The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of I-Connect

vulnerability alert CVE-2019-4052

IBM API Connect: information disclosure via Login Ids

Synthesis of the vulnerability

An attacker can bypass access restrictions on data via the Login Ids feature of IBM API Connect, in order to obtain sensitive information.
Impacted products: IBM API Connect, I-Connect.
Severity: 2/4.
Consequences: data reading.
Provenance: document.
Creation date: 21/03/2019.
Identifiers: CVE-2019-4052, ibm10874248, VIGILANCE-VUL-28791.

Description of the vulnerability

An attacker can bypass access restrictions on data via the Login Ids feature of IBM API Connect, in order to obtain sensitive information.

computer vulnerability alert CVE-2019-6341

Drupal Core: Cross Site Scripting via File Module/Subsystem

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting attack via the File module/subsystem of Drupal Core, in order to run JavaScript code in the context of the web site.
Impacted products: Debian, Drupal Core, Fedora, IBM API Connect, I-Connect, Synology DSM.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 20/03/2019.
Identifiers: CVE-2019-6341, DLA-1746-1, DRUPAL-SA-CORE-2019-004, DSA-4412-1, FEDORA-2019-2fbce03df3, FEDORA-2019-35589cfcb5, ibm10879443, Synology-SA-19:13, VIGILANCE-VUL-28786, ZDI-19-291.

Description of the vulnerability

The Core module can be installed on Drupal.

However, it does not filter data received via the File module/subsystem before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting attack via the File module/subsystem of Drupal Core, in order to run JavaScript code in the context of the web site.

computer vulnerability announcement CVE-2018-2009

IBM API Connect: information disclosure via Consumer API

Synthesis of the vulnerability

An attacker can bypass access restrictions on data via the Consumer API of IBM API Connect, in order to obtain sensitive information.
Impacted products: IBM API Connect, I-Connect.
Severity: 2/4.
Consequences: data reading.
Provenance: user account.
Creation date: 12/03/2019.
Identifiers: CVE-2018-2009, ibm10794327, VIGILANCE-VUL-28717.

Description of the vulnerability

An attacker can bypass access restrictions on data via the Consumer API of IBM API Connect, in order to obtain sensitive information.

vulnerability bulletin 28683

Drupal EU Cookie Compliance: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting attack in Drupal EU Cookie Compliance, in order to run JavaScript code in the context of the web site.
Impacted products: Drupal Modules ~ not comprehensive, IBM API Connect, I-Connect.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 07/03/2019.
Identifiers: DRUPAL-SA-CONTRIB-2019-033, ibm10878775, VIGILANCE-VUL-28683.

Description of the vulnerability

The EU Cookie Compliance module can be installed on Drupal.

However, it does not filter received data before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting attack in Drupal EU Cookie Compliance, in order to run JavaScript code in the context of the web site.

vulnerability CVE-2019-1002100

Kubernetes: infinite loop via API Server json-patch

Synthesis of the vulnerability

An attacker can trigger an infinite loop in the json-patch handling of the Kubernetes API Server, in order to trigger a denial of service.
Impacted products: IBM API Connect, I-Connect, Kubernetes.
Severity: 2/4.
Consequences: denial of service on service, denial of service on client.
Provenance: document.
Creation date: 04/03/2019.
Identifiers: CVE-2019-1002100, ibm10879473, VIGILANCE-VUL-28640.

Description of the vulnerability

An attacker can trigger an infinite loop in the json-patch handling of the Kubernetes API Server, in order to trigger a denial of service.

computer vulnerability CVE-2014-0963

IBM GSKit: infinite loop of SSL

Synthesis of the vulnerability

An attacker can send malicious SSL/TLS messages to applications using IBM GSKit, in order to trigger a denial of service.
Impacted products: DB2 UDB, Domino, I-Connect, Informix Server, Notes, Security Directory Server, SPSS Modeler, Tivoli Storage Manager, Tivoli Workload Scheduler.
Severity: 3/4.
Consequences: denial of service on service, denial of service on client.
Provenance: internet client.
Creation date: 20/05/2014.
Identifiers: 1610582, 1671732, 1672724, 1673008, 1673018, 1673666, 1673696, 1674047, 1674824, 1674825, 1681114, 7042179, CVE-2014-0963, VIGILANCE-VUL-14775.

Description of the vulnerability

The IBM Global Security Kit (GSKit) suite implements SSL/TLS support for several IBM applications.

However, some crafted SSL messages send GSKit into an infinite loop.

An attacker can therefore send malicious SSL/TLS messages to applications using IBM GSKit, in order to trigger a denial of service.