Security Identity Manager Security Vulnerabilities
IBM Security Verify Governance 10.0, Identity Manager could allow a local privileged user to obtain sensitive information from source code. IBM X-Force ID: ...
4.4CVSS
6AI Score
0.0004EPSS
IBM Security Verify Governance, Identity Manager 10.0 could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request. IBM X-Force ID: ...
8.8CVSS
8.5AI Score
0.001EPSS
IBM Security Verify Governance, Identity Manager 10.0 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: ...
6.5CVSS
6.8AI Score
0.001EPSS
IBM Security Verify Governance, Identity Manager virtual appliance component 10.0.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID:...
7.5CVSS
7.2AI Score
0.001EPSS
IBM Security Verify Governance, Identity Manager 10.01 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: ...
5.3CVSS
5AI Score
0.001EPSS
IBM Security Verify Governance, Identity Manager 10.0.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM...
6.1CVSS
5.7AI Score
0.001EPSS
IBM Security Verify Governance, Identity Manager 10.0.1 stores sensitive information including user credentials in plain clear text which can be read by a local privileged user. IBM X-Force ID: ...
4.4CVSS
4.3AI Score
0.0004EPSS
IBM Security Verify Governance, Identity Manager 10.0.1 stores user credentials in plain clear text which can be read by a remote authenticated user. IBM X-Force ID:...
6.5CVSS
5.9AI Score
0.001EPSS
IBM Security Verify Governance, Identity Manager 10.0.1 software component could allow an authenticated user to modify or cancel any other user's access request using man-in-the-middle techniques. IBM X-Force ID:...
5.3CVSS
4.9AI Score
0.0005EPSS
IBM Security Verify Governance, Identity Manager 10.0.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID:...
7.5CVSS
7.2AI Score
0.001EPSS
IBM Security Identity Manager 6.0 and 6.0.2 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a.....
6.1CVSS
5.8AI Score
0.001EPSS
IBM Security Verify Governance Identity Manager 10.0 virtual appliance component performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses. IBM X-Force ID:...
9.8CVSS
8.9AI Score
0.001EPSS
IBM Security Verify Identity Manager 10.0 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID:...
7.5CVSS
7.2AI Score
0.001EPSS
IBM Security Verify Identity Manager 10.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID:...
7.5CVSS
7.1AI Score
0.001EPSS
IBM Security Verify Identity Manager 10.0 contains sensitive information in the source code repository that could be used in further attacks against the system. IBM X-Force ID:...
7.5CVSS
7.1AI Score
0.001EPSS
IBM Security Verify Identity Manager 10.0 could allow a privileged user to upload a malicious file by bypassing extension security in an HTTP request. IBM X-Force ID:...
3.8CVSS
4.7AI Score
0.001EPSS
IBM Security Identity Governance and Intelligence 5.2.4, 5.2.5, and 5.2.6 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man...
5.9CVSS
5.4AI Score
0.001EPSS
IBM Security Identity Manager (IBM Security Verify Password Synchronization Plug-in for Windows AD 10.x) is vulnerable to a denial of service, caused by a heap-based buffer overflow in the Password Synch Plug-in. An authenticated attacker could exploit this vulnerability to cause a denial of...
6.5CVSS
6.4AI Score
0.001EPSS
IBM Security Identity Manager (IBM Security Verify Password Synchronization Plug-in for Windows AD 10.x) is vulnerable to a denial of service, caused by a heap-based buffer overflow in the Password Synch Plug-in. An authenticated attacker could exploit this vulnerability to cause a denial of...
6.5CVSS
6.4AI Score
0.001EPSS
IBM Security Identity Manager Adapters 6.0 and 7.0 are vulnerable to a heap based buffer overflow, caused by improper bounds. An authenticared user could overflow the buffer and cause the service to crash. IBM X-Force ID:...
6.5CVSS
6.9AI Score
0.001EPSS
IBM Security Identity Manager Adapters 6.0 and 7.0 are vulnerable to a heap-based buffer overflow, caused by improper bounds checking. A remote authenticated attacker could overflow the and cause the server to crash. IBM X-Force ID:...
6.5CVSS
6.8AI Score
0.002EPSS
IBM Security Identity Manager Adapters 6.0 and 7.0 could allow a remote authenticated attacker to conduct an LDAP injection. By using a specially crafted request, an attacker could exploit this vulnerability and takeover other accounts. IBM X-Force ID:...
8.8CVSS
8.3AI Score
0.002EPSS
IBM Security Identity Manager Adapters 6.0 and 7.0 are vulnerable to a stack-based buffer overflow, caused by improper bounds checking. A remote authenticated attacker could overflow the and cause the server to crash. IBM X-Force ID:...
6.5CVSS
6.8AI Score
0.002EPSS
IBM Security Identity Manager 6.0.2 is vulnerable to server-side request forgery (SSRF). By sending a specially crafted request, a remote authenticated attacker could exploit this vulnerability to obtain sensitive data. IBM X-Force ID:...
6.5CVSS
6AI Score
0.001EPSS
IBM Security Identity Manager 6.0.2 could allow an authenticated malicious user to change the passwords of other users in the Windows AD environment when IBM Security Identity Manager Windows Password Synch Plug-in is deployed and configured. IBM X-Force ID:...
6.5CVSS
6.4AI Score
0.001EPSS
IBM Security Identity Manager 7.0.2 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID:...
7.5CVSS
7.8AI Score
0.001EPSS
IBM Security Identity Manager 7.0.2 could allow an authenticated user to bypass security and perform actions that they should not have access to. IBM X-Force ID:...
8.8CVSS
8.4AI Score
0.001EPSS
IBM Security Identity Manager 7.0.2 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. IBM X-Force...
5.9CVSS
5.5AI Score
0.002EPSS
IBM Security Identity Manager 7.0.2 could allow a remote user to enumerate usernames due to a difference of responses from valid and invalid login attempts. IBM X-Force ID:...
5.3CVSS
5.7AI Score
0.001EPSS
IBM Security Identity Manager 7.0.2 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID:...
7.5CVSS
7AI Score
0.002EPSS
IBM Security Identity Manager 7.0.2 stores user credentials in plain clear text which can be read by an authenticated user. IBM X-Force ID:...
6.5CVSS
6.6AI Score
0.001EPSS
IBM Security Identity Manager 7.0.2 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID:...
5.3CVSS
5.7AI Score
0.001EPSS
IBM Security Identity Manager Virtual Appliance 7.0.2 writes information to log files which can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information. IBM X-Force ID:...
2.7CVSS
8AI Score
0.001EPSS
IBM Security Identity Manager Virtual Appliance 7.0.2 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the....
4.3CVSS
7.9AI Score
0.001EPSS
IBM Security Identity Manager Virtual Appliance 7.0.2 stores user credentials in plain in clear text which can be read by a local user. IBM X-Force ID:...
7.8CVSS
7.8AI Score
0.0004EPSS
IBM Security Identity Manager Virtual Appliance 7.0.2 discloses sensitive information to unauthorized users. The information can be used to mount further attacks on the system. IBM X-Force ID:...
2.7CVSS
7.9AI Score
0.001EPSS
IBM Security Identity Manager 7.0.1 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID:...
4.9CVSS
8.5AI Score
0.003EPSS
IBM Security Identity Manager 6.0.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID:...
5.4CVSS
5AI Score
0.001EPSS
IBM Security Identity Manager 7.0.1 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID:...
9.8CVSS
8.6AI Score
0.001EPSS
IBM Security Identity Manager 6.0.0 could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of untrusted data. By persuading a victim to visit a specially crafted Web site, an attacker could exploit this vulnerability to execute arbitrary code on the...
8.8CVSS
8.6AI Score
0.012EPSS
IBM Security Identity Manager 7.0.1 discloses sensitive information to unauthorized users. The information can be used to mount further attacks on the system. IBM X-Force ID:...
5.3CVSS
6.8AI Score
0.001EPSS
IBM Security Access Manager 9.0.1 through 9.0.6 does not prove that a user's identity is correct which can lead to the exposure of resources or functionality to unintended actors. IBM X-Force ID:...
5.4CVSS
8.4AI Score
0.001EPSS
IBM Security Privileged Identity Manager Virtual Appliance 2.2.1 could allow a remote authenticated attacker to execute arbitrary commands on the system. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the system. IBM X-Force...
8.8CVSS
8.7AI Score
0.002EPSS
IBM Security Privileged Identity Manager Virtual Appliance 2.2.1 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID:...
7.5CVSS
8.3AI Score
0.002EPSS
IBM Security Privileged Identity Manager Virtual Appliance 2.2.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID:...
8.8CVSS
8.5AI Score
0.001EPSS
IBM Security Privileged Identity Manager Virtual Appliance 2.2.1 does not renew a session variable after a successful authentication which could lead to session fixation/hijacking vulnerability. This could force a user to utilize a cookie that may be known to an attacker. IBM X-Force ID:...
4.3CVSS
8.5AI Score
0.001EPSS
IBM Security Privileged Identity Manager Virtual Appliance 2.2.1 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID:...
3.3CVSS
7.7AI Score
0.0004EPSS
IBM Security Privileged Identity Manager Virtual Appliance 2.2.1 generates an error message that includes sensitive information about its environment, users, or associated data. IBM X-Force ID:...
4.3CVSS
8AI Score
0.001EPSS
IBM Security Privileged Identity Manager Virtual Appliance 2.2.1 does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts. IBM X-Force ID:...
7.5CVSS
8.2AI Score
0.001EPSS
IBM Security Identity Manager 7.0.1 Virtual Appliance does not invalidate session tokens when the logout button is pressed. The lack of proper session termination may allow attackers with local access to login into a closed browser session. IBM X-Force ID:...
3.3CVSS
6.5AI Score
0.0004EPSS