| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1001 | CVE-2020-4574 | 521 | | | 2020-07-29 | 2020-07-30 | 5.0 | None | Remote | Low | Not required | Partial | None | None | IBM Tivoli Key Lifecycle Manager does not require that users have strong passwords by default, which makes it easier for attackers to compromise user accounts. IBM X-Force ID: 184181. |
| 1002 | CVE-2020-4573 | 200 | | +Info | 2020-07-29 | 2021-07-21 | 5.0 | None | Remote | Low | Not required | Partial | None | None | IBM Tivoli Key Lifecycle Manager 3.0.1 and 4.0 could disclose sensitive information due to responding to unauthenticated HTTP requests. IBM X-Force ID: 184180. |
| 1003 | CVE-2020-4572 | 200 | | +Info | 2020-07-29 | 2021-07-21 | 5.0 | None | Remote | Low | Not required | Partial | None | None | IBM Tivoli Key Lifecycle Manager 3.0.1 and 4.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 184179. |
| 1004 | CVE-2020-4569 | 668 | | Bypass | 2020-07-29 | 2020-07-29 | 6.4 | None | Remote | Low | Not required | Partial | Partial | None | IBM Tivoli Key Lifecycle Manager 3.0.1 and 4.0 uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism. IBM X-Force ID: 184158. |
| 1005 | CVE-2020-4567 | 522 | | | 2020-07-29 | 2021-07-21 | 5.0 | None | Remote | Low | Not required | Partial | None | None | IBM Tivoli Key Lifecycle Manager 3.0.1 and 4.0 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 184156. |
| 1006 | CVE-2020-4527 | 384 | | +Info | 2020-07-20 | 2020-07-22 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | IBM Planning Analytics 2.0 could allow a remote attacker to obtain sensitive information, caused by the failure to set the Secure flag for the session cookie in TLS mode. By intercepting its transmission within an HTTP session, an attacker could exploit this vulnerability to capture the cookie and obtain sensitive information. IBM X-Force ID: 182631. |
| 1007 | CVE-2020-4513 | 79 | | XSS | 2020-07-14 | 2020-07-14 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | IBM QRadar SIEM 7.3 and 7.4 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 182368. |
| 1008 | CVE-2020-4512 | 78 | | Exec Code | 2020-07-14 | 2020-07-14 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | IBM QRadar SIEM 7.3 and 7.4 could allow a remote privileged user to execute commands. |
| 1009 | CVE-2020-4511 | | | DoS | 2020-07-14 | 2020-07-14 | 4.0 | None | Remote | Low | ??? | None | None | Partial | IBM QRadar SIEM 7.3 and 7.4 could allow an authenticated user to cause a denial of service of the qflow process by sending a malformed sflow command. IBM X-Force ID: 182366. |
| 1010 | CVE-2020-4510 | 611 | | | 2020-07-14 | 2020-07-14 | 5.5 | None | Remote | Low | ??? | Partial | None | Partial | IBM QRadar SIEM 7.3 and 7.4 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 182365. |
| 1011 | CVE-2020-4498 | 200 | | +Info | 2020-07-27 | 2021-07-21 | 2.1 | None | Local | Low | Not required | Partial | None | None | IBM MQ Appliance 9.1 LTS and 9.1 CD could allow a local privileged user to obtain highly sensitive information due to inclusion of data within trace files. IBM X-Force ID: 182118. |
| 1012 | CVE-2020-4466 | | | DoS | 2020-07-20 | 2020-07-22 | 4.0 | None | Remote | Low | ??? | None | None | Partial | IBM MQ for HPE NonStop 8.0.4 and 8.1.0 could allow a remote authenticated attacker to cause a denial of service due to an error within the Queue processing function. IBM X-Force ID: 181563. |
| 1013 | CVE-2020-4465 | 120 | | DoS Overflow | 2020-07-28 | 2020-07-28 | 4.0 | None | Remote | Low | ??? | None | None | Partial | IBM MQ, IBM MQ Appliance, and IBM MQ for HPE NonStop 8.0, 9.1 CD, and 9.1 LTS are vulnerable to a buffer overflow due to an error within the channel processing code. A remote attacker could overflow the buffer using an older client and cause a denial of service. IBM X-Force ID: 181562. |
| 1014 | CVE-2020-4464 | 502 | | Exec Code | 2020-07-17 | 2020-07-22 | 9.0 | None | Remote | Low | ??? | Complete | Complete | Complete | IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 traditional could allow a remote attacker to execute arbitrary code on a system with a specially-crafted sequence of serialized objects over the SOAP connector. IBM X-Force ID: 181489. |
