IBM Concert 1.0.0 through 2.1.0 could allow a remote attacker to obtain sensitive information or perform unauthorized actions due to the use of hard coded user credentials. [CVSS 6.5 MEDIUM]
Db2 Recovery Expert versions up to 5.5.0 contains a vulnerability that allows attackers to conduct various attacks against the vulnerable system, including cross-site scri (CVSS 6.5).
HPE Aruba Networking 5G Core API error handling exposes sensitive information including user accounts, roles, and system configuration to unauthenticated remote attackers. Successful exploitation enables attackers to gather intelligence on internal services and workflows, creating a foundation for further attacks targeting unauthorized access and privilege escalation. A patch is available.
HPE Aruba Networking 5G Core API error handling leaks sensitive information including user accounts, roles, and system configuration to unauthenticated remote attackers. Exposed internal service details can be leveraged to identify attack vectors for privilege escalation and unauthorized access. A patch is available.
Missing Authorization vulnerability in Paul Custom Content by Country (by Shield Security) custom-content-by-country.This issue affects Custom Content by Country (by Shield Security): from n/a through 3.1.2. [CVSS 6.5 MEDIUM]
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 through 11.5.9 and 12.1.0 through 12.1.3 could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in data query logic
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in EKA Software Computer Information Advertising Services Ltd. [CVSS 6.5 MEDIUM]
Db2 Recovery Expert versions up to 5.5.0 is affected by cross-site request forgery (csrf) (CVSS 6.5).
IBM Concert 1.0.0 through 2.1.0 for Z hub component is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. [CVSS 6.5 MEDIUM]
IBM Security QRadar EDR 3.12 through 3.12.23 does not invalidate session after a session expiration which could allow an authenticated user to impersonate another user on the system. [CVSS 6.3 MEDIUM]
Security Qradar Edr versions up to 3.12.23 is affected by insufficient session expiration (CVSS 6.3).
IBM DB2 Recovery Expert for LUW 5.5 Interim Fix 002 does not invalidate session after a timeout which could allow an authenticated user to impersonate another user on the system. [CVSS 6.3 MEDIUM]
Path traversal in Blossom up to version 1.17.1 file upload functionality allows authenticated remote attackers to access arbitrary files on affected systems. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early notification.
IBM Financial Transaction Manager for ACH Services and Check Services for Multi-Platform 3.0.0.0 versions up to 3.0.5.4 is affected by cross-site scripting (xss) (CVSS 6.1).
IBM Concert 1.0.0 through 2.1.0 for Z hub framework is vulnerable to cross-site scripting. [CVSS 6.1 MEDIUM]
The Beetel 777VR1 router's SSH/Telnet service contains insecure default initialization that allows local network attackers to achieve partial compromise of confidentiality, integrity, and availability. Public exploit code exists for this vulnerability, and the vendor has not released patches despite early notification. Affected devices running firmware version 01.00.09 and earlier require isolation from untrusted local networks until a security update becomes available.
from 3.0.0 to 3.3.1 versions up to 3.5.0. is affected by missing authentication for critical function (CVSS 6.1).
A vulnerability was detected in Blossom up to 1.17.1. This vulnerability affects the function content of the file blossom-backend/backend/src/main/java/com/blossom/backend/server/article/draft/ArticleController.java of the component Article Title Handler. [CVSS 3.5 LOW]
Concert versions up to 2.1.0 contains a vulnerability that allows attackers to obtain sensitive information using man in the middle techniques due to improper (CVSS 5.9).
IBM Security QRadar EDR 3.12 through 3.12.23 IBM Security ReaQta uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. [CVSS 5.9 MEDIUM]
Concert versions up to 2.1.0 is affected by use of a broken or risky cryptographic algorithm (CVSS 5.9).
Db2 Recovery Expert versions up to 5.5.0 is affected by cleartext transmission of sensitive information (CVSS 5.9).
A weakness has been identified in jishi node-sonos-http-ap versions up to 3776 is affected by command injection (CVSS 7.3).
SQL injection in Sciyon Koyuan Thermoelectricity Heat Network Management System 3.0 via the PGUID parameter in AsyncTreeProxy.aspx allows unauthenticated remote attackers to read, modify, and delete database contents. Public exploit code exists for this vulnerability and no patch is currently available from the vendor.
SQL injection in Huace Monitoring and Early Warning System 2.2 via the ID parameter in /Web/SysManage/ProjectRole.aspx allows unauthenticated remote attackers to manipulate database queries. Public exploit code exists for this vulnerability, and the vendor has not provided a patch or response. An attacker can exploit this to read, modify, or delete sensitive data from the affected system.
Db2 Merge Backup versions up to 12.1.0.0 contains a vulnerability that allows attackers to access sensitive information in memory due to the buffer not properly clearing r (CVSS 5.5).
IBM webMethods Integration Server 12.0 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. [CVSS 5.4 MEDIUM]
Stored cross-site scripting in Dell Unisphere for PowerMax 9.2.4.x allows authenticated remote attackers to inject malicious scripts that execute in users' browsers, potentially enabling session hijacking or credential theft. The vulnerability requires user interaction and carries a medium severity rating with no patch currently available.
Cross-site scripting in Dell Unisphere for PowerMax vApp 9.2.4.x enables authenticated remote attackers to inject malicious scripts that execute in victim browsers, potentially compromising session tokens or stealing sensitive information. The vulnerability requires user interaction and low-level privileges, but no patch is currently available to address it.
IBM Concert 1.0.0 through 2.1.0 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. [CVSS 5.4 MEDIUM]
Unauthenticated attackers can upload arbitrary image files to WordPress sites running EventPrime plugin versions up to 4.2.8.4 through an unprotected AJAX endpoint that lacks proper authentication checks. This vulnerability allows unauthorized file uploads to the media library, potentially enabling further attacks such as stored XSS or malicious file distribution. No patch is currently available.
IBM Cloud Pak System 2.3.3.6, 2.3.3.7, 2.3.4.0, 2.3.4.1, and 2.3.5.0 could disclose folder location information to an unauthenticated attacker that could aid in further attacks against the system. [CVSS 5.3 MEDIUM]
IBM DB2 Recovery Expert for LUW 5.5 Interim Fix 002 discloses sensitive information in an environment variable that could aid in further attacks against the system. [CVSS 5.3 MEDIUM]
Db2 versions up to 12.1.3 contains a vulnerability that allows attackers to an authenticated user to obtain sensitive information under specific HADR config (CVSS 5.3).
Sterling B2B Integrator versions up to 6.1.2.7 is affected by error message information leak (CVSS 4.9).
Dell Avamar, versions prior to 19.12 with patch 338905, contains an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in the Security. [CVSS 4.7 MEDIUM]
IBM WebSphere Application Server 9.0, and 8.5 could provide weaker than expected security during system administration of security settings. [CVSS 4.4 MEDIUM]
Stored XSS in Forminator Forms plugin for WordPress (versions up to 1.50.2) allows authenticated administrators and delegated form managers to inject malicious scripts through the form_name parameter due to inadequate input sanitization. When users access pages containing injected forms, the scripts execute in their browsers, potentially compromising site security and user data. No patch is currently available.
IBM Cloud Pak System 2.3.3.6, 2.3.3.7, 2.3.4.0, 2.3.4.1, and 2.3.5.0 could allow an authenticated user to perform unauthorized tasks due to improper access controls. [CVSS 4.3 MEDIUM]
Page Builder Toolkit for Gutenberg Editor versions up to 3.5.32. is affected by missing authorization (CVSS 4.3).
IBM MQ Operator (SC2 v3.2.0-3.8.1, LTS v2.0.0-2.0.29) and IBM‑supplied MQ Advanced container images (across affected SC2, CD, and LTS 9.3.x-9.4.x releases) contain a vulnerability where log messages are not properly neutralized before being written to log files. [CVSS 4.0 MEDIUM]
Watsonx.Data versions up to 2.2.1 is affected by unrestricted upload of file with dangerous type (CVSS 3.8).
Improper Input Validation vulnerability in Apache Tomcat. Tomcat did not limit HTTP/0.9 requests to the GET method. [CVSS 3.7 LOW]
Edge Chromium contains a vulnerability that allows attackers to disclosure of stored autofill data such as addresses, email, or phone number met (CVSS 3.1).
SQL injection vulnerability (SQLi) in Clicldeu SaaS, specifically in the generation of reports, which occurs when a previously authenticated remote attacker executes a malicious payload in the URL generated after downloading the student's report card in the ‘Day-to-day’ section from the mobile application.
Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-site Scripting vulnerability in a user interface component. Requires an administrative user and given extensive access rights, impact to Confidentiality and Integrity are low.