CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 1CVE-2024-56340 – IBM Cognos Analytics path traversal
https://notcve.org/view.php?id=CVE-2024-56340
28 Feb 2025 — IBM Cognos Analytics 11.2.0 through 11.2.4 FP5 is vulnerable to local file inclusion vulnerability, allowing an attacker to access sensitive files by inserting path traversal payloads inside the deficon parameter. • https://github.com/MarioTesoro/CVE-2024-56340 • CWE-23: Relative Path Traversal •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2025-0823 – IBM MQ path traversal
https://notcve.org/view.php?id=CVE-2025-0823
28 Feb 2025 — IBM Cognos Analytics 11.2.0 through 11.2.4 FP5 and 12.0.0 through 12.0.4 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. • https://www.ibm.com/support/pages/node/7183676 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 0CVE-2024-40695 – IBM Cognos Analytics file upload
https://notcve.org/view.php?id=CVE-2024-40695
20 Dec 2024 — IBM Cognos Analytics 11.2.0 through 11.2.4 FP4 and 12.0.0 through 12.0.4 could be vulnerable to malicious file upload by not validating the content of the file uploaded to the web interface. Attackers can make use of this weakness and upload malicious executable files into the system, and it can be sent to victim for performing further attacks. • https://www.ibm.com/support/pages/node/7179496 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 0CVE-2024-51466 – IBM Cognos Analytics expression language injection
https://notcve.org/view.php?id=CVE-2024-51466
20 Dec 2024 — IBM Cognos Analytics 11.2.0 through 11.2.4 FP4 and 12.0.0 through 12.0.4 is vulnerable to an Expression Language (EL) Injection vulnerability. A remote attacker could exploit this vulnerability to expose sensitive information, consume memory resources, and/or cause the server to crash when using a specially crafted EL statement. • https://www.ibm.com/support/pages/node/7179496 • CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-25042 – IBM Cognos Analytics cross-site scripting
https://notcve.org/view.php?id=CVE-2024-25042
18 Dec 2024 — IBM Cognos Analytics 11.2.0 through 11.2.4 and 12.0.0 through 12.0.3 is potentially vulnerable to Cross Site Scripting (XSS). A remote attacker could execute malicious commands due to improper validation of column headings in Cognos Explorations. IBM Cognos Analytics 11.2.0 through 11.2.4 and 12.0.0 through 12.0.3 is potentially vulnerable to Cross Site Scripting (XSS). A remote attacker could execute malicious commands due to improper validation of column headings in Cognos Explorations. • https://www.ibm.com/support/pages/node/7173592 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-45082 – IBM Cognos Analytics HTTP open redirection
https://notcve.org/view.php?id=CVE-2024-45082
18 Dec 2024 — IBM Cognos Analytics 11.2.0 through 11.2.4 and 12.0.0 through 12.0.3 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. IBM Cognos Analytics 11.2.0 through 11.2.4 and 12.0.0 through 12.0.3 could allow a remote attacker to conduct phishing attacks, using an ... • https://www.ibm.com/support/pages/node/7177223 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0CVE-2024-41752 – IBM Cognos Analytics HTML injection
https://notcve.org/view.php?id=CVE-2024-41752
18 Dec 2024 — IBM Cognos Analytics 11.2.0 through 11.2.4 and 12.0.0 through 12.0.3 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. IBM Cognos Analytics 11.2.0 through 11.2.4 and 12.0.0 through 12.0.3 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security conte... • https://www.ibm.com/support/pages/node/7177223 • CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVSS: 5.5EPSS: 0%CPEs: 14EXPL: 0CVE-2023-35011 – IBM Cognos Analytics server-side request forgey
https://notcve.org/view.php?id=CVE-2023-35011
16 Aug 2023 — IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 257705. • https://exchange.xforce.ibmcloud.com/vulnerabilities/257705 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 5.3EPSS: 0%CPEs: 14EXPL: 0CVE-2023-35009 – IBM Cognos Analytics information disclosure
https://notcve.org/view.php?id=CVE-2023-35009
16 Aug 2023 — IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 could allow a remote attacker to obtain system information without authentication which could be used in reconnaissance to gather information that could be used for future attacks. IBM X-Force ID: 257703. • https://exchange.xforce.ibmcloud.com/vulnerabilities/257703 • CWE-209: Generation of Error Message Containing Sensitive Information •
CVSS: 5.5EPSS: 0%CPEs: 11EXPL: 0CVE-2023-28530 – IBM Cognos Analytics cross-site scripting
https://notcve.org/view.php?id=CVE-2023-28530
22 Jul 2023 — IBM Cognos Analytics 11.1 and 11.2 is vulnerable to stored cross-site scripting, caused by improper validation of SVG Files in Custom Visualizations. A remote attacker could exploit this vulnerability to execute scripts in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. IBM X-Force ID: 251214. • https://exchange.xforce.ibmcloud.com/vulnerabilities/251214 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •