CVE-2014-0849
https://notcve.org/view.php?id=CVE-2014-0849
IBM Maximo Asset Management 7.x before 7.5.0.3 IFIX027 and SmartCloud Control Desk 7.x before 7.5.0.3 and 7.5.1.x before 7.5.1.2 allow remote authenticated users to gain privileges by leveraging membership in two security groups. IBM Maximo Asset Management 7.x anterior a 7.5.0.3 IFIX027 y SmartCloud Control Desk 7.x anterior a 7.5.0.3 y 7.5.1.x anterior a 7.5.1.2 permiten a usuarios remotos autenticados ganar privilegios mediante el aprovechamiento de la pertenencia a dos grupos de seguridad. • http://www-01.ibm.com/support/docview.wss?uid=swg1IV53952 http://www-01.ibm.com/support/docview.wss?uid=swg21670870 https://exchange.xforce.ibmcloud.com/vulnerabilities/90738 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2013-5460
https://notcve.org/view.php?id=CVE-2013-5460
IBM Maximo Asset Management 7.x before 7.5.0.6 and SmartCloud Control Desk 7.x before 7.5.0.3 and 7.5.1.x before 7.5.1.2 allow remote authenticated users to bypass intended access restrictions, and read communication logs associated with unrelated records, via unspecified vectors. IBM Maximo Asset Management 7.x anterior a 7.5.0.6 y SmartCloud Control Desk 7.x anterior a 7.5.0.3 y 7.5.1.x anterior a 7.5.1.2 permiten a usuarios remotos autenticados evadir restricciones de acceso y leer registros de comunicación asociados con registros no relacionados a través de vectores no especificados. • http://www-01.ibm.com/support/docview.wss?uid=swg1IV46745 http://www-01.ibm.com/support/docview.wss?uid=swg21670870 https://exchange.xforce.ibmcloud.com/vulnerabilities/88308 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2013-6741
https://notcve.org/view.php?id=CVE-2013-6741
IBM Maximo Asset Management 7.x before 7.1.1.7 LAFIX.20140319-0837 and 7.5.x before 7.5.0.5 IFIX006; SmartCloud Control Desk 7.x before 7.5.0.3 and 7.5.1.x before 7.5.1.2; and Tivoli IT Asset Management for IT, Tivoli Service Request Manager, Maximo Service Desk, and Change and Configuration Management Database (CCMDB) 7.x before 7.1.1.7 LAFIX.20140319-0837 allow remote authenticated users to obtain potentially sensitive stack-trace information by triggering a Birt error. IBM Maximo Asset Management 7.x anterior a 7.1.1.7 LAFIX.20140319-0837 y 7.5.x anterior a 7.5.0.5 IFIX006; SmartCloud Control Desk 7.x anterior a 7.5.0.3 y 7.5.1.x anterior a 7.5.1.2 y Tivoli IT Asset Management For IT, Tivoli Service Request Manager, Maximo Service Desk y Change And Configuration Management Database (CCMDB) 7.x before 7.1.1.7 LAFIX.20140319-0837 permite a usuarios remotos autenticados obtener información de traza de pila potencialmente sensible mediante la provocación de un error Birt. • http://www-01.ibm.com/support/docview.wss?uid=swg1IV50316 http://www-01.ibm.com/support/docview.wss?uid=swg21670870 https://exchange.xforce.ibmcloud.com/vulnerabilities/89857 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2013-4016
https://notcve.org/view.php?id=CVE-2013-4016
SQL injection vulnerability in IBM Maximo Asset Management 7.x before 7.1.1.7 LAFIX.20140319-0837, 7.1.1.11 before IFIX.20140323-0749, 7.1.1.12 before IFIX.20140321-1336, 7.5.x before 7.5.0.3 IFIX027, 7.5.0.4 before IFIX011, and 7.5.0.5 before IFIX006; SmartCloud Control Desk 7.x before 7.5.0.3 and 7.5.1.x before 7.5.1.2; and Tivoli IT Asset Management for IT, Tivoli Service Request Manager, Maximo Service Desk, and Change and Configuration Management Database (CCMDB) 7.x before 7.1.1.7 LAFIX.20140319-0837, 7.1.1.11 before IFIX.20140207-1801, and 7.1.1.12 before IFIX.20140218-1510 allows remote authenticated users to execute arbitrary SQL commands via a Birt report with a WHERE clause in plain text. Vulnerabilidad de inyección SQL en IBM Maximo Asset Management 7.x anterior a 7.1.1.7 LAFIX.20140319-0837, 7.1.1.11 anterior a IFIX.20140323-0749, 7.1.1.12 anterior a IFIX.20140321-1336, 7.5.x anterior a 7.5.0.3 IFIX027, 7.5.0.4 anterior a IFIX011 y 7.5.0.5 anterior a IFIX006; SmartCloud Control Desk 7.x anterior a 7.5.0.3 y 7.5.1.x anterior a 7.5.1.2 y Tivoli IT Asset Management For IT, Tivoli Service Request Manager, Maximo Service Desk y Change And Configuration Management Database (CCMDB) 7.x anterior a 7.1.1.7 LAFIX.20140319-0837, 7.1.1.11 anterior a IFIX.20140207-1801 y 7.1.1.12 anterior a IFIX.20140218-1510 permite a usuarios remotos autenticados ejecutar comandos SQL arbitrarios a través de un informe Birt con una clausula WHERE en texto plano. • http://www-01.ibm.com/support/docview.wss?uid=swg1IV41871 http://www-01.ibm.com/support/docview.wss?uid=swg21670870 https://exchange.xforce.ibmcloud.com/vulnerabilities/85793 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2014-0825
https://notcve.org/view.php?id=CVE-2014-0825
Cross-site scripting (XSS) vulnerability in openreport.jsp in IBM Maximo Asset Management 7.x before 7.1.1.12 IFIX.20140321-1336 and 7.5.x before 7.5.0.5 IFIX006; SmartCloud Control Desk 7.x before 7.5.0.3 and 7.5.1.x before 7.5.1.2; and Tivoli IT Asset Management for IT, Tivoli Service Request Manager, Maximo Service Desk, and Change and Configuration Management Database (CCMDB) 7.x before 7.1.1.12 IFIX.20140218-1510 allows remote authenticated users to inject arbitrary web script or HTML via a crafted report parameter. Vulnerabilidad de XSS en openreport.jsp en IBM Maximo Asset Management 7.x anterior a 7.1.1.12 IFIX.20140321-1336 y 7.5.x anterior a 7.5.0.5 IFIX006; SmartCloud Control Desk 7.x anterior a 7.5.0.3 y 7.5.1.x anterior a 7.5.1.2 y Tivoli IT Asset Management For IT, Tivoli Service Request Manager, Maximo Service Desk y Change And Configuration Management Database (CCMDB) 7.x anterior a 7.1.1.12 IFIX.20140218-1510 permite a usuarios remotos autenticados inyectar secuencias de comandos web o HTML arbitrarios a través de un parámetro report manipulado. • http://www-01.ibm.com/support/docview.wss?uid=swg1IV53362 http://www-01.ibm.com/support/docview.wss?uid=swg21670870 https://exchange.xforce.ibmcloud.com/vulnerabilities/90501 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •