia.com/advisories/59570 http://secunia.com/advisories/59640 http://www-01.ibm.com/support/docview.wss?uid=swg1IV56679 http://www-01.ibm.com/support/docview.wss?uid=swg21678885 http://www.securityfocus.com/archive/1/533110/100/0/threaded http://www.securityfocus.com/bid/68839 https://exchange.xforce.ibmcloud.com/vulnerabilities/91883 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2014-3025
https://notcve.org/view.php?id=CVE-2014-3025
Multiple cross-site scripting (XSS) vulnerabilities in IBM Maximo Asset Management 6.2 through 6.2.8, 6.x and 7.1 through 7.1.1.2, and 7.5 through 7.5.0.6; Maximo Asset Management 7.5 through 7.5.0.3 and 7.5.1 through 7.5.1.2 for SmartCloud Control Desk; and Maximo Asset Management 6.2 through 6.2.8, 7.1 through 7.1.1.2, and 7.2 for Tivoli Asset Management for IT and certain other products allow remote authenticated users to inject arbitrary web script or HTML via unspecified input to a .jsp file under webclient/utility/. Múltiples vulnerabilidades de XSS en IBM Maximo Asset Management 6.2 hasta 6.2.8, 6.x y 7.1 hasta 7.1.1.2 y 7.5 hasta 7.5.0.6; Maximo Asset Management 7.5 hasta 7.5.0.3 y 7.5.1 hasta 7.5.1.2 para SmartCloud Control Desk; y Maximo Asset Management 6.2 hasta 6.2.8, 7.1 hasta 7.1.1.2 y 7.2 para Tivoli Asset Management for IT y ciertos otros productos permiten a usuarios remotos autenticados inyectar secuencias de comandos web o HTML arbitrarios a través de entradas no especificadas en un fichero .jsp bajo webclient/utility/. • http://secunia.com/advisories/59570 http://secunia.com/advisories/59640 http://www-01.ibm.com/support/docview.wss?uid=swg1IV57241 http://www-01.ibm.com/support/docview.wss?uid=swg21678754 https://exchange.xforce.ibmcloud.com/vulnerabilities/93064 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2014-3026
https://notcve.org/view.php?id=CVE-2014-3026
CRLF injection vulnerability in IBM Maximo Asset Management 7.5 through 7.5.0.6, and 7.5 through 7.5.0.3 and 7.5.1 through 7.5.1.2 for SmartCloud Control Desk, allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors. Vulnerabilidad de inyección CRLF en IBM Maximo Asset Management 7.5 hasta 7.5.0.6 y 7.5 hasta 7.5.0.3 y 7.5.1 hasta 7.5.1.2 para SmartCloud Control Desk, permite a usuarios remotos autenticados inyectar cabeceras HTTP arbitrarias y realizar ataques de división de respuestas HTTP a través de vectores no especificados. • http://secunia.com/advisories/59570 http://www-01.ibm.com/support/docview.wss?uid=swg21678798 https://exchange.xforce.ibmcloud.com/vulnerabilities/93065 •
CVE-2014-0849
https://notcve.org/view.php?id=CVE-2014-0849
IBM Maximo Asset Management 7.x before 7.5.0.3 IFIX027 and SmartCloud Control Desk 7.x before 7.5.0.3 and 7.5.1.x before 7.5.1.2 allow remote authenticated users to gain privileges by leveraging membership in two security groups. IBM Maximo Asset Management 7.x anterior a 7.5.0.3 IFIX027 y SmartCloud Control Desk 7.x anterior a 7.5.0.3 y 7.5.1.x anterior a 7.5.1.2 permiten a usuarios remotos autenticados ganar privilegios mediante el aprovechamiento de la pertenencia a dos grupos de seguridad. • http://www-01.ibm.com/support/docview.wss?uid=swg1IV53952 http://www-01.ibm.com/support/docview.wss?uid=swg21670870 https://exchange.xforce.ibmcloud.com/vulnerabilities/90738 • CWE-264: Permissions, Privileges, and Access Controls •