IBM Security Verify Access vulnerabilities

91 known vulnerabilities affecting ibm/security_verify_access.

Total CVEs: 91
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 12, HIGH 35, MEDIUM 39, LOW 5

Vulnerabilities

Page 2 of 5
CVE-2024-45657 | MEDIUM | CVSS 6.7 | Affected: ≥ 10.0.0.0, < 10.0.9.0 | 2025-02-04
[MEDIUM] CWE-732: IBM Security Verify Access Appliance and Container 10.0.0 through 10.0.8 could allow a local privileged user to perform unauthorized actions due to incorrect permissions assignment.
Source: nvd

CVE-2024-40700 | MEDIUM | CVSS 6.1 | Affected: ≥ 10.0.0.0, < 10.0.9.0 | 2025-02-04
[MEDIUM] CWE-79: IBM Security Verify Access Appliance and Container 10.0.0 through 10.0.8 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
Source: nvd

CVE-2024-45647 | CRITICAL | CVSS 9.8 | Affected: ≥ 10.0.0, ≤ 10.0.8 | 2025-01-20
[MEDIUM] CWE-620: IBM Security Verify Access 10.0.0 through 10.0.8 and IBM Security Verify Access Docker 10.0.0 through 10.0.8 could allow an unverified user to change the password of an expired user without prior knowledge of that password.
Sources: cvelistv5, nvd

CVE-2024-49805 | CRITICAL | CVSS 9.8 | Affected: ≥ 10.0.0, ≤ 10.0.8 | 2024-11-29
[CRITICAL] CWE-798: IBM Security Verify Access Appliance 10.0.0 through 10.0.8 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.
Sources: cvelistv5, nvd

CVE-2024-49806 | CRITICAL | CVSS 9.8 | Affected: ≥ 10.0.0, ≤ 10.0.8 | 2024-11-29
[CRITICAL] CWE-798: IBM Security Verify Access Appliance 10.0.0 through 10.0.8 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.
Sources: cvelistv5, nvd

CVE-2024-49803 | HIGH | CVSS 8.8 | Affected: ≥ 10.0.0, ≤ 10.0.8 | 2024-11-29
[CRITICAL] CWE-78: IBM Security Verify Access Appliance 10.0.0 through 10.0.8 could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request.
Sources: cvelistv5, nvd

CVE-2024-49804 | HIGH | CVSS 7.8 | Affected: ≥ 10.0.0, ≤ 10.0.8 | 2024-11-29
[HIGH] CWE-250: IBM Security Verify Access Appliance 10.0.0 through 10.0.8 could allow a locally authenticated non-administrative user to escalate their privileges due to unnecessary permissions used to perform certain tasks.
Sources: cvelistv5, nvd

CVE-2024-35133 | HIGH | CVSS 8.2 | PoC available | Affected: ≥ 10.0.0, ≤ 10.0.8 | 2024-08-29
[MEDIUM] CWE-601: IBM Security Verify Access 10.0.0 through 10.0.8 OIDC Provider could allow a remote authenticated attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site t
Sources: cvelistv5, nvd
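CVE-2024-35133 is classed as CWE-601 (open redirect) in the OIDC Provider. The listing does not say how the ISVA check was bypassed, so the following is a generic illustration of the weakness class, added here and not IBM's code: a loose redirect_uri check that looks for a registered hostname as a substring, beside the exact-match comparison that the OAuth 2.0 Security Best Current Practice calls for. The client registration and the attacker URLs are constructed for the example.

```python
"""CWE-601 in an OIDC redirect_uri check: substring matching versus exact match.

Added example for this page; not IBM's code and not a description of how the
ISVA OIDC Provider performs its check. Client registration and attacker URLs
are constructed for the demonstration.
"""
from urllib.parse import urlsplit

# Constructed client registration: redirect URIs a relying party registered.
REGISTERED = {
    "https://app.example.com/oidc/callback",
    "https://app.example.com/oidc/callback2",
}

# Constructed attacker-controlled redirect_uri values. Each contains the
# registered hostname somewhere in the string, which is all the loose check tests.
ATTACKER_URIS = [
    "https://app.example.com.evil.example/oidc/callback",  # registered host as a DNS label prefix
    "https://app.example.com@evil.example/oidc/callback",  # userinfo trick; the real host is evil.example
    "https://evil.example/login?next=app.example.com",     # registered host only in the query string
    "http://app.example.com/oidc/callback",                # right host, but downgraded to plaintext
]


def loose_redirect_ok(redirect_uri, registered=REGISTERED):
    """Weak check: accept the URI if any registered hostname appears in it.
    This is the kind of comparison that yields an open redirect."""
    hosts = {urlsplit(u).hostname for u in registered}
    return any(host in redirect_uri for host in hosts)


def strict_redirect_ok(redirect_uri, registered=REGISTERED):
    """Exact string comparison against the registered set, as the OAuth 2.0
    Security BCP requires. A fragment is never legitimate in a redirect_uri
    and only https is accepted, so both are rejected before the lookup."""
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or parts.fragment:
        return False
    return redirect_uri in registered


def real_host(redirect_uri):
    """The host the browser would actually be sent to (for the report below)."""
    return urlsplit(redirect_uri).hostname


def evaluate(uris):
    """Return {uri: (loose_ok, strict_ok, real_host)} for a list of candidates."""
    return {u: (loose_redirect_ok(u), strict_redirect_ok(u), real_host(u)) for u in uris}


if __name__ == "__main__":
    legit = "https://app.example.com/oidc/callback"
    for uri, (loose, strict, host) in evaluate([legit] + ATTACKER_URIS).items():
        print(f"loose={loose!s:5} strict={strict!s:5} -> {host:<25} {uri}")
```

Running the block shows every attacker URL passing the loose check while the strict check accepts only the registered string; the userinfo variant is the instructive one, since `urlsplit` reports that the browser would land on `evil.example` even though the registered host appears first in the URL.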
CVE-2022-32759 | HIGH | CVSS 7.5 | Affected: v10.0.0 | 2024-07-25
[MEDIUM] CWE-613: IBM Security Directory Integrator 7.2.0 and IBM Security Verify Directory Integrator 10.0.0 use insufficient session expiration, which could allow an unauthorized user to obtain sensitive information. IBM X-Force ID: 228565.
Note: the description names IBM Security Directory Integrator and IBM Security Verify Directory Integrator, not IBM Security Verify Access; confirm product applicability against the IBM bulletin before acting on this entry.
Source: nvd

CVE-2024-28772 | MEDIUM | CVSS 5.4 | Affected: v10.0.0 | 2024-07-25
[MEDIUM] CWE-79: IBM Security Directory Integrator 7.2.0 and IBM Security Verify Directory Integrator 10.0.0 are vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 2856
Note: as with CVE-2022-32759, the description names the Directory Integrator products, not IBM Security Verify Access.
Source: nvd

CVE-2023-30430 | MEDIUM | CVSS 5.5 | Affected: ≥ 10.0.0.0, ≤ 10.0.7.1 | 2024-06-27
[MEDIUM] CWE-532: IBM Security Verify Access 10.0.0 through 10.0.7.1 could allow a local user to obtain sensitive information from trace logs. IBM X-Force ID: 252183.
Sources: cvelistv5, nvd

CVE-2024-31883 | MEDIUM | CVSS 5.9 | Affected: ≥ 10.0.0.0, ≤ 10.0.7.1 | 2024-06-27
[MEDIUM] CWE-703: IBM Security Verify Access 10.0.0.0 through 10.0.7.1, under certain configurations, could allow an unauthenticated attacker to cause a denial of service due to asymmetric resource consumption. IBM X-Force ID: 287615.
Sources: cvelistv5, nvd

CVE-2024-31873 | HIGH | CVSS 7.5 | Affected: ≥ 10.0.0, ≤ 10.0.7 | 2024-04-10
[HIGH] CWE-798: IBM Security Verify Access Appliance 10.0.0 through 10.0.7 contains hard-coded credentials which it uses for its own inbound authentication and which could be obtained by a malicious actor. IBM X-Force ID: 287317.
Source: nvd

CVE-2024-31871 | HIGH | CVSS 8.1 | Affected: ≥ 10.0.0, ≤ 10.0.7 | 2024-04-10
[HIGH] CWE-295: IBM Security Verify Access Appliance 10.0.0 through 10.0.7 could allow a malicious actor to conduct a man-in-the-middle attack when deploying Python scripts, due to improper certificate validation. IBM X-Force ID: 287306.
Source: nvd

CVE-2024-31872 | HIGH | CVSS 8.1 | Affected: ≥ 10.0.0, ≤ 10.0.7 | 2024-04-10
[HIGH] CWE-295: IBM Security Verify Access Appliance 10.0.0 through 10.0.7 could allow a malicious actor to conduct a man-in-the-middle attack when deploying Open Source scripts, due to missing certificate validation. IBM X-Force ID: 287316.
Source: nvd

CVE-2024-31874 | MEDIUM | CVSS 5.5 | Affected: ≥ 10.0.0, ≤ 10.0.7 | 2024-04-10
[MEDIUM] CWE-457: IBM Security Verify Access Appliance 10.0.0 through 10.0.7 uses uninitialized variables when deploying, which could allow a local user to cause a denial of service. IBM X-Force ID: 287318.
Source: nvd

CVE-2024-28787 | CRITICAL | CVSS 10.0 | Affected: ≥ 10.0.0, ≤ 10.0.7 | 2024-04-04
[HIGH] CWE-650: IBM Security Verify Access 10.0.0 through 10.0.7 and IBM Application Gateway 20.01 through 24.03 could allow a remote attacker to obtain highly sensitive private information or cause a denial of service using a specially crafted HTTP request. IBM X-Force ID: 286584.
Source: nvd

CVE-2024-25027 | MEDIUM | CVSS 5.5 | Affected: v10.0.6 | 2024-03-31
[MEDIUM] CWE-311: IBM Security Verify Access 10.0.6 could disclose sensitive snapshot information due to missing encryption. IBM X-Force ID: 281607.
Source: nvd

CVE-2023-32330 | CRITICAL | CVSS 9.8 | Affected: ≥ 10.0.0.0, ≤ 10.0.6.1 | 2024-02-07
[HIGH] CWE-295: IBM Security Verify Access 10.0.0.0 through 10.0.6.1 uses insecure calls that could allow an attacker on the network to take control of the server. IBM X-Force ID: 254977.
Source: nvd

CVE-2023-32328 | CRITICAL | CVSS 9.8 | Affected: ≥ 10.0.0.0, ≤ 10.0.6.1 | 2024-02-07
[HIGH] CWE-319: IBM Security Verify Access 10.0.0.0 through 10.0.6.1 uses insecure protocols in some instances that could allow an attacker on the network to take control of the server. IBM X-Force ID: 254957.
Source: nvd
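The affected-version constraints on this page appear in three notations (a half-open range such as "≥ 10.0.0.0, < 10.0.9.0", a closed range such as "≥ 10.0.0, ≤ 10.0.8", and a single version such as "v10.0.6"), and the same release is written both as 10.0.8 and 10.0.8.0. The following is an added example, not part of the vulnerability database or of IBM's tooling, that parses those constraint strings and reports which entries cover an installed version. It assumes that a trailing ".0" does not change the release (10.0.9.0 equals 10.0.9) and uses a constructed subset of the entries above as input. Treat the output as triage input only and confirm each hit against the IBM security bulletin: the listing's own severity ratings disagree between the header and the bracketed value for several entries (CVE-2024-45647 is CRITICAL 9.8 in one place and [MEDIUM] in the other).

```python
"""Map an installed IBM Security Verify Access version to the entries above.

Added example for this page; not from the vulnerability database or from IBM.
Constraint strings are copied from the listing in the three notations it uses:
  "≥ 10.0.0.0, < 10.0.9.0"   half-open range
  "≥ 10.0.0, ≤ 10.0.8"       closed range
  "v10.0.6"                  single version
Assumption: a trailing ".0" does not change the release (10.0.9.0 == 10.0.9).
"""
import re

# Constructed subset of the entries on this page: (CVE, constraint as printed).
LISTING = [
    ("CVE-2024-45657", "≥ 10.0.0.0, < 10.0.9.0"),
    ("CVE-2024-45647", "≥ 10.0.0, ≤ 10.0.8"),
    ("CVE-2024-35133", "≥ 10.0.0, ≤ 10.0.8"),
    ("CVE-2023-30430", "≥ 10.0.0.0, ≤ 10.0.7.1"),
    ("CVE-2024-31873", "≥ 10.0.0, ≤ 10.0.7"),
    ("CVE-2024-25027", "v10.0.6"),
    ("CVE-2023-32330", "≥ 10.0.0.0, ≤ 10.0.6.1"),
]

# Comparison operators as printed on the page, plus their ASCII spellings.
OPS = {
    "≥": lambda a, b: a >= b, ">=": lambda a, b: a >= b,
    "≤": lambda a, b: a <= b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,  "<": lambda a, b: a < b,
    "=": lambda a, b: a == b,
}

CLAUSE_RE = re.compile(r"^\s*(≥|≤|>=|<=|>|<|=)?\s*v?(\d+(?:\.\d+)*)\s*$")


def parse_version(text):
    """'10.0.8.0' -> (10, 0, 8). Trailing zero components are dropped so that
    the page's '10.0.8' and '10.0.8.0' spellings compare equal; Python's
    tuple ordering then gives 10.0.7 < 10.0.7.1 < 10.0.8 as expected."""
    parts = [int(p) for p in text.strip().lstrip("v").split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def parse_constraint(text):
    """Split 'OP VER, OP VER' into [(op, version_tuple), ...].
    A bare 'v10.0.6' is treated as '= 10.0.6'."""
    clauses = []
    for clause in text.split(","):
        m = CLAUSE_RE.match(clause)
        if not m:
            raise ValueError(f"unparseable constraint clause: {clause!r}")
        clauses.append((m.group(1) or "=", parse_version(m.group(2))))
    return clauses


def is_affected(installed, constraint):
    """True when the installed version satisfies every clause of the constraint."""
    v = parse_version(installed)
    return all(OPS[op](v, bound) for op, bound in parse_constraint(constraint))


def affected_cves(installed, listing=LISTING):
    """CVE IDs from the listing whose affected range covers 'installed'."""
    return [cve for cve, constraint in listing if is_affected(installed, constraint)]


if __name__ == "__main__":
    for version in ("10.0.6", "10.0.7.1", "10.0.8.0", "10.0.9.0"):
        print(f"{version:>9}: {affected_cves(version) or 'no listed entries'}")
```

The boundary cases are the point of the exercise: 10.0.7.1 falls inside "≤ 10.0.7.1" (CVE-2023-30430) but outside "≤ 10.0.7" (CVE-2024-31873), and 10.0.9.0 is the first release clear of every range on the page, which matches the "< 10.0.9.0" upper bound the two 2025 entries use.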