IBM i vulnerabilities

61 known vulnerabilities affecting ibm/i.

Total CVEs: 61
CISA KEV: 0
Public exploits: 2
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 31, MEDIUM 25, LOW 3

Vulnerabilities

Page 3 of 4
CVE-2023-30990 | CRITICAL | CVSS 9.8 | v7.2, v7.3, +3 more | 2023-07-04
[CWE-94] IBM i 7.2, 7.3, 7.4, and 7.5 could allow a remote attacker to execute CL commands as QUSER, caused by an exploitation of DDM architecture. IBM X-Force ID: 254036.
Sources: cvelistv5, nvd
CVE-2023-23470 | HIGH | CVSS 7.2 | v7.2, v7.3, +3 more | 2023-05-04
[CWE-89] IBM i 7.2, 7.3, 7.4, and 7.5 could allow an authenticated privileged administrator to gain elevated privileges in non-default configurations, as a result of improper SQL processing. By using a specially crafted SQL operation, the administrator could exploit the vulnerability to perform additional administrator operations. IBM X-Force ID: 244510.
Sources: cvelistv5, nvd
CVE-2022-43860 | MEDIUM | CVSS 4.3 | v7.3, v7.4, +1 more | 2022-12-24
[CWE-89] IBM Navigator for i 7.3, 7.4, and 7.5 could allow an authenticated user to obtain sensitive information they are authorized to but not while using this interface. By performing an SQL injection an attacker could see user profile attributes through this interface. IBM X-Force ID: 239305.
Sources: nvd
CVE-2022-43859 | MEDIUM | CVSS 4.3 | v7.3, v7.4, +1 more | 2022-12-22
[CWE-89] IBM Navigator for i 7.3, 7.4, and 7.5 could allow an authenticated user to obtain sensitive information for an object they are authorized to but not while using this interface. By performing a UNION based SQL injection an attacker could see file permissions through this interface. IBM X-Force ID: 239304.
Sources: nvd
CVE-2022-43858 | MEDIUM | CVSS 4.3 | v7.3, v7.4, +1 more | 2022-12-22
[CWE-22] IBM Navigator for i 7.3, 7.4, and 7.5 could allow an authenticated user to access the file system and download files they are authorized to but not while using this interface. The remote authenticated user can bypass the interface checks by modifying a parameter thereby gaining access to their files through this interface. IBM X-Force ID: 239303.
Sources: nvd
CVE-2022-43857 | MEDIUM | CVSS 4.3 | v7.3, v7.4, +1 more | 2022-12-22
[CWE-22] IBM Navigator for i 7.3, 7.4 and 7.5 could allow an authenticated user to access IBM Navigator for i log files they are authorized to but not while using this interface. The remote authenticated user can bypass the interface checks and download log files by modifying servlet filter. IBM X-Force ID: 239301.
Sources: nvd
CVE-2022-40746 | MEDIUM | CVSS 6.7 | ≥ 1.1.2, < 1.1.4; ≥ 1.1.4.3, < 1.1.9.0 | 2022-11-21
[CWE-77] IBM i Access Family 1.1.2 through 1.1.4 and 1.1.4.3 through 1.1.9.0 could allow a local authenticated attacker to execute arbitrary code on the system, caused by DLL search order hijacking vulnerability. By placing a specially crafted file in a compromised folder, an attacker could exploit this vulnerability to execute arbitrary code on the system. I
Sources: cvelistv5, nvd
CVE-2022-34358 | MEDIUM | CVSS 5.4 | v7.2, v7.3, +2 more | 2022-07-13
[CWE-79] IBM i 7.2, 7.3, 7.4, and 7.5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 230516.
Sources: cvelistv5, nvd
CVE-2022-22495 | HIGH | CVSS 8.8 | v7.3, v7.4, +1 more | 2022-05-24
[CWE-89] IBM i 7.3, 7.4, and 7.5 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 226941.
Sources: cvelistv5, nvd
CVE-2022-22481 | MEDIUM | CVSS 5.3 | v7.2, v7.3, +1 more | 2022-05-09
IBM Navigator for i 7.2, 7.3, and 7.4 (heritage version) could allow a remote attacker to obtain access to the web interface without valid credentials. By modifying the sign on request, an attacker can gain visibility to the fully qualified domain name of the target system and the navigator tasks page, however they do not gain the ability to perform those t
Sources: cvelistv5, nvd
CVE-2021-39056 | MEDIUM | CVSS 6.5 | v7.1, v7.2, +2 more | 2022-01-13
The IBM i 7.1, 7.2, 7.3, and 7.4 Extended Dynamic Remote SQL server (EDRSQL) could allow a remote authenticated user to send a specially crafted request and cause a denial of service. IBM X-Force ID: 214537.
Sources: cvelistv5, nvd
CVE-2021-38876 | MEDIUM | CVSS 6.1 | v7.2, v7.3, +1 more | 2021-12-30
[CWE-79] IBM i 7.2, 7.3, and 7.4 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 208404.
Sources: cvelistv5, nvd
CVE-2021-3820 | HIGH | ≥ 0, < 0.3.7 | 2021-09-29
[CWE-1333] inflect vulnerable to Inefficient Regular Expression Complexity. inflect is customizable inflections for nodejs. inflect is vulnerable to Inefficient Regular Expression Complexity
Sources: ghsa, osv
CVE-2021-20501 | HIGH | CVSS 8.2 | v7.1, v7.2, +2 more | 2021-04-21
IBM i 7.1, 7.2, 7.3, and 7.4 SMTP allows a network attacker to send emails to non-existent local-domain recipients to the SMTP server, caused by using a non-default configuration. An attacker could exploit this vulnerability to consume unnecessary network bandwidth and disk space, and allow remote attackers to send spam email. IBM X-Force ID: 198056.
Sources: cvelistv5, nvd
CVE-2020-4345 | LOW | CVSS 3.3 | v7.2, v7.3, +1 more | 2020-05-17
[CWE-89] IBM i 7.2, 7.3, and 7.4 users running complex SQL statements under a specific set of circumstances may allow a local user to obtain sensitive information that they should not have access to. IBM X-Force ID: 178318.
Sources: cvelistv5, nvd
CVE-2019-4450 | MEDIUM | CVSS 6.1 | v7.2, v7.3, +1 more | 2019-11-09
[CWE-79] IBM i 7.2, 7.3, and 7.4 for i is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 163492.
Sources: cvelistv5, nvd
CVE-2019-4536 | MEDIUM | CVSS 6.3 | v7.4 | 2019-08-29
[CWE-269] IBM i 7.4 users who have done a Restore User Profile (RSTUSRPRF) on a system which has been configured with Db2 Mirror for i might have user profiles with elevated privileges caused by incorrect processing during a restore of multiple user profiles. A user with restore privileges could exploit this vulnerability to obtain elevated privileges on the re
Sources: cvelistv5, nvd
CVE-2019-4381 | MEDIUM | CVSS 5.5 | v7.2, v7.3, +1 more | 2019-06-14
[CWE-255] IBM i 7.27.3 Clustering could allow a local attacker to obtain sensitive information, caused by the use of advanced node failure detection using the REST API to interface with the HMC. An attacker could exploit this vulnerability to obtain HMC credentials. IBM X-Force ID: 162159.
Sources: cvelistv5, nvd
CVE-2019-4040 | MEDIUM | CVSS 6.1 | v7.2, v7.3 | 2019-01-31
[CWE-79] IBM i 7.2 and 7.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 156164.
Sources: cvelistv5, nvd
CVE-2017-1460 | HIGH | CVSS 7.5 | v6.1, v7.1, +2 more | 2017-07-31
[CWE-20] IBM i OSPF 6.1, 7.1, 7.2, and 7.3 is vulnerable when a rogue router spoofs its origin. Routing tables are affected by a missing LSA, which may lead to loss of connectivity. IBM X-Force ID: 128379.
Sources: cvelistv5, nvd