CVE-2013-4016
https://notcve.org/view.php?id=CVE-2013-4016
SQL injection vulnerability in IBM Maximo Asset Management 7.x before 7.1.1.7 LAFIX.20140319-0837, 7.1.1.11 before IFIX.20140323-0749, 7.1.1.12 before IFIX.20140321-1336, 7.5.x before 7.5.0.3 IFIX027, 7.5.0.4 before IFIX011, and 7.5.0.5 before IFIX006; SmartCloud Control Desk 7.x before 7.5.0.3 and 7.5.1.x before 7.5.1.2; and Tivoli IT Asset Management for IT, Tivoli Service Request Manager, Maximo Service Desk, and Change and Configuration Management Database (CCMDB) 7.x before 7.1.1.7 LAFIX.20140319-0837, 7.1.1.11 before IFIX.20140207-1801, and 7.1.1.12 before IFIX.20140218-1510 allows remote authenticated users to execute arbitrary SQL commands via a Birt report with a WHERE clause in plain text. Vulnerabilidad de inyección SQL en IBM Maximo Asset Management 7.x anterior a 7.1.1.7 LAFIX.20140319-0837, 7.1.1.11 anterior a IFIX.20140323-0749, 7.1.1.12 anterior a IFIX.20140321-1336, 7.5.x anterior a 7.5.0.3 IFIX027, 7.5.0.4 anterior a IFIX011 y 7.5.0.5 anterior a IFIX006; SmartCloud Control Desk 7.x anterior a 7.5.0.3 y 7.5.1.x anterior a 7.5.1.2 y Tivoli IT Asset Management For IT, Tivoli Service Request Manager, Maximo Service Desk y Change And Configuration Management Database (CCMDB) 7.x anterior a 7.1.1.7 LAFIX.20140319-0837, 7.1.1.11 anterior a IFIX.20140207-1801 y 7.1.1.12 anterior a IFIX.20140218-1510 permite a usuarios remotos autenticados ejecutar comandos SQL arbitrarios a través de un informe Birt con una clausula WHERE en texto plano. • http://www-01.ibm.com/support/docview.wss?uid=swg1IV41871 http://www-01.ibm.com/support/docview.wss?uid=swg21670870 https://exchange.xforce.ibmcloud.com/vulnerabilities/85793 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2014-0824
https://notcve.org/view.php?id=CVE-2014-0824
Cross-site scripting (XSS) vulnerability in IBM Maximo Asset Management 7.x before 7.1.1.8 LAFIX.20140319-0839 and 7.1.1.12 before IFIX.20140321-1336 and Tivoli IT Asset Management for IT, Tivoli Service Request Manager, Maximo Service Desk, and Change and Configuration Management Database (CCMDB) 7.x before 7.1.1.8 LAFIX.20140319-0839 and 7.1.1.12 before IFIX.20140218-1510 allows remote authenticated users to inject arbitrary web script or HTML via an attachment URL. Vulnerabilidad de XSS en IBM Maximo Asset Management 7.x anterior a 7.1.1.8 LAFIX.20140319-0839 y 7.1.1.12 anterior a IFIX.20140321-1336 y Tivoli IT Asset Management For IT, Tivoli Service Request Manager, Maximo Service Desk y Change And Configuration Management Database (CCMDB) 7.x anterior a 7.1.1.8 LAFIX.20140319-0839 y 7.1.1.12 anterior a IFIX.20140218-1510 permite a usuarios remotos autenticados inyectar secuencias de comandos web o HTML arbitrarios a través de una URL adjunta. • http://www-01.ibm.com/support/docview.wss?uid=swg1IV52829 http://www-01.ibm.com/support/docview.wss?uid=swg21670870 https://exchange.xforce.ibmcloud.com/vulnerabilities/90500 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2014-0825
https://notcve.org/view.php?id=CVE-2014-0825
Cross-site scripting (XSS) vulnerability in openreport.jsp in IBM Maximo Asset Management 7.x before 7.1.1.12 IFIX.20140321-1336 and 7.5.x before 7.5.0.5 IFIX006; SmartCloud Control Desk 7.x before 7.5.0.3 and 7.5.1.x before 7.5.1.2; and Tivoli IT Asset Management for IT, Tivoli Service Request Manager, Maximo Service Desk, and Change and Configuration Management Database (CCMDB) 7.x before 7.1.1.12 IFIX.20140218-1510 allows remote authenticated users to inject arbitrary web script or HTML via a crafted report parameter. Vulnerabilidad de XSS en openreport.jsp en IBM Maximo Asset Management 7.x anterior a 7.1.1.12 IFIX.20140321-1336 y 7.5.x anterior a 7.5.0.5 IFIX006; SmartCloud Control Desk 7.x anterior a 7.5.0.3 y 7.5.1.x anterior a 7.5.1.2 y Tivoli IT Asset Management For IT, Tivoli Service Request Manager, Maximo Service Desk y Change And Configuration Management Database (CCMDB) 7.x anterior a 7.1.1.12 IFIX.20140218-1510 permite a usuarios remotos autenticados inyectar secuencias de comandos web o HTML arbitrarios a través de un parámetro report manipulado. • http://www-01.ibm.com/support/docview.wss?uid=swg1IV53362 http://www-01.ibm.com/support/docview.wss?uid=swg21670870 https://exchange.xforce.ibmcloud.com/vulnerabilities/90501 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2013-5465
