CVE-2021-29872
https://notcve.org/view.php?id=CVE-2021-29872
IBM Cloud Pak for Automation 21.0.1 and 21.0.2 - Business Automation Studio Component is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. By sending a specially crafted HTTP request, a remote attacker could exploit this vulnerability to inject HTTP HOST header, which will allow the attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. IBM X-Force ID: 206228. IBM Cloud Pak for Automation versiones 21.0.1 y 21.0.2 - Business Automation Studio Component es vulnerable a una inyección de encabezados HTTP, causada por una comprobación inapropiada de la entrada de los encabezados HOST. Mediante el envío de una petición HTTP especialmente diseñada, un atacante remoto podría explotar esta vulnerabilidad para inyectar el encabezado HTTP HOST, lo que permitiría al atacante llevar a cabo varios ataques contra el sistema vulnerable, incluyendo de tipo cross-site scripting, envenenamiento de caché o secuestro de sesión. • https://exchange.xforce.ibmcloud.com/vulnerabilities/206228 https://www.ibm.com/support/pages/node/6541294 • CWE-116: Improper Encoding or Escaping of Output •
CVE-2021-29775
https://notcve.org/view.php?id=CVE-2021-29775
IBM Business Automation Workflow 19.0.03 and 20.0 and IBM Cloud Pak for Automation 20.0.3-IF002 and 21.0.1 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 203029. IBM Business Automation Workflow versiones 19.0.03 y 20.0 e IBM Cloud Pak for Automation versiones 20.0.3-IF002 y 21.0.1, son vulnerables a ataques de tipo cross-site scripting. Esta vulnerabilidad permite a usuarios insertar código JavaScript arbitrario en la Interfaz de Usuario Web, alterando así la funcionalidad prevista y conllevando potencialmente a una divulgación de credenciales dentro de una sesión confiable. • https://exchange.xforce.ibmcloud.com/vulnerabilities/203029 https://www.ibm.com/support/pages/node/6465127 https://www.ibm.com/support/pages/node/6467057 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-20482
https://notcve.org/view.php?id=CVE-2021-20482
IBM Cloud Pak for Automation 20.0.2 and 20.0.3 IF002 are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 197504. IBM Cloud Pak for Automation versiones 20.0.2 y 20.0.3 IF002, son vulnerables a un ataque de tipo External Entity Injection (XXE) al procesar datos XML. Un atacante remoto podría aprovechar esta vulnerabilidad para exponer información confidencial o consumir recursos de la memoria. • https://exchange.xforce.ibmcloud.com/vulnerabilities/197504 https://www.ibm.com/support/pages/node/6437577 • CWE-611: Improper Restriction of XML External Entity Reference •
CVE-2021-20359
https://notcve.org/view.php?id=CVE-2021-20359
IBM Cloud Pak for Automation 20.0.3, 20.0.2-IF002 - Business Automation Application Designer Component stores potentially sensitive information in log files that could be obtained by an unauthorized user. IBM X-Force ID: 194966. IBM Cloud Pak for Automation versiones 20.0.3, 20.0.2-IF002 - Business Automation Application Designer Component, almacena información potencialmente confidencial en archivos de registro que podría obtener un usuario no autorizado. IBM X-Force ID: 194966 • https://exchange.xforce.ibmcloud.com/vulnerabilities/194966 https://www.ibm.com/support/pages/node/6412345 • CWE-532: Insertion of Sensitive Information into Log File •
CVE-2021-20358
https://notcve.org/view.php?id=CVE-2021-20358
IBM Cloud Pak for Automation 20.0.3, 20.0.2-IF002 stores potentially sensitive information in clear text in API connection log files. This information could be obtained by a user with permissions to read log files. IBM X-Force ID: 194965. IBM Cloud Pak for Automation versiones 20.0.3, 20.0.2-IF002, almacena información potencialmente confidencial en texto sin cifrar en archivos de registro de conexión de la API. Esta información puede ser obtenida por un usuario con permisos para leer archivos de registro. • https://exchange.xforce.ibmcloud.com/vulnerabilities/194965 https://www.ibm.com/support/pages/node/6412345 • CWE-312: Cleartext Storage of Sensitive Information •