Security Bulletin: Tivoli Federated Identity Manager - Unprotected Management Console Servlets (CVE-2012-3315)
Abstract: The management console used to administer Tivoli Federated Identity Manager (TFIM) contains servlets which are not all protected via a J2EE security constraint. These servlets could be used by an unauthenticated user to download certain resources from TFIM. ...
Security Bulletin: Tivoli Federated Identity Manager - Multiple Protocol XML signature validation bypass (CVE-2012-3314)
Abstract: Tivoli Federated Identity Manager (TFIM) accepts specially crafted messages that can contain invalid or untrusted XML signatures for certain single sign-on protocols and token modules. TFIM could mistakenly accept a malicious message, allowing an attacker to perform actions as another user...
Security Bulletin: Tivoli Federated Identity Manager Potential security exposure with IBM WebSphere Application Server APAR PM44303 (CVE-2012-3325)
Abstract: If you have installed an interim fix for PM44303, or WebSphere Application Server Fix Pack 21 or Fix Pack 23 (which include APAR PM44303), there is the potential for an authenticated user to gain access to unauthorized resources. Description: The Tivoli Federated...
Security Bulletin: Tivoli Federated Identity Manager Business Gateway - Multiple Protocol XML signature validation bypass (CVE-2012-3314)
Abstract: Tivoli Federated Identity Manager (TFIM) accepts specially crafted messages that can contain invalid or untrusted XML signatures for certain single sign-on protocols and token modules. TFIM could mistakenly accept a malicious message, allowing an attacker to perform actions as another user...
Security Bulletin: IBM Tivoli Federated Identity Manager and Tivoli Federated Identity Manager Business Gateway can be affected by a vulnerability in the IBM GSKit library (CVE-2013-0169)
Abstract: CVE-2013-0169: The Transport Layer Security (TLS) protocol does not properly consider timing side-channel attacks, which allows remote attackers to conduct distinguishing attacks and plain-text recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky...
Security Bulletin: Tivoli Federated Identity Manager One Time Password Enforcement (CVE-2013-5429)
Summary: Under certain conditions, it may be possible to reuse IBM Tivoli Federated Identity Manager (TFIM)-provided One Time Password tokens. CVE ID: CVE-2013-5429. Description: The Tivoli Federated Identity Manager 6.2.2 Risk Based Access feature can be configured to require...
CVE-2015-4959
Cross-site scripting (XSS) vulnerability in IBM Tivoli Federated Identity Manager (TFIM) 6.2.2 before FP16 allows remote attackers to inject arbitrary web script or HTML via a crafted URL...
CVE-2015-4959
CVE-2015-4959 affects IBM Tivoli Federated Identity Manager (TFIM) 6.2.2 prior to FP16, where improper validation of user-supplied input allows cross-site scripting via a crafted URL. The vulnerability could enable an attacker to execute script in a victim’s browser, potentially stealing credenti...
CVE-2014-3097
Open redirect vulnerability in IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 before 6.2.0-TIV-TFIM-IF0015, 6.2.1 before 6.2.1-TIV-TFIM-IF0007, and 6.2.2 before 6.2.2-TIV-TFIM-IF0011 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified...
CVE-2013-5429
The Risk Based Access functionality in IBM Tivoli Federated Identity Manager (TFIM) 6.2.2 before FP9 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.2.2 before FP9 does not prevent reuse of One Time Password (OTP) tokens, which makes it easier for remote authenticated users to complet...
CVE-2013-5429
The CVE-2013-5429 issue affects IBM Tivoli Federated Identity Manager (TFIM) 6.2.2 before FP9 and TFIMBG 6.2.2 before FP9. Vulnerability: Risk Based Access allows reuse of One Time Password (OTP) tokens under certain conditions, enabling a remote authenticated user to complete transactions by lev...
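The CVE-2013-5429 entries above describe the failure mode (a valid OTP accepted more than once) without showing what the missing server-side check looks like. The following is an added example, not IBM's or TFIM's code: an RFC 4226/6238 verifier in which the flawed behaviour (single_use=False, any code valid for the current window is accepted repeatedly) sits beside the hardened one (single_use=True, the accepted time step is recorded per user and a replay of that step, or of any older step, is refused). The secret is the RFC 4226 test-vector seed and the timestamp is constructed; user names, class and function names are the example's own.

```python
import hashlib
import hmac
import struct
from typing import Dict


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


class OtpVerifier:
    """Server-side verifier (example code). With single_use=True a time step that
    has already been accepted for a user, or any earlier one, is refused; that is
    the check which stops a one-time code from being replayed. single_use=False
    reproduces the flawed behaviour: a code valid for the current window is
    accepted as many times as it is presented."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1, single_use: bool = True):
        self.secret = secret
        self.step = step
        self.window = window                  # tolerated clock drift, in steps, either side
        self.single_use = single_use
        self.last_step: Dict[str, int] = {}   # user -> last accepted time step

    def verify(self, user: str, code: str, now: int) -> bool:
        if not (code.isascii() and code.isdigit()):
            return False
        current = now // self.step
        for drift in range(-self.window, self.window + 1):
            candidate = current + drift
            if not hmac.compare_digest(hotp(self.secret, candidate), code):
                continue
            if self.single_use:
                if candidate <= self.last_step.get(user, -1):
                    return False              # replay: this step (or an older one) was already consumed
                self.last_step[user] = candidate
            return True
        return False


def demo() -> Dict[str, bool]:
    """Present the same code twice to a flawed and a hardened verifier."""
    secret = b"12345678901234567890"         # RFC 4226 test-vector seed, standing in for an enrolled user seed
    now = 1_700_000_000                       # constructed timestamp
    code = totp(secret, now)
    hardened = OtpVerifier(secret, window=0)
    flawed = OtpVerifier(secret, window=0, single_use=False)
    return {
        "hardened_first_use": hardened.verify("alice", code, now),
        "hardened_replay": hardened.verify("alice", code, now + 5),   # same 30 s step, second use
        "flawed_first_use": flawed.verify("alice", code, now),
        "flawed_replay": flawed.verify("alice", code, now + 5),
    }


if __name__ == "__main__":
    print(demo())
```

The per-user `last_step` record must live in shared, durable storage (database or replicated cache) when the verifier runs on more than one node; an in-memory dict as used here would let a second node accept the replay that the first refused.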
Open redirect
Open redirect vulnerability in IBM Tivoli Federated Identity Manager (TFIM) 6.1.1 before IF 15, 6.2.0 before IF 14, 6.2.1, and 6.2.2 before IF 8 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.1.1 before IF 15, 6.2.0 before IF 14, 6.2.1, and 6.2.2 before IF 8 allows remote attackers...
CVE-2013-5431
CVE-2013-5431 describes an open redirect vulnerability in IBM Tivoli Federated Identity Manager (TFIM) and TFIMBG. Affected TFIM versions: 6.1.1 before IF 15, 6.2.0 before IF 14, 6.2.1, 6.2.2 before IF 8; TFIMBG: 6.1.1 before IF 15, 6.2.0 before IF 14, 6.2.1, 6.2.2 before IF 8. The flaw allows a...
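Both open redirect entries (CVE-2014-3097 and CVE-2013-5431) come down to a federation endpoint sending the browser to a caller-supplied URL without checking it. As an added example, not code from TFIM or IBM, here is the kind of target validation a relying-party or SSO endpoint should apply before issuing a 302: only an absolute-path reference on the same site, or an https URL whose host is on an allow-list, is honoured; anything else falls back to a fixed landing page. The allow-listed hosts and the default target are constructed for the example.

```python
from typing import Optional
from urllib.parse import urljoin, urlparse

# Constructed allow-list: the hosts this endpoint may send a browser to.
ALLOWED_HOSTS = {"portal.example.com", "sso.example.com"}
DEFAULT_TARGET = "https://portal.example.com/"


def safe_redirect_target(target: Optional[str]) -> str:
    """Return `target` only if it is a same-site absolute path or an https URL
    whose host is allow-listed; otherwise return DEFAULT_TARGET."""
    if not target:
        return DEFAULT_TARGET
    # Raw whitespace or line breaks are never legitimate in a redirect value and
    # are a common way to make browser and server parsers disagree.
    if any(c in target for c in "\t\r\n "):
        return DEFAULT_TARGET
    parsed = urlparse(target)
    if parsed.scheme == "" and parsed.netloc == "":
        # A relative reference. Accept only absolute paths ("/app"): "//host"
        # is protocol-relative (it parses with a netloc, handled below) and
        # "/\host" is read as "//host" by some browsers, so both are refused.
        if target.startswith("/") and not target.startswith(("//", "/\\")):
            return urljoin(DEFAULT_TARGET, target)
        return DEFAULT_TARGET
    if parsed.scheme.lower() != "https":
        return DEFAULT_TARGET            # refuses http:, javascript:, data:, ...
    # .hostname strips userinfo and port, so "https://portal.example.com@evil"
    # compares as "evil" here, not as the allow-listed name.
    if (parsed.hostname or "") not in ALLOWED_HOSTS:
        return DEFAULT_TARGET
    return target


if __name__ == "__main__":
    for t in ["/app?x=1", "https://portal.example.com/app", "//evil.example.net/",
              "https://portal.example.com@evil.example.net/", "javascript:alert(1)"]:
        print(f"{t!r:50} -> {safe_redirect_target(t)}")
```

Matching on the parsed hostname against an exact allow-list is deliberate: prefix or substring checks ("starts with https://portal.example.com") are what lets `https://portal.example.com.evil.example.net/` or the userinfo form through.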
CVE-2013-0582 (Cross-site scripting)
Cross-site scripting (XSS) vulnerability in IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 before 6.2.0.12, 6.2.1 before 6.2.1.5, and 6.2.2 before 6.2.2.4 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.2.0 before 6.2.0.12 and 6.2.1 before 6.2.1.5 allows remote attackers to inject...
CVE-2013-0582
The CVE-2013-0582 issue is an XSS vulnerability in IBM Tivoli Federated Identity Manager (TFIM) versions 6.2.0 before 6.2.0.12, 6.2.1 before 6.2.1.5, and 6.2.2 before 6.2.2.4, and TFIMBG 6.2.0 before 6.2.0.12 and 6.2.1 before 6.2.1.5. A crafted URL that triggers a SAML 2.0 response allows remote ...
Design/Logic Flaw (CVE-2012-6359)
IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 before 6.2.0.11, 6.2.1 before 6.2.1.3, and 6.2.2 before 6.2.2.2 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.2.0 before 6.2.0.11, 6.2.1 before 6.2.1.3, and 6.2.2 before 6.2.2.2 do not check whether an OpenID attribute is signed i...
CVE-2012-6359
IBM TFIM and TFIMBG are affected by CVE-2012-6359: versions 6.2.0 before 6.2.0.11, 6.2.1 before 6.2.1.3, and 6.2.2 before 6.2.2.2 do not verify that OpenID attributes are signed in SREG/AX, allowing unsigned attributes to be inserted and potentially spoofed by an attacker. The issue can be exploi...
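The CVE-2012-6359 entries above state the missing check (an OpenID SREG/AX attribute is used without confirming it is covered by the signature) but not how the injection works in an OpenID 2.0 positive assertion. As an added example, not IBM's or TFIM's code, the block below signs a constructed assertion the way an OP with an HMAC-SHA256 association would, then shows an attacker appending unsigned extension fields: a new AX attribute (role) and a second extension namespace (SREG) carrying its own email. Because openid.sig only covers the fields listed in openid.signed, the signature still verifies. The flawed extraction trusts every field; the hardened one uses a field only if its key, and the ns.<alias> declaration for its extension, both appear in openid.signed. Endpoints, identifiers, the MAC key, the role type URI and the nonce are all constructed.

```python
import base64
import hashlib
import hmac
from typing import Dict, Optional, Set

AX_NS = "http://openid.net/srv/ax/1.0"
SREG_NS = "http://openid.net/extensions/sreg/1.1"
MANDATORY_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}
MAC_KEY = b"constructed-association-mac-key"   # constructed; a real RP holds this from the association


def kv_form(params: Dict[str, str], signed_keys) -> bytes:
    # OpenID 2.0 Key-Value Form of the signed fields, in openid.signed order.
    return "".join(f"{k}:{params['openid.' + k]}\n" for k in signed_keys).encode()


def sign(params: Dict[str, str], mac_key: bytes) -> str:
    # HMAC-SHA256 association type: openid.sig is the base64 MAC over kv_form.
    keys = params["openid.signed"].split(",")
    return base64.b64encode(hmac.new(mac_key, kv_form(params, keys), hashlib.sha256).digest()).decode()


def verify_signature(params: Dict[str, str], mac_key: bytes) -> bool:
    signed = set(params.get("openid.signed", "").split(","))
    if not MANDATORY_SIGNED <= signed:
        return False
    try:
        expected = sign(params, mac_key)
    except KeyError:                  # a listed field is absent from the response
        return False
    return hmac.compare_digest(expected, params.get("openid.sig", ""))


def extract_attributes(params: Dict[str, str], signed: Optional[Set[str]]) -> Dict[str, str]:
    """Collect SREG and AX attribute values. signed=None trusts every field (the
    flawed behaviour). Otherwise a field is used only if its key and the extension
    namespace declaration ns.<alias> both appear in openid.signed."""
    def trusted(key: str) -> bool:
        return signed is None or key in signed

    aliases = {k[len("openid.ns."):]: v for k, v in params.items()
               if k.startswith("openid.ns.") and trusted(k[len("openid."):])}
    attrs: Dict[str, str] = {}
    for k, v in params.items():
        if not k.startswith("openid."):
            continue
        key = k[len("openid."):]
        if not trusted(key):
            continue
        for alias, ns in aliases.items():
            ax_prefix, sreg_prefix = f"{alias}.value.", f"{alias}."
            if ns == AX_NS and key.startswith(ax_prefix):
                attrs[key[len(ax_prefix):]] = v
            elif ns == SREG_NS and key.startswith(sreg_prefix):
                attrs[key[len(sreg_prefix):]] = v
    return attrs


def flawed_attributes(params: Dict[str, str]) -> Dict[str, str]:
    return extract_attributes(params, None)


def trusted_attributes(params: Dict[str, str], mac_key: bytes) -> Dict[str, str]:
    if not verify_signature(params, mac_key):
        raise ValueError("invalid OpenID signature")
    # return_to and response_nonce must also be checked by a real RP; omitted here.
    return extract_attributes(params, set(params["openid.signed"].split(",")))


def build_assertion() -> Dict[str, str]:
    # Constructed positive assertion, signed as an OP would, carrying one AX email.
    p = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example.org/server",
        "openid.claimed_id": "https://op.example.org/alice",
        "openid.identity": "https://op.example.org/alice",
        "openid.return_to": "https://rp.example.com/openid/return",
        "openid.response_nonce": "2012-12-01T00:00:00Zconstructed",
        "openid.assoc_handle": "assoc-constructed",
        "openid.ns.ax": AX_NS,
        "openid.ax.mode": "fetch_response",
        "openid.ax.type.email": "http://axschema.org/contact/email",
        "openid.ax.value.email": "alice@example.org",
    }
    p["openid.signed"] = ("op_endpoint,claimed_id,identity,return_to,response_nonce,"
                          "assoc_handle,ns.ax,ax.mode,ax.type.email,ax.value.email")
    p["openid.sig"] = sign(p, MAC_KEY)
    return p


def tamper(params: Dict[str, str]) -> Dict[str, str]:
    # Attacker forwards the OP's assertion unchanged but appends unsigned extension
    # fields: a new AX attribute and a second extension (SREG) with its own email.
    t = dict(params)
    t["openid.ax.type.role"] = "http://example.org/schema/role"   # constructed type URI
    t["openid.ax.value.role"] = "admin"
    t["openid.ns.sreg"] = SREG_NS
    t["openid.sreg.email"] = "attacker@evil.example"
    return t


if __name__ == "__main__":
    tampered = tamper(build_assertion())
    print("signature valid:", verify_signature(tampered, MAC_KEY))
    print("flawed:  ", flawed_attributes(tampered))
    print("hardened:", trusted_attributes(tampered, MAC_KEY))
```

Requiring ns.<alias> itself to be signed matters as much as the attribute key: without it, an attacker can bind an unsigned alias to the AX or SREG namespace and supply attributes under that alias, which a check on attribute keys alone would not notice.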