CVE-2018-1443
https://notcve.org/view.php?id=CVE-2018-1443
An XML parsing vulnerability affects IBM SAML-based single sign-on (SSO) systems (IBM Security Access Manager 9.0.0 - 9.0.4 and IBM Tivoli Federated Identity Manager 6.2 - 6.0.2.) This vulnerability can allow an attacker with authenticated access to trick SAML systems into authenticating as a different user without knowledge of the victim users password. IBM X-Force ID: 139754. Una vulnerabilidad de análisis sintáctico de XML afecta a los sistemas SSO (Single Sign On) basados en SAML de IBM (IBM Security Access Manager 9.0.0 - 9.0.4 e IBM Tivoli Federated Identity Manager 6.2 - 6.0.2.). Esta vulnerabilidad puede permitir que un atacante con acceso autenticado engañe a los sistemas SAML para que se autentique como un usuario diferente sin conocer la contraseña de usuario de la víctima. • http://www.ibm.com/support/docview.wss?uid=swg22014160 http://www.ibm.com/support/docview.wss?uid=swg22014161 http://www.securityfocus.com/bid/103365 http://www.securitytracker.com/id/1040454 http://www.securitytracker.com/id/1040455 https://exchange.xforce.ibmcloud.com/vulnerabilities/139754 • CWE-287: Improper Authentication •
CVE-2017-1319
https://notcve.org/view.php?id=CVE-2017-1319
IBM Tivoli Federated Identity Manager 6.2 is affected by a vulnerability due to a missing secure attribute in encrypted session (SSL) cookie. IBM X-Force ID: 125731. Tivoli Federated Identity Manager versión 6.2 de IBM, está afectado por una vulnerabilidad debido a la falta de un atributo seguro en la sesión cookie cifrada (SSL). ID de IBM X-Force: 125731. • http://www-01.ibm.com/support/docview.wss?uid=swg22002871 http://www.securitytracker.com/id/1038504 https://exchange.xforce.ibmcloud.com/vulnerabilities/125731 • CWE-326: Inadequate Encryption Strength •
CVE-2017-1320
https://notcve.org/view.php?id=CVE-2017-1320
IBM Tivoli Federated Identity Manager 6.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 125732. Tivoli Federated Identity Manager versión 6.2 de IMB, es vulnerable a un problema de tipo cross-site-scripting. Esta vulnerabilidad permite a los usuarios insertar código JavaScript arbitrario en la interfaz de usuario web, lo que altera la funcionalidad prevista que puede conllevar a la divulgación de credenciales dentro de una sesión de confianza. • http://www.ibm.com/support/docview.wss?uid=swg22002877 http://www.securitytracker.com/id/1038505 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2015-4959
https://notcve.org/view.php?id=CVE-2015-4959
Cross-site scripting (XSS) vulnerability in IBM Tivoli Federated Identity Manager (TFIM) 6.2.2 before FP16 allows remote attackers to inject arbitrary web script or HTML via a crafted URL. Vulnerabilidad de XSS en IBM Tivoli Federated Identity Manager (TFIM) 6.2.2 en versiones anteriores a FP16 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de una URL manipulada. • http://www-01.ibm.com/support/docview.wss?uid=swg1IV77558 http://www-01.ibm.com/support/docview.wss?uid=swg21974157 http://www.securitytracker.com/id/1034697 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2015-1966
https://notcve.org/view.php?id=CVE-2015-1966
Multiple cross-site scripting (XSS) vulnerabilities in IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 before FP17, 6.2.1 before FP9, and 6.2.2 before FP15, as used in Security Access Manager for Mobile and other products, allow remote attackers to inject arbitrary web script or HTML via a crafted URL, related to the (1) ERROR_DESCRIPTION and (2) TOKEN:RelayState macros. Múltiples vulnerabilidades de XSS en IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 anterior a FP17, 6.2.1 anterior a FP9, y 6.2.2 anterior a FP15, utilizado en Security Access Manager for Mobile y otros productos, permiten a atacantes remotos inyectar secuencias de comandos web arbitrarios o HTML a través de una URL manipulada, relacionado con los macros (1) ERROR_DESCRIPTION y (2) TOKEN:RelayState. • http://www-01.ibm.com/support/docview.wss?uid=swg1IV74198 http://www-01.ibm.com/support/docview.wss?uid=swg1IV74199 http://www-01.ibm.com/support/docview.wss?uid=swg1IV74200 http://www-01.ibm.com/support/docview.wss?uid=swg21959071 http://www.securityfocus.com/bid/75537 http://www.securitytracker.com/id/1032767 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •