CVSS2: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EPSS: 0.093 Low
Percentile: 94.6%
A number of security vulnerabilities in IBM Cognos Express have been identified and addressed in a software update.
CVE ID: CVE-2013-5443
DESCRIPTION:
A Cross Site Request Forgery (CSRF) vulnerability in IBM Cognos Express allows an attacker that is able to trick an authenticated user into clicking or following a malicious link to perform actions they did not intend to.
CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/87819> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
AFFECTED PLATFORMS:
IBM Cognos Express 10.2.1
IBM Cognos Express 10.1
IBM Cognos Express 9.5
IBM Cognos Express 9.0
REMEDIATION:
The recommended solution is to apply the fix in one of the 9.0-10.1 versions listed or apply the fix to the 10.2.1 version as soon as practical.
CVE ID: CVE-2013-5445
DESCRIPTION:
Encrypted credentials can be remotely retrieved from the IBM Cognos Express server.
CVSS:
CVSS Base Score: 5.0
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/87821> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
AFFECTED PLATFORMS:
IBM Cognos Express 10.2.1
IBM Cognos Express 10.1
IBM Cognos Express 9.5
IBM Cognos Express 9.0
REMEDIATION:
The recommended solution is to apply the fix in one of the 9.0-10.1 versions listed or apply the fix to the 10.2.1 version as soon as practical.
CVE ID: CVE-2013-5444
DESCRIPTION:
Encryption is unnecessarily weakened due to use of a static key which could assist an attacker with decrypting information they should not have access to.
CVSS:
CVSS Base Score: 1.9
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/87820> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:P/I:N/A:N)
AFFECTED PLATFORMS:
IBM Cognos Express 10.2.1
IBM Cognos Express 10.1
IBM Cognos Express 9.5
IBM Cognos Express 9.0
REMEDIATION:
The recommended solution is to apply the fix in one of the 9.0-10.1 versions listed or apply the fix to the 10.2.1 version as soon as practical.
CVE ID: CVE-2013-2407
DESCRIPTION:
The IBM Java JRE used in IBM Cognos Express could allow an attacker who is able to send specially crafted XML data to the server to cause a denial of service.
CVSS:
CVSS Base Score: 6.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/85044> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:P)
AFFECTED PLATFORMS:
IBM Cognos Express 10.1
IBM Cognos Express 9.5
IBM Cognos Express 9.0
REMEDIATION:
The recommended solution is to apply the fix in one of the versions listed.
CVE ID: CVE-2013-2450
DESCRIPTION:
The IBM Java JRE used in IBM Cognos Express could allow an attacker who is able to send specially crafted data to the server to cause a denial of service.
CVSS:
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/85057> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
AFFECTED PLATFORMS:
IBM Cognos Express 10.1
IBM Cognos Express 9.5
IBM Cognos Express 9.0
REMEDIATION:
The recommended solution is to apply the fix in one of the versions listed.
CVE ID: CVE-2013-0169
DESCRIPTION:
The IBM Java JRE used in IBM Cognos Express is susceptible to a Transport Layer Security protocol (used in HTTPS) vulnerability known as “Lucky Thirteen.” The vulnerability could allow remote attackers to conduct distinguishing and plain-text recovery attacks by statistically analyzing timing data for crafted packets.
CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/81902> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
AFFECTED PLATFORMS:
IBM Cognos Express 10.1
IBM Cognos Express 9.5
IBM Cognos Express 9.0
REMEDIATION:
The recommended solution is to apply the fix in one of the versions listed.
CVE ID: CVE-2013-1478
DESCRIPTION:
The IBM Java JRE used in IBM Cognos Express is susceptible to an unspecified vulnerability that allows remote attackers to affect confidentiality, integrity, and availability, related to 2D.
CVSS:
CVSS Base Score: 10
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/81754>
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
AFFECTED PLATFORMS:
IBM Cognos Express 10.1
IBM Cognos Express 9.5
IBM Cognos Express 9.0
REMEDIATION:
The recommended solution is to apply the fix in one of the versions listed.
CVE ID: CVE-2013-1480
DESCRIPTION:
The IBM Java JRE used in IBM Cognos Express is susceptible to an unspecified vulnerability that allows remote attackers to affect confidentiality, integrity, and availability, related to AWT.
CVSS:
CVSS Base Score: 10
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/81757>
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
AFFECTED PLATFORMS:
IBM Cognos Express 10.1
IBM Cognos Express 9.5
IBM Cognos Express 9.0
REMEDIATION:
The recommended solution is to apply the fix in one of the versions listed.
None. Install the fixes as listed above.