| 1015 | CVE-2020-4463 | 611 | | | 2020-07-29 | 2020-07-30 | 6.4 | None | Remote | Low | Not required | Partial | None | Partial | IBM Maximo Asset Management 7.6.0.1 and 7.6.0.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 181484. |
| 1016 | CVE-2020-4462 | 611 | | | 2020-07-16 | 2020-07-22 | 6.4 | None | Remote | Low | Not required | Partial | None | Partial | IBM Sterling External Authentication Server 6.0.1, 6.0.0, 2.4.3.2, and 2.4.2 and IBM Sterling Secure Proxy 6.0.1, 6.0.0, 3.4.3, and 3.4.2 are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 181482. |
| 1017 | CVE-2020-4447 | 79 | | XSS | 2020-07-23 | 2020-07-27 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | IBM FileNet Content Manager 5.5.3 and 5.5.4 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 181227. |
| 1018 | CVE-2020-4420 | 404 | | DoS Exec Code | 2020-07-01 | 2020-07-07 | 5.0 | None | Remote | Low | Not required | None | None | Partial | IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 could allow an unauthenticated attacker to cause a denial of service due to a hang in the execution of a terminate command. IBM X-Force ID: 180076. |
| 1019 | CVE-2020-4414 | 732 | | DoS +Info | 2020-07-01 | 2021-07-21 | 3.6 | None | Local | Low | Not required | Partial | None | Partial | IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 could allow a local attacker to perform unauthorized actions on the system, caused by improper usage of shared memory. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information or cause a denial of service. IBM X-Force ID: 179989. |
| 1020 | CVE-2020-4408 | 522 | | | 2020-07-27 | 2020-07-28 | 2.1 | None | Local | Low | Not required | Partial | None | None | The IBM QRadar Advisor 1.1 through 2.5.2 with Watson App for IBM QRadar SIEM does not adequately mask all passwords during input, which could be obtained by a physical attacker nearby. IBM X-Force ID: 179536. |
| 1021 | CVE-2020-4405 | 532 | | | 2020-07-27 | 2020-07-28 | 4.0 | None | Remote | Low | ??? | Partial | None | None | IBM Verify Gateway (IVG) 1.0.0 and 1.0.1 could disclose potentially sensitive information to an authenticated user due to world-readable log files. IBM X-Force ID: 179484. |
| 1022 | CVE-2020-4400 | 522 | | | 2020-07-22 | 2021-07-21 | 5.0 | None | Remote | Low | Not required | Partial | None | None | IBM Verify Gateway (IVG) 1.0.0 and 1.0.1 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 179478. |
| 1023 | CVE-2020-4399 | | | DoS | 2020-07-22 | 2020-07-24 | 4.0 | None | Remote | Low | ??? | None | None | Partial | IBM Verify Gateway (IVG) 1.0.0 and 1.0.1 could allow an authenticated user to send malformed requests to cause a denial of service against the server. IBM X-Force ID: 179476. |
| 1024 | CVE-2020-4397 | 319 | | +Info | 2020-07-22 | 2020-07-24 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | IBM Verify Gateway (IVG) 1.0.0 and 1.0.1 transmits sensitive information in plain text, which could be obtained by an attacker using man-in-the-middle techniques. IBM X-Force ID: 179428. |
| 1025 | CVE-2020-4387 | 362 | | +Info | 2020-07-01 | 2020-07-07 | 1.9 | None | Local | Medium | Not required | Partial | None | None | IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 could allow a local user to obtain sensitive information using a race condition of a symbolic link. IBM X-Force ID: 179269. |
| 1026 | CVE-2020-4386 | 362 | | +Info | 2020-07-01 | 2020-07-07 | 1.9 | None | Local | Medium | Not required | Partial | None | None | IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 could allow a local user to obtain sensitive information using a race condition of a symbolic link. IBM X-Force ID: 179268. |
| 1027 | CVE-2020-4385 | 798 | | | 2020-07-22 | 2020-07-24 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | IBM Verify Gateway (IVG) 1.0.0 and 1.0.1 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 179266. |
| 1028 | CVE-2020-4376 | | | DoS | 2020-07-01 | 2020-07-07 | 4.0 | None | Remote | Low | ??? | None | None | Partial | IBM MQ, IBM MQ Appliance, and IBM MQ for HPE NonStop 8.0.4 and 8.1.0 could allow an attacker to cause a denial of service caused by an error within the pubsub logic. IBM X-Force ID: 179081. |
| 1029 | CVE-2020-4375 | 772 | | DoS | 2020-07-28 | 2021-07-21 | 5.0 | None | Remote | Low | Not required | None | None | Partial | IBM MQ, IBM MQ Appliance, and IBM MQ for HPE NonStop 8.0, 9.1 CD, and 9.1 LTS could allow an attacker to cause a denial of service due to a memory leak caused by an error creating a dynamic queue. IBM X-Force ID: 179080. |
| 1030 | CVE-2020-4372 | 522 | | | 2020-07-22 | 2020-07-24 | 2.1 | None | Local | Low | Not required | Partial | None | None | IBM Verify Gateway (IVG) 1.0.0 and 1.0.1 stores user credentials in clear text, which can be read by a local user. IBM X-Force ID: 179009. |
| 1031 | CVE-2020-4371 | 922 | | | 2020-07-22 | 2020-07-24 | 2.1 | None | Local | Low | Not required | Partial | None | None | IBM Verify Gateway (IVG) 1.0.0 and 1.0.1 contains sensitive information in leftover debug code that could be used to aid a local user in further attacks against the system. IBM X-Force ID: 179008. |
| 1032 | CVE-2020-4369 | 312 | | +Info | 2020-07-22 | 2020-07-24 | 2.1 | None | Local | Low | Not required | Partial | None | None | IBM Verify Gateway (IVG) 1.0.0 and 1.0.1 stores highly sensitive information in cleartext that could be obtained by a user. IBM X-Force ID: 179004. |
| 1033 | CVE-2020-4364 | 79 | | XSS | 2020-07-14 | 2020-07-14 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | IBM QRadar SIEM 7.3 and 7.4 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 178961. |
| 1034 | CVE-2020-4363 | 120 | | Exec Code Overflow | 2020-07-01 | 2020-07-07 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete | IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 is vulnerable to a buffer overflow, caused by improper bounds checking, which could allow a local attacker to execute arbitrary code on the system with root privileges. IBM X-Force ID: 178960. |
| 1035 | CVE-2020-4361 | 200 | | +Info | 2020-07-20 | 2020-07-22 | 4.0 | None | Remote | Low | ??? | Partial | None | None | IBM Planning Analytics 2.0 could allow a remote attacker to obtain sensitive information by disclosing private IP addresses in HTTP responses. IBM X-Force ID: 178766. |
| 1036 | CVE-2020-4355 | 400 | | DoS | 2020-07-01 | 2021-07-21 | 5.0 | None | Remote | Low | Not required | None | None | Partial | IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 is vulnerable to a denial of service, caused by improper handling of Secure Sockets Layer (SSL) renegotiation requests. By sending specially-crafted requests, a remote attacker could exploit this vulnerability to increase the resource usage on the system. IBM X-Force ID: 178507. |
| 1037 | CVE-2020-4319 | 200 | | +Info | 2020-07-28 | 2021-07-21 | 3.5 | None | Remote | Medium | ??? | Partial | None | None | IBM MQ, IBM MQ Appliance, and IBM MQ for HPE NonStop 8.0, 9.1 LTS, and 9.1 CD could, under special circumstances, allow an authenticated user to obtain sensitive information due to a data leak from an error message within the pre-v7 pubsub logic. IBM X-Force ID: 177402. |
| 1038 | CVE-2020-4318 | 79 | | XSS | 2020-07-28 | 2020-07-28 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | IBM Intelligent Operations Center for Emergency Management, Intelligent Operations Center (IOC), and IBM Water Operations for Waternamics are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 177356. |
| 1039 | CVE-2020-4317 | 79 | | XSS | 2020-07-28 | 2020-07-28 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | IBM Intelligent Operations Center for Emergency Management, Intelligent Operations Center (IOC), and IBM Water Operations for Waternamics are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 177355. |
| 1040 | CVE-2020-4316 | | | | 2020-07-16 | 2020-07-22 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | IBM Publishing Engine 6.0.6, 6.0.6.1, and 7.0 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending an http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. IBM X-Force ID: 177354. |
| 1041 | CVE-2020-4305 | 502 | | Exec Code | 2020-07-09 | 2020-07-17 | 9.3 | None | Remote | Medium | Not required | Complete | Complete | Complete | IBM InfoSphere Information Server 11.3, 11.5, and 11.7 could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of untrusted data. By persuading a victim to visit a specially crafted Web site, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 176677. |
| 1042 | CVE-2020-4186 | 200 | | +Info | 2020-07-30 | 2020-08-05 | 5.0 | None | Remote | Low | Not required | Partial | None | None | IBM Security Guardium 10.5, 10.6, and 11.1 could disclose sensitive information on the login page that could aid in further attacks against the system. IBM X-Force ID: 174804. |
| 1043 | CVE-2020-4185 | 327 | | | 2020-07-30 | 2020-08-05 | 5.0 | None | Remote | Low | Not required | Partial | None | None | IBM Security Guardium 10.5, 10.6, and 11.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 174803. |
| 1044 | CVE-2020-4173 | | | | 2020-07-09 | 2020-07-17 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | IBM Guardium Activity Insights 10.6 and 11.0 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending an http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. IBM X-Force ID: 174682. |
| 1045 | CVE-2020-4125 | 494 | | | 2020-07-20 | 2020-07-24 | 5.5 | None | Remote | Low | ??? | Partial | Partial | None | Using HCL Marketing Operations 9.1.2.4, 10.1.x, 11.1.0.x, a malicious attacker could download files from the RHEL environment by modifying the link, giving the attacker access to confidential information. |
| 1046 | CVE-2020-4104 | 79 | | XSS | 2020-07-17 | 2020-07-22 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | HCL BigFix WebUI is vulnerable to stored cross-site scripting (XSS) within the Apps->Software module. An attacker can use XSS to send a malicious script to an unsuspecting user. This affects all versions prior to the latest releases as specified in https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0080855&sys_kb_id=971d99ed1b8ed01c086dcbfc0a4bcb6a. |
| 1047 | CVE-2020-4100 | 913 | | | 2020-07-15 | 2020-07-22 | 2.1 | None | Local | Low | Not required | None | Partial | None | "HCL Verse for Android was found to employ dynamic code loading. This mechanism allows a developer to specify which components of the application should not be loaded by default when the application is started. Typically, core components and additional dependencies are loaded natively at runtime; however, dynamically loaded components are only loaded as they are specifically requested. While this can have a positive impact on performance, or grant additional functionality (for example, a non-invasive update feature), it can also open the application to loading unintended code if not implemented properly." |
| 1048 | CVE-2020-4095 | 522 | | +Priv | 2020-07-16 | 2021-07-21 | 2.1 | None | Local | Low | Not required | Partial | None | None | "BigFix Platform is storing clear text credentials within the system's memory. An attacker who is able to gain administrative privileges can use a program to create a memory dump and extract the credentials. These credentials can be used to pivot further into the environment. The principle of least privilege should be applied to all BigFix deployments, limiting administrative access." |
| 1049 | CVE-2020-4077 | | | Bypass | 2020-07-07 | 2020-07-13 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass. Code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using both `contextIsolation` and `contextBridge` are affected. This is fixed in versions 9.0.0-beta.21, 8.2.4 and 7.2.4. |
| 1050 | CVE-2020-4076 | | | Bypass | 2020-07-07 | 2020-07-13 | 3.6 | None | Local | Low | Not required | Partial | Partial | None | In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass. Code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using contextIsolation are affected. This is fixed in versions 9.0.0-beta.21, 8.2.4 and 7.2.4. |