CVE-2013-3323
https://notcve.org/view.php?id=CVE-2013-3323
A Privilege Escalation Vulnerability exists in IBM Maximo Asset Management 7.5, 7.1, and 6.2, when WebSeal with Basic Authentication is used, due to a failure to invalidate the authentication session, which could let a malicious user obtain unauthorized access. Se presenta una vulnerabilidad de escalada de privilegios en IBM Maximo Asset Management versiones 7.5, 7.1 y 6.2, cuando WebSeal con Autenticación Básica es usado, debido a un fallo al invalidar la sesión de autenticación, lo que podría permitir a un usuario malicioso obtener acceso no autorizado. • http://www.securityfocus.com/bid/62685 https://exchange.xforce.ibmcloud.com/vulnerabilities/77920?_ga=2.229912220.1881683942.1582039056-713214152.1572980240 https://www.ibm.com/support/pages/node/235239 • CWE-269: Improper Privilege Management •
CVE-2018-1524
https://notcve.org/view.php?id=CVE-2018-1524
IBM Maximo Asset Management 7.6 through 7.6.3 installs with a default administrator account that a remote intruder could use to gain administrator access to the system. This vulnerability is due to an incomplete fix for CVE-2015-4966. IBM X-Force ID: 142116. IBM Maximo Asset Management, de la versión 7.6 a la 7.6.3, se instala con una cuenta de administrador por defecto que podría ser empleada por un atacante remoto para obtener acceso de administrador al sistema. Esta vulnerabilidad existe debido a una solución incompleta para CVE-2015-4966. • https://exchange.xforce.ibmcloud.com/vulnerabilities/142116 https://www.ibm.com/support/docview.wss?uid=swg22017452 • CWE-1188: Initialization of a Resource with an Insecure Default •
CVE-2015-5016
https://notcve.org/view.php?id=CVE-2015-5016
IBM Maximo Asset Management 7.1, 7.5, and 7.6; Maximo Asset Management Essentials 7.1 and 7.5; Control Desk 7.5 and 7.6; Tivoli Asset Management for IT 7.1 and 7.2; and certain other IBM products allow remote authenticated users to bypass intended access restrictions and read arbitrary ticket worklog entries via unspecified vectors. IBM X-Force ID: 106460. IBM Maximo Asset Management 7.1, 7.5 y 7.6; Maximo Asset Management Essentials 7.1 y 7.5; Control Desk 7.5 y 7.6; Tivoli Asset Management for IT 7.1 y 7.2; así como otros productos de IBM permiten que usuarios autenticados remotos omitan las restricciones de acceso previstas y lean entradas del registro de tareas de tickets arbitrarias mediante vectores sin especificar. IBM X-Force ID: 106460. • http://www-01.ibm.com/support/docview.wss?uid=swg21971160 https://exchange.xforce.ibmcloud.com/vulnerabilities/106460 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2016-5902
https://notcve.org/view.php?id=CVE-2016-5902
IBM Maximo Asset Management is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM Maximo Asset Management es vulnerable a XSS. Esta vulnerabilidad permite a usuarios incrustar código JavaScript arbitrario en la interfaz Web alterando así la funcionalidad intencionada conduciendo potencialmente a la divulgación de credenciales en una sesión de confianza. • http://www.ibm.com/support/docview.wss?uid=swg21988252 http://www.securityfocus.com/bid/92535 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2015-7448
https://notcve.org/view.php?id=CVE-2015-7448
SQL injection vulnerability in IBM Maximo Asset Management 7.1 through 7.1.1.13, 7.5.0 before 7.5.0.9 IFIX003, and 7.6.0 before 7.6.0.3 IFIX001; Maximo Asset Management 7.5.0 before 7.5.0.9 IFIX003, 7.5.1, and 7.6.0 before 7.6.0.3 IFIX001 for SmartCloud Control Desk; and Maximo Asset Management 7.1 through 7.1.1.13 and 7.2 for Tivoli IT Asset Management for IT and certain other products allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. Vulnerabilidad de inyección SQL en IBM Maximo Asset Management 7.1 hasta la versión 7.1.1.13, 7.5.0 en versiones anteriores a 7.5.0.9 IFIX003 y 7.6.0 en versiones anteriores a 7.6.0.3 IFIX001; Maximo Asset Management 7.5.0 en versiones anteriores a 7.5.0.9 IFIX003, 7.5.1 y 7.6.0 en versiones anteriores a 7.6.0.3 IFIX001 para SmartCloud Control Desk; y Maximo Asset Management 7.1 hasta la versión 7.1.1.13 y 7.2 para Tivoli IT Asset Management for IT y otros determinados productos permite a usuarios remotos autenticados ejecutar comandos SQL arbitrarios a través de vectores no especificados. • http://www-01.ibm.com/support/docview.wss?uid=swg21974938 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •