CVE-2021-39018

IBM Engineering Lifecycle Optimization - Publishing (Document Builder) contains a SQL injection-related information disclosure (CVE-2021-39018) affecting PUB 7.0, 7.0.1, 7.0.2 and RPE 6.0.6, 6.0.6.1. The root cause is missing UI validation in the Folder Name field, allowing sensitive data to be d...

CVE-2021-39018

IBM Engineering Lifecycle Optimization - Publishing 6.0.6, 6.0.6.1, 7.0, 7.0.1, and 7.0.2 could disclose sensitive information in a SQL error message that could aid in further attacks against the system. IBM X-Force ID: 213726...

CVE-2021-39017

CVE-2021-39017 overview (IBM ELM Publishing) : The vulnerability arises from improper access controls in IBM Engineering Lifecycle Optimization - Publishing, allowing a remote attacker to upload arbitrary files. Affected versions are PUB 6.0.x and 7.0.x lines, including 6.0.6, 6.0.6.1, 7.0, 7.0.1...

CVE-2021-39017

IBM Engineering Lifecycle Optimization - Publishing 6.0.6, 6.0.6.1, 7.0, 7.0.1, and 7.0.2 could allow a remote attacker to upload arbitrary files, caused by improper access controls. IBM X-Force ID: 213725...

CVE-2021-39016

IBM Engineering Lifecycle Optimization - Publishing 6.0.6, 6.0.6.1, 7.0, 7.0.1, and 7.0.2 does not sufficiently monitor or control transmitted network traffic volume, so that an actor can cause the software to transmit more traffic than should be allowed for that actor. IBM X-Force ID: 213722...

CVE-2021-39016

CVE-2021-39016 affects IBM Engineering Lifecycle Optimization - Publishing across multiple releases (PUB 7.0, 7.0.1, 7.0.2 and RPE 6.0.6, 6.0.6.1). The issue is inadequate monitoring/controlling of transmitted network traffic volume, allowing an actor to cause the software to transmit more traffi...

CVE-2021-39015

IBM Engineering Lifecycle Optimization - Publishing 7.0, 7.0.1, and 7.0.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted...

CVE-2021-39015

IBM Engineering Lifecycle Optimization - Publishing is affected by CVE-2021-39015. The vulnerability is a cross-site scripting flaw in IBM Publishing 7.0, 7.0.1, and 7.0.2 caused by lack of data checksum filtering/output of user-supplied data, allowing arbitrary JavaScript in the Web UI and poten...

IBM Engineering Lifecycle Optimization 跨站脚本漏洞

IBM Engineering Lifecycle Optimization ELO is an extension of the Engineering Lifecycle Management ELM portfolio from IBM America. They make it easier to collect and analyze data across the development environment to make better decisions. Automate reporting to ensure that the entire organization...

IBM Engineering Lifecycle Optimization 安全漏洞

IBM Engineering Lifecycle Optimization ELO is an extension of the Engineering Lifecycle Management ELM portfolio from International Business Machines IBM. They make it easier to collect and analyze data across the development environment to make better decisions. Automate reporting to ensure the...

IBM Engineering Lifecycle Optimization 注入漏洞

IBM Engineering Lifecycle Optimization ELO is an extension of the Engineering Lifecycle Management ELM portfolio from IBM America. They make it easier to collect and analyze data across the development environment to make better decisions. Automate reporting to ensure the entire organization has...

IBM Engineering Lifecycle Optimization 安全漏洞

IBM Engineering Lifecycle Optimization ELO is an extension of the Engineering Lifecycle Management ELM portfolio from IBM America. They make it easier to collect and analyze data across the development environment to make better decisions. Automate reporting to ensure that the entire organization...

Security Bulletin: IBM Engineering Lifecycle Optimization - Publishing is vulnerable to disclose highly sensitive information (CVE-2021-39019)

Summary IBM Engineering Lifecycle Optimization - Publishing Document Builder uses the POST method to submit passwords but can be forced to use the GET method also. Highly sensitive information can be disclosed through an HTTP GET request to an authenticated userCVE-2021-39019 Vulnerability Detail...

Security Bulletin: IBM Engineering Lifecycle Optimization - Publishing is vulnerable to Host Header Injection (CVE-2021-39028)

Summary IBM Engineering Lifecycle Optimization - Publishing is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. CVE-2021-39028. Vulnerability Details CVEID: CVE-2021-39028 DESCRIPTION: IBM Engineering Lifecycle Optimization - Publishing is vulnerabl...

Security Bulletin: IBM Engineering Lifecycle Optimization - Publishing Document Builder is vulnerable to SQLinjection (CVE-2021-39018)

Summary UI validation to Folder Name field is missing in IBM Engineering Lifecycle Optimization - Publishing Document Builder, resulting in display of SQL error to UI. This indicates the presence of SQL injection vulnerability. CVE-2021-39018 Vulnerability Details CVEID: CVE-2021-39018 DESCRIPTIO...

Security Bulletin: IBM Engineering Lifecycle Optimization - Publishing is vulnerable to Malicious File Upload (CVE-2021-39017)

Summary In IBM Engineering Lifecycle Optimization - Publishing, there are no file extension and content-type checks in place which helps an attacker to upload a malicious file of their choice. CVE-2021-39017 Vulnerability Details CVEID: CVE-2021-39017 DESCRIPTION: IBM Engineering Lifecycle...

Security Bulletin: IBM Engineering Lifecycle Optimization - Publishing is vulnerable to External Service Interaction (CVE-2021-39016)

Summary In IBM Engineering Lifecycle Optimization - Publishing, it is possible to induce the application to perform server-side HTTP and HTTPS requests to arbitrary domains. CVE-2021-39016. Vulnerability Details CVEID: CVE-2021-39016 DESCRIPTION: IBM Engineering Lifecycle Optimization - Publishin...

Avoiding Death by a Thousand Scripts: Using Automated Content Security Policies

Businesses know they need to secure their client-side scripts. Content security policies CSPs are a great way to do that. But CSPs are cumbersome. One mistake and you have a potentially significant client-side security gap. Finding those gaps means long and tedious hours or days in manual code...

Amazon Linux AMI : microcode_ctl (ALAS-2022-1606)

The version of microcodectl installed on the remote host is prior to 2.1-47.40. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS-2022-1606 advisory. 2024-05-09: CVE-2021-33117 was added to this advisory. Improper access control for some 3rd Generation IntelR XeonR...

Debian: Security Advisory (DSA-5178-1)

The remote host is missing an update for the Debian SPDX-FileCopyrightText: 2022 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...