CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 1CVE-2024-56340 – IBM Cognos Analytics path traversal
https://notcve.org/view.php?id=CVE-2024-56340
28 Feb 2025 — IBM Cognos Analytics 11.2.0 through 11.2.4 FP5 is vulnerable to local file inclusion vulnerability, allowing an attacker to access sensitive files by inserting path traversal payloads inside the deficon parameter. • https://github.com/MarioTesoro/CVE-2024-56340 • CWE-23: Relative Path Traversal •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2025-0823 – IBM MQ path traversal
https://notcve.org/view.php?id=CVE-2025-0823
28 Feb 2025 — IBM Cognos Analytics 11.2.0 through 11.2.4 FP5 and 12.0.0 through 12.0.4 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. • https://www.ibm.com/support/pages/node/7183676 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-49352 – IBM Cognos Anaytics XML external entity injection
https://notcve.org/view.php?id=CVE-2024-49352
05 Feb 2025 — IBM Cognos Analytics 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.2.4, 12.0.0, 12.0.1, 12.0.2, 12.0.3, and 12.0.4 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. • https://www.ibm.com/support/pages/node/7181480 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 4.2EPSS: 0%CPEs: 2EXPL: 0CVE-2023-38009 – IBM Cognos Analytics Mobile information disclosure
https://notcve.org/view.php?id=CVE-2023-38009
26 Jan 2025 — IBM Cognos Mobile Client 1.1 iOS may be vulnerable to information disclosure through man in the middle techniques due to the lack of certificate pinning. • https://www.ibm.com/support/pages/node/7172691 • CWE-295: Improper Certificate Validation •
CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 0CVE-2024-40695 – IBM Cognos Analytics file upload
https://notcve.org/view.php?id=CVE-2024-40695
20 Dec 2024 — IBM Cognos Analytics 11.2.0 through 11.2.4 FP4 and 12.0.0 through 12.0.4 could be vulnerable to malicious file upload by not validating the content of the file uploaded to the web interface. Attackers can make use of this weakness and upload malicious executable files into the system, and it can be sent to victim for performing further attacks. • https://www.ibm.com/support/pages/node/7179496 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 0CVE-2024-51466 – IBM Cognos Analytics expression language injection
https://notcve.org/view.php?id=CVE-2024-51466
20 Dec 2024 — IBM Cognos Analytics 11.2.0 through 11.2.4 FP4 and 12.0.0 through 12.0.4 is vulnerable to an Expression Language (EL) Injection vulnerability. A remote attacker could exploit this vulnerability to expose sensitive information, consume memory resources, and/or cause the server to crash when using a specially crafted EL statement. • https://www.ibm.com/support/pages/node/7179496 • CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2021-39081 – IBM Cognos Analytics Mobile information disclosure
https://notcve.org/view.php?id=CVE-2021-39081
19 Dec 2024 — IBM Cognos Analytics Mobile for Android 1.1.14 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM Cognos Analytics Mobile para Android 1.1.14 utiliza algoritmos criptográficos más débiles de lo esperado que podrían permitir a un atacante descifrar información altamente confidencial. • https://www.ibm.com/support/pages/node/6555140 • CWE-319: Cleartext Transmission of Sensitive Information •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-25042 – IBM Cognos Analytics cross-site scripting
https://notcve.org/view.php?id=CVE-2024-25042
18 Dec 2024 — IBM Cognos Analytics 11.2.0 through 11.2.4 and 12.0.0 through 12.0.3 is potentially vulnerable to Cross Site Scripting (XSS). A remote attacker could execute malicious commands due to improper validation of column headings in Cognos Explorations. IBM Cognos Analytics 11.2.0 through 11.2.4 and 12.0.0 through 12.0.3 is potentially vulnerable to Cross Site Scripting (XSS). A remote attacker could execute malicious commands due to improper validation of column headings in Cognos Explorations. • https://www.ibm.com/support/pages/node/7173592 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-45082 – IBM Cognos Analytics HTTP open redirection
https://notcve.org/view.php?id=CVE-2024-45082
18 Dec 2024 — IBM Cognos Analytics 11.2.0 through 11.2.4 and 12.0.0 through 12.0.3 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. IBM Cognos Analytics 11.2.0 through 11.2.4 and 12.0.0 through 12.0.3 could allow a remote attacker to conduct phishing attacks, using an ... • https://www.ibm.com/support/pages/node/7177223 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0CVE-2024-41752 – IBM Cognos Analytics HTML injection
https://notcve.org/view.php?id=CVE-2024-41752
18 Dec 2024 — IBM Cognos Analytics 11.2.0 through 11.2.4 and 12.0.0 through 12.0.3 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. IBM Cognos Analytics 11.2.0 through 11.2.4 and 12.0.0 through 12.0.3 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security conte... • https://www.ibm.com/support/pages/node/7177223 • CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •