79 matches found
CVE-2018-1932
IBM API Connect 5.0.0.0–5.0.8.4 is affected by a vulnerability in the role‑based access control of the management server that could allow an authenticated user to obtain highly sensitive information. The CVSS 3.0 vector is CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N with a base score of 4.9 (MED...
CVE-2018-2011
CVE-2018-2011 affects IBM API Connect 2018.1–2018.4.1.5, where a specially crafted HTTP request could disclose sensitive information and aid further attacks. The issue is documented with a CVSS v3.1 base score of 5.3 (NETWORK, LOW attack complexity, NONE privileges, confidentiality impact LOW) an...
CVE-2019-4382
IBM API Connect 5.0.0.0–5.0.8.6 contains an information-disclosure vulnerability (CVE-2019-4382) that could allow an unauthenticated user to obtain sensitive information about system users via specially crafted HTTP requests. The issue affects the LoopBack component and is rated with CVSSv3 base ...
CVE-2018-1858
IBM API Connect 5.0.0.0–5.0.8.6 is affected by CVE-2018-1858, a cross-site request forgery that could allow an attacker to perform malicious, unauthorized actions transmitted from a trusted user. The remediation, per IBM, is to upgrade to V5.0.8.6 iFix 2. Public CVSS scores vary ...
CVE-2018-2013
CVE-2018-2013 affects IBM API Connect 2018.1–2018.4.1.5, where an information disclosure vulnerability could allow an unauthorized user to obtain sensitive data and aid further attacks. The CVSS base score is 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) per IBM/X-Force data, with NVD citing a ne...
CVE-2016-1000232
CVE-2016-1000232 affects the Node.js tough-cookie module (version 2.2.2): a regular-expression denial of service (ReDoS) in Cookie header parsing that can be triggered by a sufficiently large Cookie header. It has been fixed in 2.3.0; remediation is...
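Added example, not tough-cookie's own code or its actual fix: the mitigation strategy for this class of bug is to cap the header length up front and parse it in a single linear pass instead of handing the whole header to a backtracking regular expression. The length and pair caps are assumed values; the two headers at the bottom are constructed inputs.

```javascript
// Added example (not tough-cookie's code): parse a Cookie request header in linear
// time, with an explicit length cap, instead of handing the whole header to a
// backtracking regular expression. The caps below are assumed values.

function parseCookieHeader(header, { maxLength = 8192, maxPairs = 256 } = {}) {
  if (typeof header !== 'string') return Object.create(null);
  // Cheap first line of defence: refuse oversized headers before doing any parsing.
  if (header.length > maxLength) {
    throw new RangeError(`Cookie header exceeds ${maxLength} characters`);
  }
  const cookies = Object.create(null); // no prototype, so "__proto__=x" cannot pollute
  let pairs = 0;
  // split() and indexOf() are linear in the header length; no backtracking is possible.
  for (const segment of header.split(';')) {
    const eq = segment.indexOf('=');
    if (eq === -1) continue; // a bare token without '=' is ignored
    const name = segment.slice(0, eq).trim();
    if (name === '') continue;
    let value = segment.slice(eq + 1).trim();
    if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
      value = value.slice(1, -1); // strip the optional DQUOTEs allowed by RFC 6265
    }
    if (++pairs > maxPairs) {
      throw new RangeError(`Cookie header carries more than ${maxPairs} pairs`);
    }
    if (!(name in cookies)) cookies[name] = value; // first occurrence wins
  }
  return cookies;
}

// Constructed inputs: a normal header and an oversized one of the kind that makes a
// backtracking regex crawl. Both cost a single pass here (or are rejected outright).
const normalHeader = 'session=abc123; theme="dark"; flag';
const hugeHeader = 'a=' + 'x'.repeat(100000);
```

The length cap is the part that matters operationally: a server that cannot bound the input it feeds to a regex-based parser has no defence against ReDoS other than replacing the parser.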
CVE-2021-38997
IBM API Connect is affected by CVE-2021-38997 through multiple version ranges: 10.0.0.0–10.0.5.0, 10.0.1.0–10.0.1.7, and 2018.4.1.0–2018.4.1.19. The root cause is improper validation of input in the HOST header, leading to HTTP header injection. Reported impacts include cross-site scripting, cach...
CVE-2019-4600
CVE-2019-4600 is an information-disclosure vulnerability in IBM API Connect, affecting versions 5.0.0.0 through 5.0.8.7. A specially crafted HTTP request could reveal sensitive information. According to IBM’s security bulletin, the issue impacts the Developer Portal in API Connect and is addresse...
CVE-2020-4707
The CVE-2020-4707 issue affects IBM API Connect Web UI in versions 5.0.0.0 through 5.0.8.11, where lack of proper validation allows stored or reflected cross-site scripting that can cause arbitrary JavaScript execution, potentially leading to credential disclosure within a trusted session. The vu...
CVE-2019-4203
The CVE-2019-4203 issue affects IBM API Connect Developer Portal (versions 5.0.0.0–5.0.8.6). The flaw allows app developers to download arbitrary files from the host OS and may also enable SSRF attacks. Impact is described as potential exposure of files, with high integrity/availability concerns....
CVE-2019-4202
The CVE-2019-4202 issue affects IBM API Connect, specifically the Developer Portal in versions 5.0.0.0 through 5.0.8.6. The root cause is a command-injection vulnerability arising from inadequate filtering during the construction of executable commands, allowing a remote attacker to craft a reque...
CVE-2019-4256
IBM API Connect is affected by CVE-2019-4256 for versions 5.0.0.0 through 5.0.8.6, where weaker cryptographic algorithms could allow decryption of highly sensitive information. The issue specifically affects the cryptographic implementation in API Connect. The recommended remediation is to upgrad...
CVE-2023-28522
CVE-2023-28522 affects IBM API Connect V10 and is an improper access control vulnerability that could allow an authenticated user to perform actions they should not have access to. The IBM Security Bulletin (and related entries) confirm the issue in API Connect V10.x and provide remediation paths...
CVE-2022-34350
CVE-2022-34350 – IBM API Connect is affected by an External Service Interaction vulnerability caused by improper validation of user-supplied input. Affected versions: 10.0.0.0–10.0.5.0, 10.0.1.0–10.0.1.7, and 2018.4.1.0–2018.4.1.20. The issue can induce the application to perform server-side DNS ...
CVE-2017-1785
CVE-2017-1785 affects IBM API Connect 5.0.7.0–5.0.7.2 and 5.0.8.0–5.0.8.1. An authenticated remote user could modify query parameters to obtain sensitive information, indicating an information-disclosure vulnerability in the API Portal. The IBM Security Bulletin notes remediation in V5.0.8.2 (API...
CVE-2018-1784
CVE-2018-1784 affects IBM API Connect 5.0.0.0–5.0.8.4 due to a NoSQL injection vulnerability in the MongoDB connector for the LoopBack framework. Impact notes from sources indicate high severity (CVSSv3 base sc...
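Added example, not IBM or LoopBack code: the operator-injection pattern behind a NoSQL injection in a LoopBack-style "where" filter, and two guards that stop it. The in-memory user list and the tiny operator evaluator are constructed stand-ins for a MongoDB collection; the endpoint shape is assumed.

```javascript
// Added example (not IBM or LoopBack code): MongoDB operator injection through a
// LoopBack-style "where" filter, and two ways to stop it. The user list and the
// mini operator evaluator below are constructed stand-ins for a real collection.

const users = [
  { username: 'alice', password: 's3cret' },   // constructed sample data
  { username: 'bob',   password: 'hunter2' },
];

// Minimal Mongo-style matcher: plain values compare with ===, objects are operator maps.
function matchesFilter(doc, where) {
  return Object.entries(where).every(([field, cond]) => {
    const actual = doc[field];
    if (cond !== null && typeof cond === 'object' && !Array.isArray(cond)) {
      return Object.entries(cond).every(([op, arg]) => {
        switch (op) {
          case '$ne': return actual !== arg;
          case '$gt': return actual > arg;
          default:    throw new Error(`unsupported operator ${op}`);
        }
      });
    }
    return actual === cond;
  });
}

// Vulnerable: the parsed JSON body goes straight into the filter, so
// {"username":"alice","password":{"$ne":""}} matches alice without her password.
function loginVulnerable(body) {
  return users.filter(u => matchesFilter(u, { username: body.username, password: body.password }));
}

// Fix 1: enforce the expected scalar type before the filter is built.
function requireString(value, field) {
  if (typeof value !== 'string') throw new TypeError(`${field} must be a string`);
  return value;
}

function loginHardened(body) {
  const username = requireString(body.username, 'username');
  const password = requireString(body.password, 'password');
  return users.filter(u => matchesFilter(u, { username, password }));
}

// Fix 2: for endpoints that legitimately accept a filter object, refuse any key that
// begins with '$' at any depth (the rule sanitizers such as mongo-sanitize apply).
function containsOperatorKey(value) {
  if (Array.isArray(value)) return value.some(containsOperatorKey);
  if (value !== null && typeof value === 'object') {
    return Object.entries(value).some(([k, v]) => k.startsWith('$') || containsOperatorKey(v));
  }
  return false;
}
```

The root cause is a body parser that produces nested objects where the code expects strings; the type check in loginHardened closes the login case, and containsOperatorKey is the general guard for any REST endpoint that forwards a client-supplied filter.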
CVE-2018-1991
IBM API Connect 5.0.0.0–5.0.8.6 is affected by an information-disclosure vulnerability (CVE-2018-1991) that could reveal sensitive information about the underlying software stack via CMC UI headers. The root cause is a disclosure in requests/responses that exposes internal details. Affected produ...
CVE-2018-1789
CVE-2018-1789: IBM API Connect v2018.1.0–v2018.3.4 is affected by a Server-Side Request Forgery (SSRF) in its proxy service. The vulnerability allows a crafted request to reach unintended internal resources. IBM’s bulletin lists affected versions and provides an upgrade path to mitigate: remed...
CVE-2019-4155
CVE-2019-4155 affects IBM API Connect’s Developer Portal (versions 2018.1–2018.4.1.3). The privilege escalation vulnerability arises when the portal is integrated with an OpenID Connect (OIDC) user registry. IBM’s security bulletin confirms the issue and lists the affected VRMF: 2018.1–2018.4.1.3...
CVE-2017-1386
CVE-2017-1386 affects IBM API Connect 5.0.0.0 (and related product versions) where a user could bypass password policy and create non‑compliant passwords that might be intercepted and decrypted via man‑in‑the‑middle techniques. The IBM Security Bulletin details affected ranges: API Connect 5.0.0....
CVE-2019-4052
CVE-2019-4052 affects IBM API Connect versions 2018.1–2018.4.1.2. The vulnerability allows unauthenticated users to discover login IDs of registered users via API access, constituting an information-disclosure flaw. IBM X-Force/NVD entries confirm an impact on login-id exposure with CVSS v3....
CVE-2019-4402
CVE-2019-4402 affects IBM API Connect Developer Portal versions 2018.1–2018.4.1.6. An unauthorized user could cause a denial of service via an unprotected API. The remediation is IBM API Connect v2018.4.1.7 and later fixes for the portal package. The public sources in the connected doc...
CVE-2018-1778
CVE-2018-1778 (IBM API Connect / LoopBack) affects IBM API Connect versions 2018.1 through 2018.4.1 and 5.0.8.0 through 5.0.8.4. The vulnerability arises when the AccessToken model is exposed via a REST API, enabling an attacker to create an access token for any user who has a known userId, poten...
CVE-2018-2007
CVE-2018-2007 affects IBM API Connect (2018.1 and 2018.4.1.2) where weaker-than-expected cryptographic algorithms could allow an attacker to decrypt highly sensitive information. The bulletin lists affected versions as IBM API Connect 5.0.0.0–5.0.8.5, with remediation in VRMF 5.0.8.6 fixpack (L...
CVE-2019-4437
IBM API Connect 2018.1–2018.4.1.6 contains an information-disclosure vulnerability where sensitive details about internal servers and networks can be exposed via the API Swagger portal. The root cause is addressed in fixpack 2018.4.1.7 for the API Connect 2018.x line (management server fix). Affe...
CVE-2019-4609
CVE-2019-4609 affects IBM API Connect 2018.4.1.7, where weaker-than-expected cryptographic algorithms could allow an attacker to decrypt highly sensitive information. The vulnerability stems from usage of insufficient cryptography, potentially impacting confidentiality. Public references confirm ...
CVE-2017-1551
CVE-2017-1551 affects IBM API Connect 5.0.0.0–5.0.6.3 and 5.0.7.0–5.0.7.2. A remote attacker could entice a victim to visit a malicious site to hijack the victim’s click actions (Cross Frame Scripting). Impact (as stated): potential to hijack click-to-action with possible further attacks...
CVE-2017-1556
CVE-2017-1556 affects IBM API Connect versions 5.0.7.0–5.0.7.2. The vulnerability is a regular-expression denial of service (ReDoS) that could allow an authenticated attacker to supply input that slows down or hangs the system. IBM’s security bulletin notes the affected product and versions, with a fixed re...
CVE-2018-1774
IBM API Connect is vulnerable to CSV injection in the Developer Portal and analytics for versions 5.0.0.0–5.0.8.4 and 2018.1–2018.3.6. Exported CSV content can carry spreadsheet formulas that execute malicious commands when the file is opened by an administrator. Affected components include the Management server (iFix LI80404) and...
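Added example, not IBM code: the escaping an export routine needs so that a value submitted through a portal form cannot become a formula when an administrator opens the CSV in a spreadsheet. The rows are constructed sample data; the column layout is assumed.

```javascript
// Added example (not IBM code): neutralising formula injection when building a CSV
// export. The rows below are constructed sample data.

// Characters that spreadsheet applications treat as the start of a formula.
const FORMULA_PREFIXES = ['=', '+', '-', '@', '\t', '\r'];

function escapeCsvCell(value) {
  let s = value === null || value === undefined ? '' : String(value);
  // A leading single quote makes the cell text, not a formula, in common spreadsheet apps.
  if (FORMULA_PREFIXES.some(p => s.startsWith(p))) s = "'" + s;
  // Standard CSV quoting: wrap when the cell contains a delimiter, quote or newline.
  if (/[",\r\n]/.test(s)) s = '"' + s.replace(/"/g, '""') + '"';
  return s;
}

function toCsv(rows, columns) {
  const header = columns.map(escapeCsvCell).join(',');
  const body = rows.map(r => columns.map(c => escapeCsvCell(r[c])).join(','));
  return [header, ...body].join('\r\n');
}

// Constructed rows: the second app name is the kind of payload a developer-portal
// registration form would accept verbatim.
const sampleRows = [
  { app: 'weather-widget', owner: 'alice@example.com' },
  { app: '=HYPERLINK("http://evil.example/x","click")', owner: 'mallory@example.com' },
];
```

The prefix check also fires on legitimate values such as negative numbers, so apply it to exports meant for spreadsheet consumption rather than to machine-to-machine feeds where the leading quote would corrupt numeric parsing.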
CVE-2018-1779
CVE-2018-1779 affects IBM API Connect 2018.1 through 2018.3.7, where the management service could be overwhelmed by unauthenticated requests containing large JSON payloads due to insufficient JSON size limits. The vulnerability can cause a denial of service, as the server may allocate excessive r...
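Added example, not IBM code: bounding a JSON request body before it is buffered or parsed, which is the control whose absence this entry describes. The 64 KiB limit is an assumed value; BoundedBody is exercised with constructed chunks, and readJsonBody() shows how it attaches to any Node readable stream such as an http.IncomingMessage.

```javascript
// Added example (not IBM code): bound the size of a JSON request body before it is
// buffered and parsed. The 64 KiB limit is an assumed value.

const MAX_JSON_BYTES = 64 * 1024;

class PayloadTooLarge extends Error {
  constructor(limit) {
    super(`request body exceeds ${limit} bytes`);
    this.name = 'PayloadTooLarge';
    this.statusCode = 413;
  }
}

// Accumulates body chunks and refuses to grow past the limit. Once exceeded, the
// buffered data is dropped so an attacker cannot pin memory with many slow requests.
class BoundedBody {
  constructor(maxBytes = MAX_JSON_BYTES) {
    this.maxBytes = maxBytes;
    this.chunks = [];
    this.received = 0;
    this.overflowed = false;
  }
  push(chunk) {
    const buf = Buffer.isBuffer(chunk) ? chunk : Buffer.from(String(chunk), 'utf8');
    this.received += buf.length;
    if (this.received > this.maxBytes) {
      this.overflowed = true;
      this.chunks = [];
      return false; // caller should stop reading and answer 413
    }
    this.chunks.push(buf);
    return true;
  }
  parse() {
    if (this.overflowed) throw new PayloadTooLarge(this.maxBytes);
    return JSON.parse(Buffer.concat(this.chunks).toString('utf8'));
  }
}

// Reject obviously oversized bodies from Content-Length before reading anything.
// A missing header (chunked encoding) falls through to the streaming cap above.
function contentLengthAllowed(headers, maxBytes = MAX_JSON_BYTES) {
  const raw = headers['content-length'];
  if (raw === undefined) return true;
  const n = Number(raw);
  return Number.isInteger(n) && n >= 0 && n <= maxBytes;
}

// Wire the bounded collector to a readable stream (for example an http.IncomingMessage).
function readJsonBody(stream, maxBytes = MAX_JSON_BYTES) {
  return new Promise((resolve, reject) => {
    const body = new BoundedBody(maxBytes);
    stream.on('data', chunk => {
      if (!body.push(chunk)) {
        stream.destroy(); // stop consuming; the promise is already rejected
        reject(new PayloadTooLarge(maxBytes));
      }
    });
    stream.on('end', () => {
      try { resolve(body.parse()); } catch (err) { reject(err); }
    });
    stream.on('error', reject);
  });
}
```

Content-Length alone is not enough because a client can omit it or lie; the streaming cap is what actually bounds allocation, and the check has to happen on every unauthenticated route, since that is where this entry says the oversized payloads arrived.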
CVE-2020-4452
CVE-2020-4452 affects IBM API Connect versions 2018.4.1.0–2018.4.1.11, where weak cryptographic algorithms could allow an attacker to decrypt highly sensitive information. Root cause: use of weaker-than-expected cryptography. Impact: disclosure of sensitive data. Remediation: IBM fixed in 2018.4....
CVE-2020-4706
IBM API Connect (5.0.0.0–5.0.8.10) is affected by CVE-2020-4706, an HTTP Host header injection vulnerability caused by insufficient validation of input in the HOST header. A remote attacker could craft a request with an injected Host header, enabling cross-site scripting, cache poisoning, or session...
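Added example, not IBM code, covering both Host header injection entries (CVE-2021-38997 above and CVE-2020-4706): validate the Host header against an allowlist before it is used to build an absolute URL such as a password-reset link. The allowlist and the request shape are assumptions.

```javascript
// Added example (not IBM code): validate the Host header against an allowlist before it
// is used to build absolute URLs. The allowlist and request shape are assumptions.

const ALLOWED_HOSTS = new Set(['api.example.com', 'portal.example.com']); // assumed

// Hostname (or IPv4 literal) with an optional port. Anything that could break out of a
// URL or header (whitespace, '/', '@', '#', '?', CR/LF) fails this test outright.
const HOST_RE = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*(:\d{1,5})?$/i;

// Returns the normalised host if it is syntactically valid and allowlisted, else null.
function validateHost(rawHost) {
  if (typeof rawHost !== 'string' || !HOST_RE.test(rawHost)) return null;
  const host = rawHost.toLowerCase();
  const name = host.split(':')[0];
  return ALLOWED_HOSTS.has(name) ? host : null;
}

// Vulnerable pattern: the client-controlled header ends up in a link e-mailed to the user,
// so an attacker's host receives the reset token when the link is clicked.
function resetLinkVulnerable(req, token) {
  return `https://${req.headers.host}/reset?token=${encodeURIComponent(token)}`;
}

// Hardened: build the link only from a validated host, or fail the request.
function resetLinkHardened(req, token) {
  const host = validateHost(req.headers.host);
  if (host === null) throw new Error('invalid or unexpected Host header');
  return `https://${host}/reset?token=${encodeURIComponent(token)}`;
}
```

Behind a reverse proxy the same check has to cover X-Forwarded-Host (Express's req.hostname reads it once "trust proxy" is enabled). The more robust design is to configure the canonical public hostname server-side and never derive it from the request at all.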
CVE-2021-20440
CVE-2021-20440 (IBM API Connect): the vulnerability allows an attacker who is a valid user in the API Manager’s user registry to use a stolen invitation link to register as a member of an API provider organization, due to insufficient restriction of recipient scope. Affected products/...
CVE-2017-1379
IBM API Connect 5.0.0.0–5.0.7.1 is affected by CVE-2017-1379, an information disclosure vulnerability caused by improper handling of Developer Portal requests. A remote attacker could obtain sensitive information. IBM’s bulletin lists affected versions and provides remediation via iFixes containing...
CVE-2018-1468
CVE-2018-1468 affects IBM API Connect 5.0.8.1–5.0.8.2, enabling a user to access internal environments and sensitive API details to which they are not authorized. The vulnerability is an information-disclosure issue with CVSSv3 base score 4.3 (vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)...
CVE-2018-1599
CVE-2018-1599 affects IBM API Connect 5.0.0.0 through 5.0.8.3, allowing a remote attacker to hijack a victim’s clicking actions by enticing them to a malicious website (clickjacking). IBM’s bulletin confirms exposure for IBM API Connect versions 5.0.0.0–5.0.8.4 and 2018.1–2018.3.4, with remediati...
CVE-2018-1712
IBM API Connect Developer Portal versions 5.0.0.0–5.0.8.3 are vulnerable to Server-Side Request Forgery (SSRF). The vulnerability arises from input parameters that can cause the server to issue requests inside the trusted network. IBM’s Security Bulletin confirms remediation in Version 5.0.8.3 iF...
CVE-2018-2009
IBM API Connect v2018.1–2018.4.1 is affected by an information-disclosure vulnerability in the consumer API. Any registered user can enumerate other users across all orgs, including email IDs and names. The CVE-2018-2009 issue has CVSSv3 base score 6.5 (confidentiality impact: HIGH). Affected ver...
CVE-2020-4826
CVE-2020-4826 affects IBM API Connect: vulnerable in IBM API Connect 10.0.0.0–10.0.1.0 and 2018.4.1.0–2018.4.1.13, due to a cross-site request forgery flaw. The CVSS v3 base score is 4.3 (MEDIUM). Remediation is available: fixed in IBM API Connect 2018.4.1.15 and 10.0.1.1 (LI81760) per IBM bullet...
CVE-2016-3012
IBM API Connect (APIConnect) before 5.0.3.0 with NPM before 2.2.8 includes internal server credentials in the toolkit, which could allow remote attackers to bypass access restrictions by using those credentials. Affected products include IBM API Connect with the specified pre‑fix versions. The vu...
CVE-2018-1973
CVE-2018-1973 affects IBM API Connect 5.0.0.0–5.0.8.4. A user with limited API Administrator rights can elevate to full Administrator access via the members functionality. CVSS v3 base score 7.2 (HIGH); vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. Remediation: patch in V5.0.8.5 (fixpack) per IBM...
CVE-2023-47722
IBM API Connect vulnerability CVE-2023-47722 affects API Connect versions 10.0.5.3 and 10.0.6.0, where user credentials are stored in the browser cache and can be read by a local user. The issue is described in IBM security advisories and Red Hat/NVD entries, with a base CVSS v3.1 score of 5.5–6....
CVE-2017-1322
CVE-2017-1322 affects IBM API Connect 5.0.6.0 (and related versions) with an XML External Entity Injection (XXE) when processing XML data. Root cause: XXE vulnerability in XML parsing that can disclose sensitive information and consume memory/resources. Affected versions include 5.0.6.0; CNVD not...
CVE-2017-1555
CVE-2017-1555 affects IBM API Connect 5.0.0.0 through 5.0.7.2, where an authenticated user could generate an API token without being subscribed to the application plan. The NVD entry records CVSS v3.0 base score 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N). IBM’s security bulletin confirms the vulne...
CVE-2018-1546
IBM API Connect versions 5.0.0.0–5.0.8.3 are affected by CVE-2018-1546 due to failure to properly enable HTTP Strict Transport Security. This can lead to information disclosure via a man-in-the-middle. CVSS v3 base score is 5.9 (Network, High attack complexity, Privileges NONE, User interaction N...
CVE-2019-4008
CVE-2019-4008 affects IBM API Connect V2018.1–2018.4.1.1. The issue is an access token leak where authorization tokens in some URLs could be written to log files, enabling disclosure of credentials. Affected product: IBM API Connect (API Management) 2018.x. Root cause: tokens exposed via logging ...
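Added example, not IBM code: the redaction layer that keeps OAuth/OIDC tokens carried in URLs and headers out of access logs. The parameter and header names are an assumed list; the sample log line is constructed.

```javascript
// Added example (not IBM code): keep tokens out of access logs. The parameter and
// header names are an assumed list; the log line at the bottom is constructed.

const SENSITIVE_PARAMS = ['access_token', 'id_token', 'refresh_token', 'client_secret', 'token', 'code'];
const SENSITIVE_HEADERS = new Set(['authorization', 'proxy-authorization', 'cookie', 'set-cookie', 'x-api-key']);
const MASK = 'REDACTED';

// Redact sensitive query parameters in a URL or request path, leaving the rest intact.
function redactUrl(raw) {
  const q = raw.indexOf('?');
  if (q === -1) return raw;
  const hash = raw.indexOf('#', q);
  const query = raw.slice(q + 1, hash === -1 ? raw.length : hash);
  const params = new URLSearchParams(query);
  let changed = false;
  for (const key of Array.from(params.keys())) {
    if (SENSITIVE_PARAMS.includes(key.toLowerCase())) { params.set(key, MASK); changed = true; }
  }
  if (!changed) return raw;
  return raw.slice(0, q + 1) + params.toString() + (hash === -1 ? '' : raw.slice(hash));
}

// Replace credential-bearing headers before a request object is serialised to a log.
function redactHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name] = SENSITIVE_HEADERS.has(name.toLowerCase()) ? MASK : value;
  }
  return out;
}

// Last line of defence for free-text log lines something else already assembled:
// key=value parameters and "Bearer <token>" fragments.
const PARAM_RE = new RegExp(`\\b(${SENSITIVE_PARAMS.join('|')})=[^&\\s"']+`, 'gi');
const BEARER_RE = /\bBearer\s+[A-Za-z0-9._~+\/=-]+/g;

function scrubLogLine(line) {
  return line.replace(PARAM_RE, `$1=${MASK}`).replace(BEARER_RE, `Bearer ${MASK}`);
}

// Constructed log line of the kind the bulletin warns about.
const sampleLine = 'GET /api/catalogs/sandbox/apis?access_token=eyJhbGciOiJIUzI1NiJ9.e30.abc 200 12ms';
```

Structured redaction (redactUrl, redactHeaders) at the point where the request is logged is the reliable control; scrubLogLine is a regex safety net for lines built elsewhere and will miss tokens in formats it does not know. Tokens that reach logs should be treated as compromised and revoked, since log retention and access are usually far wider than the token's intended audience.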
CVE-2021-29715
IBM API Connect 5.0.0.0–5.0.8.11 is affected by CVE-2021-29715, a remote-information-disclosure and denial-of-service issue caused by open ports. A remote attacker could obtain sensitive information or disrupt service. IBM’s bulletin confirms remediation by upgrading to V5.0.8.12 (and provides th...
CVE-2017-1328
IBM API Connect 5.0.0.0–5.0.6.2 contains a security bypass vulnerability (CVE-2017-1328) caused by improper handling of security policy, allowing remote attackers to access APIs without valid credentials. The IBM Security Bulletin documents the affected product and versions, the root cause, and t...
CVE-2018-1548
CVE-2018-1548 affects IBM API Connect 2018.1.0.0, 2018.2.1, 2018.2.2, 2018.2.3, and 2018.2.4, causing information disclosure to an authenticated user. The connected documents confirm the vulnerable product and versions, and state that the vulnerability could allow access to sensitive information....
CVE-2018-1874
CVE-2018-1874 affects IBM API Connect versions 5.0.0.0–5.0.8.5 and could display highly sensitive information to an attacker with physical access, due to an information-disclosure path exposed by insecure caching. The vulnerability is documented with a CVSS v3 base score of 4.6 (MEDIUM) and a CVS...