
CVE-2024-52900 – IBM Cognos Analytics cross-site scripting
https://notcve.org/view.php?id=CVE-2024-52900
28 Jun 2025 — IBM Cognos Analytics 11.2.0 through 12.2.4 Fix Pack 5 and 12.0.0 through 12.0.4 is vulnerable to stored cross-site scripting. This vulnerability allows authenticated users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. • https://www.ibm.com/support/pages/node/7238163 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2025-0923 – IBM Cognos Analytics information disclosure
https://notcve.org/view.php?id=CVE-2025-0923
11 Jun 2025 — IBM Cognos Analytics 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.2.4, 12.0.0, 12.0.1, 12.0.2, 12.0.3, and 12.0.4 stores source code on the web server that could aid in further attacks against the system. • https://www.ibm.com/support/pages/node/7234674 • CWE-540: Inclusion of Sensitive Information in Source Code

CVE-2025-0917 – IBM Cognos Analytics cross-site scripting
https://notcve.org/view.php?id=CVE-2025-0917
11 Jun 2025 — IBM Cognos Analytics 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.2.4, 12.0.0, 12.0.1, 12.0.2, 12.0.3, and 12.0.4 is vulnerable to stored cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. • https://www.ibm.com/support/pages/node/7234674 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2025-25032 – IBM Cognos Analytics denial of service
https://notcve.org/view.php?id=CVE-2025-25032
11 Jun 2025 — IBM Cognos Analytics 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.2.4, 12.0.0, 12.0.1, 12.0.2, 12.0.3, and 12.0.4 could allow an authenticated user to cause a denial of service by sending a specially crafted request that would exhaust memory resources. • https://www.ibm.com/support/pages/node/7234674 • CWE-770: Allocation of Resources Without Limits or Throttling

CVE-2024-56340 – IBM Cognos Analytics path traversal
https://notcve.org/view.php?id=CVE-2024-56340
28 Feb 2025 — IBM Cognos Analytics 11.2.0 through 11.2.4 FP5 is vulnerable to local file inclusion, allowing an attacker to access sensitive files by inserting path traversal payloads inside the deficon parameter. • https://github.com/MarioTesoro/CVE-2024-56340 • CWE-23: Relative Path Traversal

CVE-2025-0823 – IBM MQ path traversal
https://notcve.org/view.php?id=CVE-2025-0823
28 Feb 2025 — IBM Cognos Analytics 11.2.0 through 11.2.4 FP5 and 12.0.0 through 12.0.4 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. • https://www.ibm.com/support/pages/node/7183676 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2024-40695 – IBM Cognos Analytics file upload
https://notcve.org/view.php?id=CVE-2024-40695
20 Dec 2024 — IBM Cognos Analytics 11.2.0 through 11.2.4 FP4 and 12.0.0 through 12.0.4 could be vulnerable to malicious file upload by not validating the content of files uploaded to the web interface. Attackers can make use of this weakness to upload malicious executable files into the system, which can then be sent to a victim to perform further attacks. • https://www.ibm.com/support/pages/node/7179496 • CWE-434: Unrestricted Upload of File with Dangerous Type

CVE-2024-51466 – IBM Cognos Analytics expression language injection
https://notcve.org/view.php?id=CVE-2024-51466
20 Dec 2024 — IBM Cognos Analytics 11.2.0 through 11.2.4 FP4 and 12.0.0 through 12.0.4 is vulnerable to an Expression Language (EL) Injection vulnerability. A remote attacker could exploit this vulnerability to expose sensitive information, consume memory resources, and/or cause the server to crash when using a specially crafted EL statement. • https://www.ibm.com/support/pages/node/7179496 • CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

CVE-2024-25042 – IBM Cognos Analytics cross-site scripting
https://notcve.org/view.php?id=CVE-2024-25042
18 Dec 2024 — IBM Cognos Analytics 11.2.0 through 11.2.4 and 12.0.0 through 12.0.3 is potentially vulnerable to Cross Site Scripting (XSS). A remote attacker could execute malicious commands due to improper validation of column headings in Cognos Explorations. • https://www.ibm.com/support/pages/node/7173592 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2024-45082 – IBM Cognos Analytics HTTP open redirection
https://notcve.org/view.php?id=CVE-2024-45082
18 Dec 2024 — IBM Cognos Analytics 11.2.0 through 11.2.4 and 12.0.0 through 12.0.3 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. • https://www.ibm.com/support/pages/node/7177223 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')