5 matches found
CVE-2023-26550
CVE-2023-26550 affects BMC Control-M prior to 9.0.20.214. The vulnerability is a SQL injection in the memname JSON field that allows an attacker to execute arbitrary SQL commands. The issue is documented with a high severity (CVSS v3.1: 9.8/CRITICAL, network vector, no user interaction, no privil...
CVE-2024-1605
CVE-2024-1605 affects BMC Control-M branches 9.0.20 and 9.0.21. On user login, the app loads all DLLs from a directory that has write/read access for all users, allowing potentially malicious libraries to load and execute with the application’s privileges. The CVE details indicate the vulnerabili...
CVE-2023-39122
Summary: CVE-2023-39122 affects BMC Control-M ≤ 9.0.20.200, where an SQL injection is possible via the /RF-Server/report/deleteReport endpoint using the report-id parameter. The root cause is a SQL injection vulnerability in that API path. The issue is fixed in version 9.0.21, and is also mitigat...
CVE-2024-1606
CVE-2024-1606 describes a lack of input sanitization in BMC Control-M branches 9.0.20 and 9.0.21 that allows logged-in users to manipulate generated web pages by injecting HTML code, potentially enabling phishing via malicious links. The issue affects the web/UI layer and is caused by insufficien...
CVE-2024-1604
CVE-2024-1604 concerns BMC Control-M branches 9.0.20 and 9.0.21 where an improper authorization flaw in the report management/creation module allows logged-in users to read and alter any report without proper permissions, given knowledge of the report identifier. Impact is limited to unauthorized...