The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of IBM API Connect

computer vulnerability alert CVE-2019-6341

Drupal Core: Cross Site Scripting via File Module/Subsystem

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via File Module/Subsystem of Drupal Core, in order to run JavaScript code in the context of the web site.
Impacted products: Debian, Drupal Core, Fedora, IBM API Connect, I-Connect, Synology DSM.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 20/03/2019.
Identifiers: CVE-2019-6341, DLA-1746-1, DRUPAL-SA-CORE-2019-004, DSA-4412-1, FEDORA-2019-2fbce03df3, FEDORA-2019-35589cfcb5, ibm10879443, Synology-SA-19:13, VIGILANCE-VUL-28786, ZDI-19-291.

Description of the vulnerability

The Core module can be installed on Drupal.

However, it does not filter received data via File Module/Subsystem before inserting them in generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting via File Module/Subsystem of Drupal Core, in order to run JavaScript code in the context of the web site.

computer vulnerability announcement CVE-2018-2009

IBM API Connect: information disclosure via Consumer API

Synthesis of the vulnerability

An attacker can bypass access restrictions to data via Consumer API of IBM API Connect, in order to obtain sensitive information.
Impacted products: IBM API Connect, I-Connect.
Severity: 2/4.
Consequences: data reading.
Provenance: user account.
Creation date: 12/03/2019.
Identifiers: CVE-2018-2009, ibm10794327, VIGILANCE-VUL-28717.

Description of the vulnerability

An attacker can bypass access restrictions to data via Consumer API of IBM API Connect, in order to obtain sensitive information.

vulnerability CVE-2019-8331

Pivotal Ops Manager: Cross Site Scripting via Bootstrap

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via Bootstrap of Pivotal Ops Manager, in order to run JavaScript code in the context of the web site.
Impacted products: IBM API Connect, TYPO3 Core.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 08/03/2019.
Identifiers: CVE-2019-8331, ibm10879483, TYPO3-CORE-SA-2019-009, TYPO3-CORE-SA-2019-010, TYPO3-CORE-SA-2019-011, TYPO3-CORE-SA-2019-012, TYPO3-CORE-SA-2019-013, TYPO3-PSA-2019-004, TYPO3-PSA-2019-005, TYPO3-PSA-2019-006, VIGILANCE-VUL-28700.

Description of the vulnerability

The Pivotal Ops Manager product offers a web service.

However, it does not filter received data via Bootstrap before inserting them in generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting via Bootstrap of Pivotal Ops Manager, in order to run JavaScript code in the context of the web site.

vulnerability bulletin 28683

Drupal EU Cookie Compliance: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Drupal EU Cookie Compliance, in order to run JavaScript code in the context of the web site.
Impacted products: Drupal Modules ~ not comprehensive, IBM API Connect, I-Connect.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 07/03/2019.
Identifiers: DRUPAL-SA-CONTRIB-2019-033, ibm10878775, VIGILANCE-VUL-28683.

Description of the vulnerability

The EU Cookie Compliance module can be installed on Drupal.

However, it does not filter received data before inserting them in generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of Drupal EU Cookie Compliance, in order to run JavaScript code in the context of the web site.

vulnerability CVE-2019-1002100

Kubernetes: infinite loop via API Server json-patch

Synthesis of the vulnerability

An attacker can trigger an infinite loop via API Server json-patch of Kubernetes, in order to trigger a denial of service.
Impacted products: IBM API Connect, I-Connect, Kubernetes.
Severity: 2/4.
Consequences: denial of service on service, denial of service on client.
Provenance: document.
Creation date: 04/03/2019.
Identifiers: CVE-2019-1002100, ibm10879473, VIGILANCE-VUL-28640.

Description of the vulnerability

An attacker can trigger an infinite loop via API Server json-patch of Kubernetes, in order to trigger a denial of service.

computer vulnerability alert CVE-2018-14041

Bootstrap: Cross Site Scripting via Scrollspy Data-target Property

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via Scrollspy Data-target Property of Bootstrap, in order to run JavaScript code in the context of the web site.
Impacted products: IBM API Connect.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 17/12/2018.
Identifiers: CVE-2018-14041, ibm10880955, VIGILANCE-VUL-28036.

Description of the vulnerability

An attacker can trigger a Cross Site Scripting via Scrollspy Data-target Property of Bootstrap, in order to run JavaScript code in the context of the web site.

computer vulnerability bulletin CVE-2018-14040

Bootstrap: Cross Site Scripting via Collapse

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via Collapse of Bootstrap, in order to run JavaScript code in the context of the web site.
Impacted products: Debian, IBM API Connect.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 28/08/2018.
Identifiers: CVE-2018-14040, DLA-1479-1, ibm10880955, VIGILANCE-VUL-27088.

Description of the vulnerability

The Bootstrap product offers a web service.

However, it does not filter received data via Collapse before inserting them in generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting via Collapse of Bootstrap, in order to run JavaScript code in the context of the web site.
