Security Bulletin: Mongoose before 8.8.3 can improperly use $where in match, leading to search injection.
Summary Mongoose before 8.8.3 can improperly use $where in match, leading to search injection. Vulnerability Details CVEID:CVE-2024-53900 DESCRIPTION: Mongoose before 8.8.3 can improperly use $where in match. CWE:CWE-89: Improper Neutralization of Special Elements used in an SQL Command 'SQL...
Security Bulletin: IBM Guardium Data Security Center is affected by multiple vulnerabilities
Summary IBM Guardium Data Security Center has addressed these vulnerabilities with an update. Vulnerability Details CVEID:CVE-2024-12797 DESCRIPTION: Issue summary: Clients using RFC7250 Raw Public Keys (RPKs) to authenticate a server may fail to notice that the server was not authenticated, because...
Security Bulletin: Multiple security vulnerabilities affect Go related packages shipped with IBM CICS TX Standard.
Summary Security vulnerabilities affect Go packages that are shipped with IBM CICS TX Standard. Go modules are used by IBM CICS TX Standard to simplify dependency management. It is possible for sensitive information to be exposed through data queries with an attacker causing an HTTP/2 endpoint to...
Security Bulletin: IBM App Connect Enterprise and IBM Integration Bus for z/OS is vulnerable to a remote attack due to OpenSSL (CVE-2024-9143)
Summary The DataDirect ODBC driver shipped with IBM App Connect Enterprise and IBM Integration Bus for z/OS is vulnerable to a remote attack due to OpenSSL. Vulnerability Details CVEID:CVE-2024-9143 DESCRIPTION: OpenSSL could allow a remote attacker to execute arbitrary code on the system, caused...
Security Bulletin: A denial-of-service attack, TE.CL request smuggling, a man-in-the-middle attack, and other vulnerabilities might affect IBM Storage Defender - Resiliency Service
Summary IBM Storage Defender - Resiliency Service is vulnerable to a denial-of-service attack, TE.CL request smuggling, a man-in-the-middle attack, and other vulnerabilities. The vulnerabilities have been addressed. Vulnerability Details CVEID:CVE-2025-26699 DESCRIPTION: An issue was discovered in Django 5.1 before...
Security Bulletin: IBM App Connect Enterprise is vulnerable to multiple vulnerabilities due to Node.js modules axios and xml-crypto (CVE-2025-27152, CVE-2025-29774, CVE-2025-29775 and CVE-2024-57965)
Summary IBM App Connect Enterprise runtime, IBM App Connect Enterprise Discovery Connectors and IBM App Connect Enterprise Connector Discovery and OpenAPI Editor are vulnerable to multiple vulnerabilities due to Node.js modules axios and xml-crypto. Vulnerability Details CVEID:CVE-2025-27152...
Security Bulletin: IBM SOAR QRadar Plugin App is vulnerable to using components with known vulnerabilities
Summary The product includes vulnerable components e.g., framework libraries that may be identified and exploited with automated tools. IBM SOAR QRadar Plugin App has addressed the applicable CVEs with an update. Vulnerability Details CVEID:CVE-2024-12797 DESCRIPTION: Issue summary: Clients using...
Security Bulletin: The IBM® Engineering Lifecycle Engineering products using IBM WebSphere Application Server Liberty are vulnerable to a denial of service due to Apache CXF (CVE-2025-23184)
Summary There is a vulnerability in the Apache CXF library used by IBM WebSphere Application Server Liberty with the jaxws-2.2, xmlWS-3.0 or xmlWS-4.0 feature enabled. The following IBM® Engineering Lifecycle Engineering products are vulnerable to this attack; it has been addressed in this bulletin:...
Security Bulletin: IBM Sterling Connect:Direct Web Services is affected by a vulnerability in netty-common-4.1.114.Final.jar
Summary IBM Connect:Direct Web Services uses the netty Jar and is vulnerable to CVE-2024-47535. Vulnerability Details CVEID:CVE-2024-47535 DESCRIPTION: Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients...
Security Bulletin: IBM Maximo Application Suite - Manage Component uses prismjs-1.29.0.tgz which is vulnerable to CVE-2024-53382.
Summary IBM Maximo Application Suite - Manage Component uses prismjs-1.29.0.tgz which is vulnerable to CVE-2024-53382. This bulletin contains information regarding the vulnerability and its fix. Vulnerability Details CVEID:CVE-2024-53382 DESCRIPTION: Prism aka PrismJS through 1.29.0 allows DO...
Security Bulletin: IBM Maximo Application Suite - Manage Component uses dompurify-3.2.3.tgz which is vulnerable to CVE-2025-26791.
Summary IBM Maximo Application Suite - Manage Component uses dompurify-3.2.3.tgz which is vulnerable to CVE-2025-26791. This bulletin contains information regarding the vulnerability and its fix. Vulnerability Details CVEID:CVE-2025-26791 DESCRIPTION: DOMPurify before 3.2.4 has an incorrect...
Security Bulletin: There is a vulnerability in vitest-2.1.8.tgz used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2025-24963,CVE-2025-24964)
Summary There is a vulnerability in vitest-2.1.8.tgz used by IBM Maximo Manage application in IBM Maximo Application Suite. Vulnerability Details CVEID:CVE-2025-24963 DESCRIPTION: Vitest is a testing framework powered by Vite. The screenshot-error handler on the browser mode HTTP server that...
Security Bulletin: IBM Sterling Secure Proxy is vulnerable to multiple issues
Summary Multiple vulnerabilities affect IBM Sterling Secure Proxy and are addressed in the latest release and iFix. Vulnerability Details CVEID:CVE-2024-30172 DESCRIPTION: The Bouncy Castle Crypto Package For Java is vulnerable to a denial of service, caused by an infinite loop in the Ed25519...
Security Bulletin: IBM Sterling Secure Proxy is vulnerable to multiple issues
Summary Multiple vulnerabilities affect IBM Sterling Secure Proxy. They are addressed in the latest release and iFix. Vulnerability Details CVEID:CVE-2024-21235 DESCRIPTION: Vulnerability in Java SE component: Hotspot. Difficult to exploit vulnerability allows unauthenticated attacker with network...
Security Bulletin: IBM Engineering Requirements Management DOORS Next is vulnerable to Reflected File Download (CVE-2024-43169)
Summary IBM Engineering Requirements Management DOORS Next is vulnerable to Reflected File Download CVE-2024-43169. Vulnerability Details CVEID:CVE-2024-43169 DESCRIPTION: IBM Engineering Requirements Management DOORS Next could allow a user to download a malicious file without verifying the...
Security Bulletin: Due to the use of Apache MINA Core, IBM App Connect Professional is vulnerable to Remote Code Execution
Summary Apache MINA Core is used by IBM App Connect Professional (CVE-2024-52046). Vulnerability Details CVEID:CVE-2024-52046 DESCRIPTION: The ObjectSerializationDecoder in Apache MINA uses Java’s native deserialization protocol to process incoming serialized data but lacks the necessary security...
Security Bulletin: Multiple vulnerabilities found in IBM EntireX.
Summary IBM EntireX has been updated in order to address multiple vulnerabilities. Vulnerability Details CVEID:CVE-2024-56812 DESCRIPTION: IBM EntireX could allow a local user to obtain sensitive information when a detailed technical error message is returned. This information could be used in...
Security Bulletin: IBM Instana Observability is affected by multiple vulnerabilities within Instana Agent container image
Summary Multiple vulnerabilities were remediated in IBM Observability with Instana within Instana Agent container image build 290. Vulnerability Details CVEID:CVE-2024-38820 DESCRIPTION: VMware Tanzu Spring Framework could provide weaker than expected security, caused by a flaw related to...
Security Bulletin: IBM Cloud Pak for Data is vulnerable to cross-site scripting (CVE-2025-0719)
Summary IBM Cloud Pak for Data is vulnerable to cross-site scripting. A reflected cross-site scripting (XSS) vulnerability has been identified on the /error endpoint, specifically with the 'error' parameter. This vulnerability allows an attacker to inject JavaScript code, which will be executed whe...
Security Bulletin: IBM QRadar Data Synchronization App for IBM QRadar SIEM is vulnerable to using components with known vulnerabilities
Summary The product includes vulnerable components e.g., framework libraries that could be identified and exploited with automated tools. IBM QRadar Data Synchronization App for IBM QRadar SIEM has addressed the applicable CVEs. Vulnerability Details CVEID:CVE-2024-47764 DESCRIPTION: jshttp cooki...
Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in Mongoose
Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of Mongoose. Vulnerability Details CVEID:CVE-2024-53900 DESCRIPTION: Mongoose before 8.8.3 can improperly use $where in match. CWE:CWE-89: Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' CVSS...
Security Bulletin: Qiskit SDK Vulnerability Allows Remote Attackers to Cause Denial of Service via Maliciously Crafted QPY File
Summary A maliciously crafted QPY file containing a malformed symengine serialization stream as part of the larger QPY serialization of a ParameterExpression object can cause a segfault within the symengine library, allowing an attacker to terminate the hosting process. Vulnerability Details...
Security Bulletin: Security vulnerabilities have been discovered in IBM Security Verify Bridge (CVE-2024-45673, CVE-2024-45674)
Summary Security vulnerabilities have been addressed in IBM Security Verify Bridge offering. Vulnerability Details CVEID:CVE-2024-45673 DESCRIPTION: IBM Security Verify Bridge stores user credentials in configuration files which can be read by a local user. CWE:CWE-260: Password in Configuration...
Security Bulletin: IBM MaaS360 Cloud Extender Agent, Configuration Utility and Mobile Enterprise Gateway (MEG) affected by multiple vulnerabilities (CVE-2024-21907, CVE-2023-39017, CVE-2024-40642, CVE-2015-2325)
Summary Vulnerabilities contained within newtonsoft.json third-party components were addressed in the IBM MaaS360 Cloud Extender Agent and Configuration Utility. Vulnerabilities contained within Netty third-party components were addressed in the IBM MaaS360 Mobile Enterprise Gateway (MEG) Module...
Security Bulletin: IBM Cognos Controller is affected by vulnerabilities
Summary There are vulnerabilities in IBM® Java™, IBM® WebSphere Application Server Liberty and Open-Source Software (OSS) components used by IBM Cognos Controller. Additionally, IBM Cognos Controller has addressed vulnerabilities that could lead to Cross-Site Scripting (XSS) (CVE-2024-28776), XML Extern...
Security Bulletin: IBM OpenPages fixes multiple vulnerabilities
Summary Multiple vulnerabilities with IBM OpenPages have been addressed in the latest IBM OpenPages fixpacks for both 9.0 and 8.3 versions. Vulnerability Details CVEID:CVE-2024-49355 DESCRIPTION: IBM OpenPages may write improperly neutralized data to server log files when the tracing is enabled p...
Security Bulletin: Vulnerabilities in OpenSSH and OpenSSL affect IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products
Summary Vulnerabilities in OpenSSH and OpenSSL affect IBM Storage Virtualize products and could allow arbitrary code execution, authentication bypass and denial of service. CVE-2024-6387 CVE-2024-6409 CVE-2023-2975 CVE-2023-3446 CVE-2023-3817 CVE-2023-5678. Vulnerability Details CVEID:CVE-2024-63...
Security Bulletin: IBM QRadar SIEM is vulnerable to cross-site scripting (CVE-2024-56463)
Summary IBM QRadar SIEM is vulnerable to cross-site scripting, which could allow a privileged user to embed arbitrary JavaScript code in the Web UI. This vulnerability has been addressed in the update. Vulnerability Details CVEID:CVE-2024-56463 DESCRIPTION: IBM QRadar SIEM is vulnerable to...
Security Bulletin: IBM App Connect Enterprise Certified Container DesignerAuthoring operands are vulnerable to cross-site scripting [CVE-2024-11831]
Summary Node.js module serialize-javascript is used by IBM App Connect Enterprise Certified Container DesignerAuthoring operands. IBM App Connect Enterprise Certified Container DesignerAuthoring operands are vulnerable to cross-site scripting. This bulletin provides patch information to address t...
Security Bulletin: Multiple vulnerabilities affect IBM Data Virtualization on Cloud Pak for Data (February 2025)
Summary Multiple vulnerabilities have been addressed in IBM Data Virtualization on Cloud Pak for Data. Note that IBM Data Virtualization was named Watson Query in IBM Cloud Pak for Data version 4.6, 4.7, and 4.8. Vulnerability Details CVEID:CVE-2024-4067 DESCRIPTION: Node.js micromatch module is...
Security Bulletin: Vulnerability in restricted bash environment (CVE-2024-56477) affects Power HMC.
Summary The restricted bash environment is enabled in Power Hardware Management Console (HMC). HMC has addressed the applicable CVE. Vulnerability Details CVEID:CVE-2024-56477 DESCRIPTION: IBM Hardware Management Console - Power could allow an authenticated user to traverse directories on the syste...
Security Bulletin: IBM DevOps Deploy / IBM UrbanCode Deploy (UCD) is susceptible to command injection (CVE-2024-55904)
Summary IBM DevOps Deploy / IBM UrbanCode Deploy could allow a remote privileged authenticated attacker to execute arbitrary commands on the system by sending specially crafted input containing special elements. Vulnerability Details CVEID:CVE-2024-55904 DESCRIPTION: IBM DevOps Deploy / IBM...
Security Bulletin: IBM DevOps Deploy / IBM UrbanCode Deploy (UCD) is susceptible to a sensitive information disclosure (CVE-2024-54176)
Summary IBM DevOps Deploy / IBM UrbanCode Deploy (UCD) could allow an authenticated user to obtain sensitive information about other users on the system due to missing authorization for a function. Vulnerability Details CVEID:CVE-2024-54176 DESCRIPTION: IBM DevOps Deploy 8.0 through 8.0.1.4, 8.1...
Security Bulletin: Multiple vulnerabilities found in IBM EntireX.
Summary IBM EntireX has been updated in order to address the multiple vulnerabilities CVE-2024-54171, CVE-2024-56467 & CVE-2025-0158. Vulnerability Details CVEID:CVE-2024-54171 DESCRIPTION: IBM EntireX is vulnerable to an XML external entity injection (XXE) attack when processing XML data. An...
Security Bulletin: Multiple Security Vulnerabilities were discovered in the IBM Verify Directory Server Container (CVE-2024-49814, CVE-2024-51450)
Summary Security Vulnerabilities have been addressed in the IBM Security Verify Directory Server Container. Vulnerability Details CVEID:CVE-2024-49814 DESCRIPTION: IBM Security Verify Access Appliance could allow a locally authenticated user to increase their privileges due to execution with...
Security Bulletin: Vulnerabilities in Flatpak affect IBM watsonx Assistant for IBM Cloud Pak for Data
Summary Potential vulnerabilities in Flatpak have been identified that affect IBM watsonx Assistant for IBM Cloud Pak for Data. The vulnerabilities have been addressed. Refer to details for additional information. Vulnerability Details CVEID:CVE-2024-32462 DESCRIPTION: Flatpak could allow a local...
Security Bulletin: Multiple vulnerabilities found in IBM ApplinX.
Summary IBM ApplinX has been updated in order to address the multiple vulnerabilities. Vulnerability Details CVEID:CVE-2015-9251 DESCRIPTION: jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability usin...
Security Bulletin: IBM Aspera Shares is vulnerable to multiple medium vulnerabilities (CVE-2024-38317, CVE-2024-56470, CVE-2024-38316, CVE-2024-56473, CVE-2024-56472, CVE-2024-56471, CVE-2024-38318)
Summary This Security Bulletin addresses multiple medium severity vulnerabilities that have been remediated in IBM Aspera Shares 1.10.0 PL7. Vulnerability Details CVEID:CVE-2024-38317 DESCRIPTION: IBM Aspera Shares is vulnerable to cross-site scripting. This vulnerability allows a privileged user...
Security Bulletin: AIX is vulnerable to information disclosure (CVE-2024-13176) or arbitrary code execution or a denial of service (CVE-2024-9143) due to OpenSSL
Summary Vulnerabilities in OpenSSL could allow an attacker to recover a private key (CVE-2024-13176) or execute arbitrary code or cause a denial of service (CVE-2024-9143). OpenSSL is used by AIX as part of AIX's secure network communications. Vulnerability Details CVEID:CVE-2024-13176 DESCRIPTION:...
Security Bulletin: Security Vulnerabilities reported against IBM Verify Identity Access and IBM Security Verify Access
Summary Multiple Security Vulnerabilities were addressed in IBM Verify Identity Access and IBM Security Verify Access. Vulnerability Details CVEID:CVE-2024-45659 DESCRIPTION: IBM Security Verify Access Appliance could allow a remote attacker to obtain sensitive information when a detailed technica...