https://notcve.org/view.php?id=CVE-2013-5465
IBM Maximo Asset Management 7.x before 7.1.1.7 LAFIX.20140319-0837, 7.1.1.11 before IFIX.20140323-0749, 7.1.1.12 before IFIX.20140321-1336, 7.5.x before 7.5.0.3 IFIX027, and 7.5.0.4 before IFIX011; SmartCloud Control Desk 7.x before 7.5.0.3 and 7.5.1.x before 7.5.1.2; and Tivoli IT Asset Management for IT, Tivoli Service Request Manager, Maximo Service Desk, and Change and Configuration Management Database (CCMDB) 7.x before 7.1.1.7 LAFIX.20140319-0837, 7.1.1.11 before IFIX.20140207-1801, and 7.1.1.12 before IFIX.20140218-1510 do not properly restrict file types during uploads, which allows remote authenticated users to have an unspecified impact via an invalid type. IBM Maximo Asset Management 7.x anterior a 7.1.1.7 LAFIX.20140319-0837, 7.1.1.11 anterior a IFIX.20140323-0749, 7.1.1.12 anterior a IFIX.20140321-1336, 7.5.x anterior a 7.5.0.3 IFIX027 y 7.5.0.4 anterior a IFIX011; SmartCloud Control Desk 7.x anterior a 7.5.0.3 y 7.5.1.x anterior a 7.5.1.2 y Tivoli IT Asset Management For IT, Tivoli Service Request Manager, Maximo Service Desk y Change And Configuration Management Database (CCMDB) 7.x anterior a 7.1.1.7 LAFIX.20140319-0837, 7.1.1.11 anterior a IFIX.20140207-1801 y 7.1.1.12 anterior a IFIX.20140218-1510 no restringen debidamente tipos de archivo durante subidas, lo que permite a usuarios remotos autenticados tener un impacto no especificado a través de un tipo inválido. • http://www-01.ibm.com/support/docview.wss?uid=swg1IV46511 http://www-01.ibm.com/support/docview.wss?uid=swg21670870 https://exchange.xforce.ibmcloud.com/vulnerabilities/88364 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2013-5402
https://notcve.org/view.php?id=CVE-2013-5402
Cross-site scripting (XSS) vulnerability in IBM Maximo Asset Management, Maximo Asset Management Essentials, Maximo for Government, Maximo for Nuclear Power, Maximo for Transportation, Maximo for Life Sciences, Maximo for Oil and Gas, and Maximo for Utilities 7.1.x through 7.1.1.12, 7.1.2, 7.5 before 7.5.0.3 IFIX014, and 7.5.0.5 before IFIX003; SmartCloud Control Desk (SCCD) 7.5 before 7.5.0.3 IFIX014 and 7.5.0.5 before IFIX003; and Tivoli Asset Management for IT, Tivoli Service Request Manager, Maximo Service Desk, and Change and Configuration Management Database (CCMDB) 7.1.x through 7.1.1.12, 7.1.2, and 7.2.x through 7.2.1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de cross-site scripting (XSS) en IBM Maximo Asset Management, Maximo Asset Management Essentials, Maximo for Government, Maximo for Nuclear Power, Maximo for Transportation, Maximo for Life Sciences, Maximo for Oil and Gas, y Maximo for Utilities 7.1.x a 7.1.1.12, 7.5 anteriores a 7.5.0.3 IFIX014, y 7.5.0.5 anteriores a IFIX003; SmartCloud Control Desk (SCCD) 7.5 anteriores a 7.5.0.3 IFIX014 y 7.5.0.5 anteriores a IFIX003; y Tivoli Asset Management for IT, Tivoli Service Request Manager, Maximo Service Desk, y Change y Configuration Management Database (CCMDB) 7.1.x a 7.1.1.12, 7.1.2, y 7.2.x a 7.2.1 permite a usuarios autenticados remotamente inyectar scripts web o HTML arbitrarios a través de vectores no especificados. • http://www-01.ibm.com/support/docview.wss?uid=swg1IV49268 http://www-01.ibm.com/support/docview.wss?uid=swg21660032 http://www.securityfocus.com/bid/64333 https://exchange.xforce.ibmcloud.com/vulnerabilities/87298 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •