dsmtca in the client in IBM Tivoli Storage Manager (TSM) 6.3 before 22.214.171.124, 6.4 before 126.96.36.199, and 7.1 before 188.8.131.52 does not properly restrict shared-library loading, which allows local users to gain privileges via a crafted DSO file.
Directory traversal vulnerability in IBM Optim Performance Manager for DB2 184.108.40.206 through 4.1.1 on Linux, UNIX, and Windows and IBM InfoSphere Optim Performance Manager for DB2 5.1 through 5.3.1 on Linux, UNIX, and Windows allows remote attackers to access arbitrary files via a .. (dot dot) in a URL.
The Search REST API in IBM Business Process Manager 220.127.116.11, 18.104.22.168, and 22.214.171.124 allows remote authenticated users to bypass intended access restrictions and perform task-instance and process-instance searches by specifying a false value for the filterByCurrentUser parameter.
Cross-site scripting (XSS) vulnerability in the Relay Diagnostic page in IBM Tivoli Endpoint Manager 9.1 before 9.1.1229 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Cross-site scripting (XSS) vulnerability in the Web Reports component in IBM Tivoli Endpoint Manager 9.1 before 9.1.1229 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
IBM Maximo Asset Management 7.1 through 126.96.36.199 and 7.5.0 before 188.8.131.52 IFIX008, Maximo Asset Management 7.5.0 through 184.108.40.206 and 7.5.1 through 220.127.116.11 for SmartCloud Control Desk, and Maximo Asset Management 7.1 through 18.104.22.168 and 7.2 for Tivoli IT Asset Management for IT and certain other products do not properly handle logout actions, which allows remote attackers to bypass intended Cognos BI Direct Integration access restrictions by leveraging an unattended workstation.
Race condition in the client in IBM Tivoli Storage Manager (TSM) 22.214.171.124 through 126.96.36.199, 188.8.131.52 through 184.108.40.206, 220.127.116.11 through 18.104.22.168, 6.2 before 22.214.171.124, 6.3 before 126.96.36.199, 6.4 before 188.8.131.52, and 7.1 before 7.1.1 on UNIX and Linux allows local users to obtain root privileges via unspecified vectors.
Curam Universal Access in IBM Curam Social Program Management 5.2 before SP6 EP6, 6.0 SP2 before EP26, 184.108.40.206 before iFix007, 220.127.116.11 before iFix005, and 18.104.22.168 before iFix003, when SPI inclusion is enabled, allows remote attackers to obtain sensitive user data by visiting an unspecified page.
CRLF injection vulnerability in the Universal Access implementation in IBM Curam Social Program Management 6.0 SP2 before EP26, 6.0.4 before 22.214.171.124 iFix007, and 6.0.5 before 126.96.36.199 iFix003, when WebSphere Application Server is not used, allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via an unspecified parameter.
The alert module in IBM InfoSphere BigInsights 2.1.2 and 3.x before 188.8.131.52 allows remote attackers to obtain sensitive Alert management-services API information via a network-tracing attack.