DevOps Plan
HTTP header injection in IBM DevOps Plan 3.0.0 through 3.0.6 allows unauthenticated remote attackers to inject arbitrary HTTP headers by supplying a malicious Host header value that the application fails to sanitize. The vulnerability (CWE-644) can be leveraged to mount cross-site scripting attacks against users, poison intermediate caches with attacker-controlled content, or hijack authenticated sessions. No public exploit code has been identified at the time of analysis, and the issue is not listed in the CISA KEV catalog, though the low-complexity, no-authentication-required attack surface makes this a meaningful risk for any internet-facing deployment.
IBM DevOps Plan 3.0.0 through 3.0.5 allows web page cache to be stored locally which can be read by another user on the system. [CVSS 6.2 MEDIUM]
IBM DevOps Plan versions up to 3.0.5 are affected by improper restriction of excessive authentication attempts (CVSS 5.9).