CVE-2018-1443
https://notcve.org/view.php?id=CVE-2018-1443
An XML parsing vulnerability affects IBM SAML-based single sign-on (SSO) systems (IBM Security Access Manager 9.0.0 - 9.0.4 and IBM Tivoli Federated Identity Manager 6.2 - 6.0.2.) This vulnerability can allow an attacker with authenticated access to trick SAML systems into authenticating as a different user without knowledge of the victim users password. IBM X-Force ID: 139754. Una vulnerabilidad de análisis sintáctico de XML afecta a los sistemas SSO (Single Sign On) basados en SAML de IBM (IBM Security Access Manager 9.0.0 - 9.0.4 e IBM Tivoli Federated Identity Manager 6.2 - 6.0.2.). Esta vulnerabilidad puede permitir que un atacante con acceso autenticado engañe a los sistemas SAML para que se autentique como un usuario diferente sin conocer la contraseña de usuario de la víctima. • http://www.ibm.com/support/docview.wss?uid=swg22014160 http://www.ibm.com/support/docview.wss?uid=swg22014161 http://www.securityfocus.com/bid/103365 http://www.securitytracker.com/id/1040454 http://www.securitytracker.com/id/1040455 https://exchange.xforce.ibmcloud.com/vulnerabilities/139754 • CWE-287: Improper Authentication •
CVE-2017-1478
https://notcve.org/view.php?id=CVE-2017-1478
IBM Security Access Manager Appliance 9.0.0 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 128613. La versión 9.0.0 de IBM Security Access Manager Appliance permite que las páginas web se almacenen localmente, lo que permite que sean leídas por otro usuario en el sistema. IBM X-Force ID: 128613. • http://www.ibm.com/support/docview.wss?uid=swg22012323 http://www.securityfocus.com/bid/102502 http://www.securitytracker.com/id/1040172 https://exchange.xforce.ibmcloud.com/vulnerabilities/128613 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2017-1534
https://notcve.org/view.php?id=CVE-2017-1534
IBM Security Access Manager Appliance 8.0.0 and 9.0.0 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim. IBM X-Force ID: 130676. IBM Security Access Manager Appliance en sus versiones 8.0.0 y 9.0.0 podría permitir que un atacante remoto lleve a cabo ataques de phishing empleando un ataque de redirección abierta. • http://www.ibm.com/support/docview.wss?uid=swg22008936 http://www.securityfocus.com/bid/102509 http://www.securitytracker.com/id/1040169 https://exchange.xforce.ibmcloud.com/vulnerabilities/130676 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVE-2017-1489
https://notcve.org/view.php?id=CVE-2017-1489
IBM Security Access Manager 6.1, 7.0, 8.0, and 9.0 e-community configurations may be affected by a redirect vulnerability. ECSSO Master Authentication can redirect to a server not participating in an e-community domain. IBM X-Force ID: 128687. Las configuraciones e-community de IBM Security Access Manager 6.1, 7.0, 8.0, y 9.0 podrían estar afectadas por una vulnerabilidad de redirección. ECSSO Master Authentication puede redireccionar a un servidor que no participa en un dominio e-community. • http://www.ibm.com/support/docview.wss?uid=swg22006959 http://www.securityfocus.com/bid/100592 http://www.securitytracker.com/id/1039227 https://exchange.xforce.ibmcloud.com/vulnerabilities/128687 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVE-2016-3045
https://notcve.org/view.php?id=CVE-2016-3045
IBM Security Access Manager for Web stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referer header or browser history. IBM Security Access Manager para Web almacena información sensible en parámetros URL. Esto puede dar lugar a la divulgación de información si las partes no autorizadas tienen acceso a las URL a través de los registros del servidor, el encabezado referente o el historial del navegador. • http://www.ibm.com/support/docview.wss?uid=swg21995435 http://www.securityfocus.com/bid/95103 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •