Security Vulnerabilities - CVEs Published In July 2017
IBM Emptoris Contract Management 10.0 and 10.1 reveals detailed error messages in certain features that could cause an attacker to gain additional information to conduct further attacks. IBM X-Force ID: 116738.
CVSS Score
4.3
EPSS Score
0.002
Published
2017-07-19
IBM Tivoli Endpoint Manager (for Lifecycle/Power/Patch) Platform and Applications is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 123678.
CVSS Score
6.1
EPSS Score
0.003
Published
2017-07-19
IBM Tivoli Endpoint Manager is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 123858.
CVSS Score
8.8
EPSS Score
0.001
Published
2017-07-19
IBM Tivoli Endpoint Manager is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 123859.
CVSS Score
6.5
EPSS Score
0.005
Published
2017-07-19
IBM Tivoli Endpoint Manager could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim. IBM X-Force ID: 123902.
CVSS Score
6.1
EPSS Score
0.002
Published
2017-07-19
IBM Tivoli Endpoint Manager uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 123903.
CVSS Score
7.5
EPSS Score
0.001
Published
2017-07-19
IBM InfoSphere Master Data Management Server 11.0 - 11.6 stores user credentials in plain in clear text which can be read by a local user. IBM X-Force ID: 125463.
CVSS Score
7.8
EPSS Score
0.0
Published
2017-07-19
The Screensavercc component in eLux RP before 5.5.0 allows attackers to bypass intended configuration restrictions and execute arbitrary commands with root privileges by inserting commands in a local configuration dialog in the control panel.
CVSS Score
9.8
EPSS Score
0.015
Published
2017-07-19
In the XSS Protection API module before 1.0.12 in Apache Sling, the encoding done by the XSSAPI.encodeForJSString() method is not restrictive enough and for some input patterns allows script tags to pass through unencoded, leading to potential XSS vulnerabilities.
CVSS Score
6.1
EPSS Score
0.011
Published
2017-07-19
In the XSS Protection API module before 1.0.12 in Apache Sling, the method XSS.getValidXML() uses an insecure SAX parser to validate the input string, which allows for XXE attacks in all scripts which use this method to validate user input, potentially allowing an attacker to read sensitive data on the filesystem, perform same-site-request-forgery (SSRF), port-scanning behind the firewall or DoS the application.
CVSS Score
9.8
EPSS Score
0.013
Published
2017-07-19