CVSS: 6.5EPSS: 0%CPEs: 39EXPL: 0CVE-2013-4016
https://notcve.org/view.php?id=CVE-2013-4016
SQL injection vulnerability in IBM Maximo Asset Management 7.x before 7.1.1.7 LAFIX.20140319-0837, 7.1.1.11 before IFIX.20140323-0749, 7.1.1.12 before IFIX.20140321-1336, 7.5.x before 7.5.0.3 IFIX027, 7.5.0.4 before IFIX011, and 7.5.0.5 before IFIX006; SmartCloud Control Desk 7.x before 7.5.0.3 and 7.5.1.x before 7.5.1.2; and Tivoli IT Asset Management for IT, Tivoli Service Request Manager, Maximo Service Desk, and Change and Configuration Management Database (CCMDB) 7.x before 7.1.1.7 LAFIX.20140319-0837, 7.1.1.11 before IFIX.20140207-1801, and 7.1.1.12 before IFIX.20140218-1510 allows remote authenticated users to execute arbitrary SQL commands via a Birt report with a WHERE clause in plain text. Vulnerabilidad de inyección SQL en IBM Maximo Asset Management 7.x anterior a 7.1.1.7 LAFIX.20140319-0837, 7.1.1.11 anterior a IFIX.20140323-0749, 7.1.1.12 anterior a IFIX.20140321-1336, 7.5.x anterior a 7.5.0.3 IFIX027, 7.5.0.4 anterior a IFIX011 y 7.5.0.5 anterior a IFIX006; SmartCloud Control Desk 7.x anterior a 7.5.0.3 y 7.5.1.x anterior a 7.5.1.2 y Tivoli IT Asset Management For IT, Tivoli Service Request Manager, Maximo Service Desk y Change And Configuration Management Database (CCMDB) 7.x anterior a 7.1.1.7 LAFIX.20140319-0837, 7.1.1.11 anterior a IFIX.20140207-1801 y 7.1.1.12 anterior a IFIX.20140218-1510 permite a usuarios remotos autenticados ejecutar comandos SQL arbitrarios a través de un informe Birt con una clausula WHERE en texto plano. • http://www-01.ibm.com/support/docview.wss?uid=swg1IV41871 http://www-01.ibm.com/support/docview.wss?uid=swg21670870 https://exchange.xforce.ibmcloud.com/vulnerabilities/85793 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 3.5EPSS: 0%CPEs: 29EXPL: 0CVE-2013-6741
https://notcve.org/view.php?id=CVE-2013-6741
IBM Maximo Asset Management 7.x before 7.1.1.7 LAFIX.20140319-0837 and 7.5.x before 7.5.0.5 IFIX006; SmartCloud Control Desk 7.x before 7.5.0.3 and 7.5.1.x before 7.5.1.2; and Tivoli IT Asset Management for IT, Tivoli Service Request Manager, Maximo Service Desk, and Change and Configuration Management Database (CCMDB) 7.x before 7.1.1.7 LAFIX.20140319-0837 allow remote authenticated users to obtain potentially sensitive stack-trace information by triggering a Birt error. IBM Maximo Asset Management 7.x anterior a 7.1.1.7 LAFIX.20140319-0837 y 7.5.x anterior a 7.5.0.5 IFIX006; SmartCloud Control Desk 7.x anterior a 7.5.0.3 y 7.5.1.x anterior a 7.5.1.2 y Tivoli IT Asset Management For IT, Tivoli Service Request Manager, Maximo Service Desk y Change And Configuration Management Database (CCMDB) 7.x before 7.1.1.7 LAFIX.20140319-0837 permite a usuarios remotos autenticados obtener información de traza de pila potencialmente sensible mediante la provocación de un error Birt. • http://www-01.ibm.com/support/docview.wss?uid=swg1IV50316 http://www-01.ibm.com/support/docview.wss?uid=swg21670870 https://exchange.xforce.ibmcloud.com/vulnerabilities/89857 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.0EPSS: 0%CPEs: 25EXPL: 0CVE-2014-0849
https://notcve.org/view.php?id=CVE-2014-0849
IBM Maximo Asset Management 7.x before 7.5.0.3 IFIX027 and SmartCloud Control Desk 7.x before 7.5.0.3 and 7.5.1.x before 7.5.1.2 allow remote authenticated users to gain privileges by leveraging membership in two security groups. IBM Maximo Asset Management 7.x anterior a 7.5.0.3 IFIX027 y SmartCloud Control Desk 7.x anterior a 7.5.0.3 y 7.5.1.x anterior a 7.5.1.2 permiten a usuarios remotos autenticados ganar privilegios mediante el aprovechamiento de la pertenencia a dos grupos de seguridad. • http://www-01.ibm.com/support/docview.wss?uid=swg1IV53952 http://www-01.ibm.com/support/docview.wss?uid=swg21670870 https://exchange.xforce.ibmcloud.com/vulnerabilities/90738 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.5EPSS: 0%CPEs: 38EXPL: 0CVE-2013-5465
https://notcve.org/view.php?id=CVE-2013-5465
IBM Maximo Asset Management 7.x before 7.1.1.7 LAFIX.20140319-0837, 7.1.1.11 before IFIX.20140323-0749, 7.1.1.12 before IFIX.20140321-1336, 7.5.x before 7.5.0.3 IFIX027, and 7.5.0.4 before IFIX011; SmartCloud Control Desk 7.x before 7.5.0.3 and 7.5.1.x before 7.5.1.2; and Tivoli IT Asset Management for IT, Tivoli Service Request Manager, Maximo Service Desk, and Change and Configuration Management Database (CCMDB) 7.x before 7.1.1.7 LAFIX.20140319-0837, 7.1.1.11 before IFIX.20140207-1801, and 7.1.1.12 before IFIX.20140218-1510 do not properly restrict file types during uploads, which allows remote authenticated users to have an unspecified impact via an invalid type. IBM Maximo Asset Management 7.x anterior a 7.1.1.7 LAFIX.20140319-0837, 7.1.1.11 anterior a IFIX.20140323-0749, 7.1.1.12 anterior a IFIX.20140321-1336, 7.5.x anterior a 7.5.0.3 IFIX027 y 7.5.0.4 anterior a IFIX011; SmartCloud Control Desk 7.x anterior a 7.5.0.3 y 7.5.1.x anterior a 7.5.1.2 y Tivoli IT Asset Management For IT, Tivoli Service Request Manager, Maximo Service Desk y Change And Configuration Management Database (CCMDB) 7.x anterior a 7.1.1.7 LAFIX.20140319-0837, 7.1.1.11 anterior a IFIX.20140207-1801 y 7.1.1.12 anterior a IFIX.20140218-1510 no restringen debidamente tipos de archivo durante subidas, lo que permite a usuarios remotos autenticados tener un impacto no especificado a través de un tipo inválido. • http://www-01.ibm.com/support/docview.wss?uid=swg1IV46511 http://www-01.ibm.com/support/docview.wss?uid=swg21670870 https://exchange.xforce.ibmcloud.com/vulnerabilities/88364 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 4.3EPSS: 0%CPEs: 26EXPL: 0CVE-2012-3333
https://notcve.org/view.php?id=CVE-2012-3333
CRLF injection vulnerability in IBM Maximo Asset Management 7.x before 7.5.0.6 and SmartCloud Control Desk 7.x before 7.5.0.3 and 7.5.1.x before 7.5.1.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted parameter in a URL. Vulnerabilidad de inyección CRLF en IBM Maximo Asset Management 7.x anterior a 7.5.0.6 y SmartCloud Control Desk 7.x anterior a 7.5.0.3 y 7.5.1.x anterior a 7.5.1.2 permite a atacantes remotos inyectar cabeceras HTTP arbitrarias y realizar ataques de división de respuestas HTTP a través de un parámetro manipulado en una URL. • http://www-01.ibm.com/support/docview.wss?uid=swg1IV26377 http://www-01.ibm.com/support/docview.wss?uid=swg21670870 https://exchange.xforce.ibmcloud.com/vulnerabilities/78145 •