Maximo Security Vulnerabilities
IBM Maximo Application Suite 8.10 and 8.11 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: ...
7.5CVSS
6.7AI Score
0.0004EPSS
IBM Maximo Application Suite 7.6.1.3 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: ...
8.2CVSS
6.7AI Score
0.001EPSS
IBM Maximo Application Suite 7.6.1.3 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: ...
6.4CVSS
6AI Score
0.0004EPSS
IBM Maximo Application Suite - Maximo Mobile for EAM 8.10 and 8.11 could disclose sensitive information to a local user. IBM X-Force ID: ...
5.1CVSS
6AI Score
0.0004EPSS
IBM Maximo Application Suite 8.10, 8.11 and IBM Maximo Asset Management 7.6.1.3 stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. IBM X-Force ID: ...
3.7CVSS
6.1AI Score
0.0004EPSS
IBM Maximo Asset Management 7.6.1.3 could allow a remote attacker to log into the admin panel due to improper access controls. IBM X-Force ID: ...
9.8CVSS
6.7AI Score
0.001EPSS
IBM Maximo Spatial Asset Management 8.10 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: ...
5.4CVSS
6.5AI Score
0.0004EPSS
IBM Maximo Asset Management 7.6.1.3 and Manage Component 8.10 through 8.11 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: ...
8.8CVSS
6.9AI Score
0.001EPSS
IBM Maximo Application Suite 8.9, 8.10 and IBM Maximo Asset Management 7.6.1.2, 7.6.1.3 are vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. IBM...
5.4CVSS
5.6AI Score
0.001EPSS
IBM Maximo Asset Management 7.6.1.2, 7.6.1.3 and IBM Maximo Application Suite 8.8.0 stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. IBM X-Force ID: ...
5.3CVSS
4.9AI Score
0.001EPSS
IBM Maximo Application Suite - Manage Component 8.8.0 and 8.9.0 transmits sensitive information in cleartext that could be intercepted by an attacker using man in the middle techniques. IBM X-Force ID: ...
5.9CVSS
5.4AI Score
0.001EPSS
IBM Maximo Asset Management 7.6.1.2 and 7.6.1.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: .....
5.4CVSS
5.2AI Score
0.001EPSS
IBM Maximo Asset Management 7.6.1.2 and 7.6.1.3 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. IBM X-Force ID: ...
5.4CVSS
5.6AI Score
0.001EPSS
IBM Maximo Asset Management 7.6.1.2 and 7.6.1.3 could disclose sensitive information in an error message. This information could be used in further attacks against the system. IBM X-Force ID: ...
5.3CVSS
4.9AI Score
0.001EPSS
IBM Maximo Asset Management 7.6.1.1, 7.6.1.2, 7.6.1.3 and IBM Maximo Application Suite 8.8 and 8.9 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to...
5.4CVSS
5.2AI Score
0.001EPSS
IBM Maximo Application Suite 8.8.0 and 8.9.0 stores potentially sensitive information that could be read by a local user. IBM X-Force ID: ...
5.5CVSS
5AI Score
0.0004EPSS
IBM Maximo Asset Management 7.6.1.2 and 7.6.1.3 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: ...
7.5CVSS
7AI Score
0.001EPSS
IBM Maximo Asset Management 7.6.1.1, 7.6.1.2, 7.6.1.3 and the IBM Maximo Manage 8.3, 8.4 application in IBM Maximo Application Suite are vulnerable to CSV injection. IBM X-Force ID: ...
8.8CVSS
8.5AI Score
0.001EPSS
IBM Maximo Mobile 8.7 and 8.8 stores user credentials in plain clear text which can be read by a local user. IBM X-Force ID:...
5.5CVSS
5.1AI Score
0.0004EPSS
IBM Maximo Asset Management 7.6.1.1, 7.6.1.2, and 7.6.1.3 could allow a user to bypass authentication and obtain sensitive information or perform tasks they should not have access to. IBM X-Force ID:...
8.1CVSS
7.7AI Score
0.001EPSS
IBM Maximo Asset Management 7.6.1.1 and 7.6.1.2 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID:...
7.5CVSS
7AI Score
0.001EPSS
IBM Maximo Asset Management 7.6.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID:...
5.4CVSS
5.2AI Score
0.001EPSS
IBM Maximo Asset Management 7.6.1.1 and 7.6.1.2 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. By sending a specially crafted HTTP request, a remote attacker could exploit this vulnerability to inject HTTP HOST header, which will allow the...
7.2CVSS
6.7AI Score
0.001EPSS
IBM Maximo Asset Management 7.6.1.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID:...
5.4CVSS
5.2AI Score
0.001EPSS
IBM Maximo Asset Management 7.6.1.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted...
5.4CVSS
5.2AI Score
0.001EPSS
IBM Maximo Asset Management 7.6.1.2 does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts. IBM X-Force ID:...
7.5CVSS
7.3AI Score
0.001EPSS
IBM Maximo Anywhere 7.6.4.0 could allow an attacker to reverse engineer the application due to the lack of binary protection precautions. IBM X-Force ID:...
6.5CVSS
6.2AI Score
0.001EPSS
IBM Maximo Anywhere 7.6.4.0 applications could allow obfuscation of the application source code. IBM X-Force ID:...
2.4CVSS
3.8AI Score
0.0005EPSS
IBM Maximo Anywhere 7.6.4.0 applications could disclose sensitive information to a user with physical access to the device. IBM X-Force ID:...
4.6CVSS
4.2AI Score
0.001EPSS
IBM Maximo Asset Management 7.6.0 and 7.6.1 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force...
5.4CVSS
5.2AI Score
0.001EPSS
IBM Maximo Asset Management 7.6.0 and 7.6.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID:...
5.4CVSS
5.2AI Score
0.001EPSS
IBM Maximo Asset Management 7.6.0 and 7.6.1 is potentially vulnerable to CSV Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID:...
9.8CVSS
9.4AI Score
0.001EPSS
IBM Maximo Asset Management 7.6.0 and 7.6.1 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force...
5.4CVSS
5.2AI Score
0.001EPSS
IBM Maximo for Civil Infrastructure 7.6.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID:...
5.4CVSS
5.2AI Score
0.001EPSS
IBM Maximo for Civil Infrastructure 7.6.2 includes executable functionality (such as a library) from a source that is outside of the intended control sphere. IBM X-Force ID:...
8.8CVSS
8.3AI Score
0.001EPSS
IBM Maximo for Civil Infrastructure 7.6.2 could allow a user to obtain sensitive information due to insecure storeage of authentication credentials. IBM X-Force ID:...
6.5CVSS
6.1AI Score
0.001EPSS
IBM Maximo for Civil Infrastructure 7.6.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID:...
6.1CVSS
5.8AI Score
0.001EPSS
IBM Maximo Spatial Asset Management 7.6.0.3, 7.6.0.4, 7.6.0.5, and 7.6.1.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID:...
4.8CVSS
5.1AI Score
0.001EPSS
IBM Maximo Spatial Asset Management 7.6.0.3, 7.6.0.4, 7.6.0.5, and 7.6.1.0 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID:...
3.3CVSS
3.5AI Score
0.0004EPSS
IBM Maximo Anywhere 7.6.2.0, 7.6.2.1, 7.6.3.0, and 7.6.3.1 applications can be installed on a deprecated operating system version that could compromised the confidentiality and integrity of the service. IBM X-Force ID:...
3.5CVSS
3.9AI Score
0.0005EPSS
IBM Maximo Asset Management 7.6.0 and 7.6.1 could allow an attacker to bypass authentication and issue commands using a specially crafted HTTP command. IBM X-Force ID:...
9.8CVSS
8.8AI Score
0.002EPSS
IBM Maximo Asset Management 7.6.0 and 7.6.1 could allow a remote attacker to conduct phishing attacks, using a tabnabbing attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to redirect a user to a malicious Web site that would...
8.2CVSS
7.3AI Score
0.002EPSS
IBM Maximo Asset Management 7.6.0 and 7.6.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID:...
4.3CVSS
4.6AI Score
0.001EPSS
IBM Maximo Asset Management 7.6.0 and 7.6.1 could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization in Java. By sending specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system......
8.8CVSS
8.6AI Score
0.009EPSS
IBM Maximo Asset Management 7.6.0 and 7.6.1 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID:...
6.3CVSS
6.5AI Score
0.001EPSS
IBM Maximo Asset Management 7.6.0 and 7.6.1 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID:...
4.3CVSS
4.5AI Score
0.001EPSS
IBM Maximo Asset Management 7.6.0.1 and 7.6.0.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID:...
8.2CVSS
7.9AI Score
0.668EPSS
IBM Maximo Asset Management 7.6.0 and 7.6.1 does not invalidate session after logout which could allow a local user to impersonate another user on the system. IBM X-Force ID:...
7.8CVSS
7AI Score
0.0004EPSS
IBM Maximo Asset Management 7.6.0.10 and 7.6.1.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID:.....
5.4CVSS
5.1AI Score
0.001EPSS
IBM Maximo Asset Management 7.6.1.1 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID:...
6.3CVSS
6.5AI Score
0.001EPSS