IBM Cognos Analytics vulnerabilities

102 known vulnerabilities affecting ibm/cognos_analytics.

Total CVEs: 102
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 6, HIGH 22, MEDIUM 72, LOW 2

Vulnerabilities

Page 4 of 6
CVE-2020-4561 | CRITICAL | CVSS 10.0 | v11.0.0, v11.1.0, +2 more | 2021-06-01
CWE-829: IBM Cognos Analytics 11.0 and 11.1 DQM API allows submitting of all control requests in unauthenticated sessions. This allows a remote attacker who can access a valid CA endpoint to read and write files to the Cognos Analytics system. IBM X-Force ID: 183903.
cvelistv5, nvd
CVE-2019-4723 | HIGH | CVSS 7.5 | v11.0.0, v11.1.0, +2 more | 2021-06-01
CWE-522: IBM Cognos Analytics 11.0 and 11.1 could allow a remote attacker to obtain credentials from a user's browser via incorrect autocomplete settings in New Data Server Connection page. IBM X-Force ID: 172129.
cvelistv5, nvd
CVE-2019-4724 | HIGH | CVSS 7.5 | v11.0.0, v11.1.0, +2 more | 2021-06-01
CWE-522: IBM Cognos Analytics 11.0 and 11.1 could allow a remote attacker to obtain credentials from a user's browser via incorrect autocomplete settings in New Content Backup page. IBM X-Force ID: 172130.
cvelistv5, nvd
CVE-2020-4300 | HIGH | CVSS 8.2 | v11.0.0, v11.1.0, +2 more | 2021-06-01
CWE-611: IBM Cognos Analytics 11.0 and 11.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 176607.
cvelistv5, nvd
CVE-2020-4520 | HIGH | CVSS 8.8 | v11.0.0, v11.1.0, +2 more | 2021-06-01
CWE-79: IBM Cognos Analytics 11.0 and 11.1 could allow a remote attacker to inject malicious HTML code that when viewed by the authenticated victim would execute the code. IBM X-Force ID: 182395.
cvelistv5, nvd
CVE-2019-4730 | HIGH | CVSS 7.1 | v11.0.0, v11.1.0, +2 more | 2021-06-01
CWE-611: IBM Cognos Analytics 11.0 and 11.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 172533.
cvelistv5, nvd
CVE-2019-4471 | MEDIUM | CVSS 6.5 | v11.0.0, v11.1.0, +2 more | 2021-06-01
CWE-311: IBM Cognos Analytics 11.0 and 11.1 could allow a remote attacker to obtain sensitive information, caused by the failure to set the secure flag for a sensitive cookie in an HTTPS session. A remote attacker could exploit this vulnerability to obtain sensitive information. IBM X-Force ID: 163780.
cvelistv5, nvd
CVE-2019-4653 | MEDIUM | CVSS 5.4 | v11.0.0, v11.1.0, +2 more | 2021-06-01
CWE-79: IBM Cognos Analytics 11.0 and 11.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 170964.
cvelistv5, nvd
CVE-2019-4722 | MEDIUM | CVSS 4.3 | v11.0.0, v11.1.0, +2 more | 2021-06-01
CWE-755: IBM Cognos Analytics 11.0 and 11.1 could allow a remote attacker to obtain sensitive information via a stack trace due to mishandling of certain error conditions. IBM X-Force ID: 172128.
cvelistv5, nvd
CVE-2020-4354 | MEDIUM | CVSS 5.4 | v11.0.0, v11.1.0, +2 more | 2021-06-01
CWE-79: IBM Cognos Analytics 11.0 and 11.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 178506.
cvelistv5, nvd
CVE-2020-4388 | HIGH | CVSS 8.2 | ≥ 11.0.0, < 11.0.13; ≥ 11.1.0, ≤ 11.1.7; +3 more | 2020-10-12
CWE-755: IBM Cognos Analytics 11.0 and 11.1 could be vulnerable to a denial of service attack by failing to catch exceptions in a servlet, also exposing debug information that could be used in future attacks. IBM X-Force ID: 179270.
cvelistv5, nvd
CVE-2020-4302 | HIGH | CVSS 7.8 | ≥ 11.0.0, < 11.0.13; ≥ 11.1.0, ≤ 11.1.7; +3 more | 2020-10-12
CWE-1236: IBM Cognos Analytics 11.0 and 11.1 could allow a remote attacker to execute arbitrary code on the system, caused by a CSV injection. By persuading a victim to open a specially crafted Excel file, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 176610.
cvelistv5, nvd
CVE-2020-4377 | CRITICAL | CVSS 9.1 | v11.0.0, v11.1.0, +2 more | 2020-08-03
CWE-611: IBM Cognos Analytics 11.0 and 11.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 179156.
cvelistv5, nvd
CVE-2019-4366 | MEDIUM | CVSS 5.3 | v11.0.0, v11.1.0, +2 more | 2020-08-03
IBM Cognos Analytics 11.0 and 11.1 is susceptible to an information disclosure vulnerability where an attacker could gain access to cached browser data. IBM X-Force ID: 161748.
cvelistv5, nvd
CVE-2019-4589 | MEDIUM | CVSS 4.3 | v11.0.0, v11.1.0, +2 more | 2020-08-03
CWE-269: IBM Cognos Analytics 11.0 and 11.1 is vulnerable to privilege escalation where the "My schedules and subscriptions" page is visible and accessible to a less privileged user. IBM X-Force ID: 167449.
cvelistv5, nvd
CVE-2019-4729 | MEDIUM | CVSS 4.3 | ≥ 11.0.0.0, < 11.0.13; ≥ 11.1.0, < 11.1.6; +2 more | 2020-04-27
CWE-209: IBM Cognos Analytics 11.0 and 11.1 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 172519.
cvelistv5, nvd
CVE-2019-4343 | MEDIUM | CVSS 6.5 | v11.0.0, v11.1.0, +2 more | 2019-12-30
CWE-863: IBM Cognos Analytics 11.0 and 11.1 allows overly permissive cross-origin resource sharing which could allow an attacker to transfer private information. An attacker could exploit this vulnerability to access content that should be restricted. IBM X-Force ID: 161422.
cvelistv5, nvd
CVE-2019-4623 | MEDIUM | CVSS 5.4 | v11.0.0, v11.1.0, +2 more | 2019-12-30
CWE-79: IBM Cognos Analytics 11.0 and 11.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 168924.
cvelistv5, nvd
CVE-2019-4555 | MEDIUM | CVSS 5.4 | ≥ 11.0.0, ≤ 11.0.12; ≥ 11.1.0, < 11.1.4; +3 more | 2019-12-20
CWE-79: IBM Cognos Analytics 11.0 and 11.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 166204.
cvelistv5, nvd
CVE-2019-4231 | MEDIUM | CVSS 4.3 | ≥ 11.0.0, ≤ 11.0.12; ≥ 11.1.0, < 11.1.4.0; +3 more | 2019-12-20
CWE-352: IBM Cognos Analytics 11.0 and 11.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 159356.
cvelistv5, nvd