Security Bulletin: Vulnerability in GNOME libsoup affects IBM watsonx Assistant for IBM Cloud Pak for Data
Summary A potential vulnerability in GNOME libsoup has been identified that affects IBM watsonx Assistant for IBM Cloud Pak for Data. The vulnerability has been addressed. Refer to details for additional information. Vulnerability Details CVEID:CVE-2024-52530 DESCRIPTION: GNOME libsoup is...
Security Bulletin: Vulnerabilities in GStreamer affect IBM watsonx Assistant for IBM Cloud Pak for Data
Summary Potential vulnerabilities in GStreamer have been identified that affect IBM watsonx Assistant for IBM Cloud Pak for Data. The vulnerabilities have been addressed. Refer to details for additional information. Vulnerability Details CVEID:CVE-2024-47538 DESCRIPTION: GStreamer is a library fo...
Security Bulletin: IBM App Connect Enterprise Certified Container UBI updates
Summary IBM App Connect Enterprise Certified Container (ACEcc) is built on the Red Hat Universal Base Images. ACEcc operator versions 12.0.8 LTS and 12.8.0 contain fixes to the listed CVEs found in the base images. This bulletin provides patch information to address the reported vulnerabilities...
Security Bulletin: Security vulnerabilities discovered in IBM Security Directory Suite (CVE-2024-45650, CVE-2024-51540) have been addressed.
Summary Security vulnerabilities discovered in IBM Security Directory Suite have been addressed. Vulnerability Details CVEID:CVE-2024-45650 DESCRIPTION: IBM Security Verify Directory 10.0 through 10.0.3 is vulnerable to a denial of service when sending an LDAP extended operation. CWE:CWE-754:...
Security Bulletin: A vulnerability in jQuery affects IBM Robotic Process automation and could result in cross-site scripting (CVE-2024-30875).
Summary A vulnerability in jQuery affects IBM Robotic Process automation and could result in cross-site scripting. jQuery is used by IBM Robotic Process Automation as part of the Carbon UI framework. This bulletin identifies the fixes required to address the vulnerability. Vulnerability Details...
Security Bulletin: IBM Sterling B2B Integrator is Vulnerable to Information Disclosure (CVE-2024-45089)
Summary IBM Sterling B2B Integrator has addressed the information disclosure vulnerability. Vulnerability Details CVEID:CVE-2024-45089 DESCRIPTION: IBM Sterling B2B Integrator Standard Edition EBICS server could allow an authenticated user to obtain sensitive filename information due to an...
Security Bulletin: IBM Sterling B2B Integrator is Vulnerable to Cross-Site Scripting (CVE-2024-47116)
Summary IBM Sterling B2B Integrator has addressed the cross-site scripting vulnerability. Vulnerability Details CVEID:CVE-2024-47116 DESCRIPTION: IBM Sterling B2B Integrator Standard Edition is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary...
Security Bulletin: The Dashboard of IBM Sterling B2B Integrator is Vulnerable to Cross-Site Scripting (CVE-2024-47103, CVE-2024-49807, CVE-204-40696)
Summary IBM Sterling B2B Integrator has addressed the cross-site scripting security vulnerability. Vulnerability Details CVEID:CVE-2024-47103 DESCRIPTION: IBM Sterling B2B Integrator Standard Edition is vulnerable to cross-site scripting. This vulnerability allows a privileged user to embed...
Security Bulletin: The Dashboard of the IBM Sterling B2B Integrator is Vulnerable to Cross-Site Request Forgery (CVE-2023-38739)
Summary IBM Sterling B2B Integrator has addressed the cross-site request forgery security vulnerability. Vulnerability Details CVEID:CVE-2023-38739 DESCRIPTION: IBM Sterling B2B Integrator Standard Edition is vulnerable to cross-site request forgery which could allow an attacker to execute malicio...
Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in rack-2.0.7.gem
Summary IBM Watson Discovery for IBM Cloud Pak for Data contains a vulnerable version of rack-2.0.7.gem. Vulnerability Details CVEID:CVE-2022-44572 DESCRIPTION: Rack is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the multipart parsing component...