CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2018-1813
https://notcve.org/view.php?id=CVE-2018-1813
IBM Security Access Manager Appliance 9.0.1.0, 9.0.2.0, 9.0.3.0, 9.0.4.0, and 9.0.5.0 uses incomplete blacklisting for input validation which allows attackers to bypass application controls resulting in direct impact to the system and data integrity. IBM X-Force ID: 150017. IBM Security Access Manager Appliance 9.0.1.0, 9.0.2.0, 9.0.3.0, 9.0.4.0 y 9.0.5.0 emplea listas negras incompletas para validar entradas, lo que permite que los atacantes omitan los controles de la aplicación, lo que provoca un impacto directo al sistema y a la integridad de los datos. IBM X-Force ID: 150017. • http://www.ibm.com/support/docview.wss?uid=ibm10787785 https://exchange.xforce.ibmcloud.com/vulnerabilities/150017 •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2018-1740
https://notcve.org/view.php?id=CVE-2018-1740
IBM Security Access Manager Appliance 9.0.1.0, 9.0.2.0, 9.0.3.0, 9.0.4.0, and 9.0.5.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 148419. IBM Security Access Manager Appliance 9.0.1.0, 9.0.2.0, 9.0.3.0, 9.0.4.0 y 9.0.5.0 es vulnerable a Cross-Site Scripting (XSS). Esta vulnerabilidad permite que los usuarios embeban código JavaScript arbitrario en la interfaz de usuario web, lo que altera las funcionalidades previstas. • http://www.ibm.com/support/docview.wss?uid=ibm10787785 https://exchange.xforce.ibmcloud.com/vulnerabilities/148419 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2018-1815
https://notcve.org/view.php?id=CVE-2018-1815
IBM Security Access Manager Appliance 9.0.1.0, 9.0.2.0, 9.0.3.0, 9.0.4.0, and 9.0.5.0 for Enterprise Single-Sign On is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 150019. IBM Security Access Manager Appliance 9.0.1.0, 9.0.2.0, 9.0.3.0, 9.0.4.0 y 9.0.5.0 para Enterprise Single-Sign On es vulnerable a Cross-Site Scripting (XSS). Esta vulnerabilidad permite que los usuarios embeban código JavaScript arbitrario en la interfaz de usuario web, lo que altera las funcionalidades previstas. • http://www.ibm.com/support/docview.wss?uid=ibm10787785 https://exchange.xforce.ibmcloud.com/vulnerabilities/150019 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2018-1887
https://notcve.org/view.php?id=CVE-2018-1887
IBM Security Access Manager Appliance 9.0.1.0, 9.0.2.0, 9.0.3.0, 9.0.4.0, and 9.0.5.0 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 152078. IBM Security Access Manager Appliance 9.0.1.0, 9.0.2.0, 9.0.3.0, 9.0.4.0 y 9.0.5.0 contiene credenciales embebidas, como una contraseña o una clave criptográfica, que emplea para su propia autenticación entrante, comunicación saliente hacia componentes externos o para cifrar datos internos. IBM X-Force ID: 152078. • http://www.ibm.com/support/docview.wss?uid=ibm10787785 https://exchange.xforce.ibmcloud.com/vulnerabilities/152078 • CWE-798: Use of Hard-coded Credentials •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2018-1804
https://notcve.org/view.php?id=CVE-2018-1804
IBM Security Access Manager Appliance 9.0.1.0, 9.0.2.0, 9.0.3.0, 9.0.4.0, and 9.0.5.0 does not set the secure attribute on authorization tokens or session cookies. This could allow an attacker to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 149703. IBM Security Access Manager Appliance 9.0.1.0, 9.0.2.0, 9.0.3.0, 9.0.4.0 y 9.0.5.0 no establece el atributo "secure" en los tokens de autorización o las cookies de sesión. Esto podría permitir que un atacante explote esta vulnerabilidad para obtener información sensible empleando técnicas Man-in-the-Middle (MitM). • http://www.ibm.com/support/docview.wss?uid=ibm10787785 https://exchange.xforce.ibmcloud.com/vulnerabilities/149703 • CWE-384: Session Fixation •