CVE-2018-1443
https://notcve.org/view.php?id=CVE-2018-1443
An XML parsing vulnerability affects IBM SAML-based single sign-on (SSO) systems (IBM Security Access Manager 9.0.0 - 9.0.4 and IBM Tivoli Federated Identity Manager 6.2 - 6.0.2). This vulnerability can allow an attacker with authenticated access to trick SAML systems into authenticating as a different user without knowledge of the victim user's password. IBM X-Force ID: 139754.
References:
http://www.ibm.com/support/docview.wss?uid=swg22014160
http://www.ibm.com/support/docview.wss?uid=swg22014161
http://www.securityfocus.com/bid/103365
http://www.securitytracker.com/id/1040454
http://www.securitytracker.com/id/1040455
https://exchange.xforce.ibmcloud.com/vulnerabilities/139754
CWE-287: Improper Authentication

CVE-2016-0351
https://notcve.org/view.php?id=CVE-2016-0351
IBM Security Identity Manager Virtual Appliance 7.0.x before 7.0.1.3-ISS-SIM-IF0001 does not set the secure flag for the session cookie in an HTTPS session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an HTTP session. IBM X-Force ID: 111890.
References:
http://www-01.ibm.com/support/docview.wss?uid=swg21989198
https://exchange.xforce.ibmcloud.com/vulnerabilities/111890
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVE-2016-0367
https://notcve.org/view.php?id=CVE-2016-0367
IBM Security Identity Manager Virtual Appliance 7.0.x before 7.0.1.3-ISS-SIM-IF0001 allows remote authenticated users to obtain sensitive information by reading an error message. IBM X-Force ID: 112072.
References:
http://www-01.ibm.com/support/docview.wss?uid=swg21989198
https://exchange.xforce.ibmcloud.com/vulnerabilities/112072
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVE-2016-0366
https://notcve.org/view.php?id=CVE-2016-0366
IBM Security Identity Manager Virtual Appliance 7.0.x before 7.0.1.3-ISS-SIM-IF0001 might allow remote attackers to obtain sensitive information by leveraging weak encryption. IBM X-Force ID: 112071.
References:
http://www-01.ibm.com/support/docview.wss?uid=swg21986260
https://exchange.xforce.ibmcloud.com/vulnerabilities/112071
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVE-2016-0336
https://notcve.org/view.php?id=CVE-2016-0336
Cross-site scripting (XSS) vulnerability in IBM Security Identity Manager (ISIM) Virtual Appliance 7.0.0.0 through 7.0.1.0 before 7.0.1-ISS-SIM-FP0001 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. IBM X-Force ID: 111737.
References:
http://www-01.ibm.com/support/docview.wss?uid=swg21981438
https://exchange.xforce.ibmcloud.com/vulnerabilities/111737
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')