The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of IBM API Connect

computer vulnerability 29635

Drupal Advanced Forum: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Drupal Advanced Forum, in order to run JavaScript code in the context of the web site.
Impacted products: Drupal Modules ~ not comprehensive, IBM API Connect.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 27/06/2019.
Identifiers: DRUPAL-SA-CONTRIB-2019-054, ibm10960880, VIGILANCE-VUL-29635.

Description of the vulnerability

The Advanced Forum module can be installed on Drupal.

However, it does not filter received data before inserting it into the generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of Drupal Advanced Forum, in order to run JavaScript code in the context of the web site.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability announce CVE-2018-1858

IBM API Connect: Cross Site Request Forgery

Synthesis of the vulnerability

An attacker can trigger a Cross Site Request Forgery of IBM API Connect, in order to force the victim to perform operations.
Impacted products: IBM API Connect.
Severity: 2/4.
Consequences: user access/rights.
Provenance: internet client.
Creation date: 26/06/2019.
Identifiers: CVE-2018-1858, ibm10794169, VIGILANCE-VUL-29627.

Description of the vulnerability

The IBM API Connect product offers a web service.

However, the origin of requests is not checked: a request can, for example, be triggered by an image element embedded in an HTML document served by another site.

An attacker can therefore trigger a Cross Site Request Forgery of IBM API Connect, in order to force the victim to perform operations.

computer vulnerability note CVE-2019-11246

Kubernetes: directory traversal via kubectl cp

Synthesis of the vulnerability

An attacker can traverse directories via kubectl cp of Kubernetes, in order to read a file outside the service root path.
Impacted products: Fedora, IBM API Connect, Kubernetes.
Severity: 2/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 21/06/2019.
Identifiers: CVE-2019-11246, FEDORA-2019-2b8ef08c95, ibm10960606, VIGILANCE-VUL-29589.

Description of the vulnerability

An attacker can traverse directories via kubectl cp of Kubernetes, in order to read a file outside the service root path.

computer vulnerability note CVE-2019-4382

IBM API Connect: information disclosure via LoopBack

Synthesis of the vulnerability

An attacker can bypass access restrictions to data via LoopBack of IBM API Connect, in order to obtain sensitive information.
Impacted products: IBM API Connect.
Severity: 2/4.
Consequences: data reading.
Provenance: document.
Creation date: 17/06/2019.
Identifiers: CVE-2019-4382, ibm10886747, VIGILANCE-VUL-29539.

Description of the vulnerability

An attacker can bypass access restrictions to data via LoopBack of IBM API Connect, in order to obtain sensitive information.

computer vulnerability bulletin CVE-2018-2011

IBM API Connect: information disclosure via HTTP Request

Synthesis of the vulnerability

An attacker can bypass access restrictions to data via HTTP Request of IBM API Connect, in order to obtain sensitive information.
Impacted products: IBM API Connect.
Severity: 2/4.
Consequences: data reading.
Provenance: intranet client.
Creation date: 13/06/2019.
Identifiers: CVE-2018-2011, ibm10882932, VIGILANCE-VUL-29528.

Description of the vulnerability

An attacker can bypass access restrictions to data via HTTP Request of IBM API Connect, in order to obtain sensitive information.

computer vulnerability announce CVE-2018-2013

IBM API Connect: information disclosure

Synthesis of the vulnerability

An attacker can bypass access restrictions to data of IBM API Connect, in order to obtain sensitive information.
Impacted products: IBM API Connect.
Severity: 2/4.
Consequences: data reading.
Provenance: intranet client.
Creation date: 13/06/2019.
Identifiers: CVE-2018-2013, ibm10882924, VIGILANCE-VUL-29527.

Description of the vulnerability

An attacker can bypass access restrictions to data of IBM API Connect, in order to obtain sensitive information.

vulnerability alert CVE-2019-4256

IBM API Connect: weak encryption

Synthesis of the vulnerability

An attacker can act as a Man-in-the-Middle on IBM API Connect, in order to read or write data in the session.
Impacted products: IBM API Connect.
Severity: 2/4.
Consequences: data reading, data creation/editing.
Provenance: internet server.
Creation date: 23/05/2019.
Identifiers: CVE-2019-4256, ibm10882968, VIGILANCE-VUL-29391.

Description of the vulnerability

An attacker can act as a Man-in-the-Middle on IBM API Connect, in order to read or write data in the session.

computer vulnerability bulletin CVE-2018-1991

IBM API Connect: information disclosure

Synthesis of the vulnerability

An attacker can bypass access restrictions to data of IBM API Connect, in order to obtain sensitive information.
Impacted products: IBM API Connect.
Severity: 1/4.
Consequences: data reading.
Provenance: user account.
Creation date: 20/05/2019.
Identifiers: CVE-2018-1991, ibm10871970, VIGILANCE-VUL-29358.

Description of the vulnerability

An attacker can bypass access restrictions to data of IBM API Connect, in order to obtain sensitive information.

computer vulnerability bulletin CVE-2016-10531

Node.js marked: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Node.js marked, in order to run JavaScript code in the context of the web site.
Impacted products: IBM API Connect, Nodejs Modules ~ not comprehensive.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 30/04/2019.
Identifiers: CVE-2016-10531, ibm10882578, ibm10882596, ibm10882756, ibm10882762, ibm10882952, ibm10882956, ibm10885478, VIGILANCE-VUL-29158.

Description of the vulnerability

An attacker can trigger a Cross Site Scripting of Node.js marked, in order to run JavaScript code in the context of the web site.

computer vulnerability announce CVE-2018-3721

Node.js lodash: privilege escalation

Synthesis of the vulnerability

An attacker can bypass restrictions of Node.js lodash, in order to escalate their privileges.
Impacted products: IBM API Connect, Nodejs Modules ~ not comprehensive.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: document.
Creation date: 30/04/2019.
Identifiers: CVE-2018-3721, ibm10882578, ibm10882596, ibm10882756, ibm10882762, ibm10882952, ibm10882956, ibm10885478, VIGILANCE-VUL-29157.

Description of the vulnerability

An attacker can bypass restrictions of Node.js lodash, in order to escalate their privileges.