Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBMD63678498B94CE4636F5CEB8FAB7C8F6F571F578E6D0EF1B23F011C3A5778E9E
HistorySep 23, 2020 - 5:03 a.m.

Security Bulletin: Multiple Vulnerabilities Have Been Identified In IBM Security Verify Privilege Vault previously known as IBM Security Secret Server

2020-09-2305:03:22
www.ibm.com
25

0.495 Medium

EPSS

Percentile

97.5%

JSON

Summary

Multiple vulnerabilities identified in IBM Security Verify Privilege Vault previously known as IBM Security Secret Server have been addressed in the release 10.9.

Vulnerability Details

CVEID:CVE-2020-4324
**DESCRIPTION:**IBM Security Secret Server could allow a remote attacker to bypass security restrictions, caused by improper input validation.
CVSS Base score: 3.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/177515 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N)

CVEID:CVE-2019-11358
**DESCRIPTION:**jQuery, as used in Drupal core, is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to execute script in a victim’s Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/159633 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID:CVE-2019-14862
**DESCRIPTION:**Knockout is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/173894 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID:CVE-2009-0385
**DESCRIPTION:**FFmpeg could allow a remote attacker to execute arbitrary code on the system, caused by an integer signedness error in the fourxm_read_header() function in libavformat/4xm.c. By persuading a victim to open a specially-crafted 4X movie file with a large current_track value, a remote attacker could exploit this vulnerability to corrupt memory, trigger a NULL pointer dereference and execute arbitrary code on the system.
CVSS Base score: 6.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/48330 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVEID:CVE-2015-9251
**DESCRIPTION:**jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/138029 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID:CVE-2018-14040
**DESCRIPTION:**Bootstrap is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the collapse data-parent attribute. A remote attacker could exploit this vulnerability to execute script in a victim’s Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/146468 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID:CVE-2018-14041
**DESCRIPTION:**Bootstrap is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the data-target property of scrollspy. A remote attacker could exploit this vulnerability to execute script in a victim’s Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/146467 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID:CVE-2018-14042
**DESCRIPTION:**Bootstrap is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the data-container property of tooltip. A remote attacker could exploit this vulnerability to execute script in a victim’s Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/146466 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID:CVE-2019-8331
**DESCRIPTION:**Bootstrap is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the tooltip or popover data-template. A remote attacker could exploit this vulnerability to execute script in a victim’s Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/157409 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID:CVE-2020-4340
**DESCRIPTION:**IBM Security Secret Server could allow an attacker to bypass SSL security due to improper certificate validation.
CVSS Base score: 3.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/178180 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N)

Affected Products and Versions

All versions of IBM Security Secret Server prior to 10.9

Remediation/Fixes

Upgrade to the latest release available here.

Workarounds and Mitigations

None

Related

hackerone 2
laminas 1
ibm 25
rubygems 1
nessus 35
jvn 1
osv 15
amazon 1
github 8
oraclelinux 3
redhat 12
atlassian 1
rocky 2
centos 1
almalinux 2
nvd 8
prion 8
debiancve 7
veracode 5
ubuntucve 7
cve 8
cvelist 8
freebsd 2
openvas 7
checkpoint_advisories 1
githubexploit 2
seebug 1
redhatcve 4
slackware 1
ics 2
f5 5
gitlab 4
cloudfoundry 1
alpinelinux 1
attackerkb 1
friendsofphp 2
typo3 2
nodejs 1
cbl_mariner 1
hackerone
hackerone
Sifchain: Vulnerable javascript dependency at Main domain
2021-05-07 20:48:11
Sifchain: Cross-site Scripting (XSS) possible at https://sifchain.finance// via CVE-2019-8331 exploitation
2021-06-05 15:52:39
laminas
laminas
XSS vectors in laminas-api-tools/api-tools
2020-04-01 21:30:00
ibm
ibm
Security Bulletin: API Connect V5 is impacted by vulnerabilities in Bootstrap (CVE-2018-14040 CVE-2018-14041 CVE-2018-14042)
2019-04-23 18:00:01
Security Bulletin: IBM Security Information Queue uses components with known vulnerabilities (CVE-2019-8331, CVE-2019-11358)
2020-04-07 16:23:23
Security Bulletin: Multiple security vulnerabilities in bootstrap.js may affect IBM Business Automation Workflow
2023-06-05 20:05:15
rubygems
rubygems
XSS vulnerabilities via data-parent, data-target, data-container in bootstrap
2018-07-02 21:00:00
nessus
nessus
Rocky Linux 8 : idm:DL1 and idm:client (RLSA-2020:4670)
2023-11-06 00:00:00
Oracle Linux 8 : idm:DL1 / and / idm:client (ELSA-2020-4670)
2023-09-07 00:00:00
NewStart CGSL CORE 5.04 / MAIN 5.04 : ipa Multiple Vulnerabilities (NS-SA-2021-0045)
2021-03-10 00:00:00
jvn
jvn
JVN#06527859: KinagaCMS vulnerable to cross-site scripting
2019-03-15 00:00:00
osv
osv
Bootstrap Cross-site Scripting vulnerability
2018-09-13 15:49:56
Bootstrap Cross-site Scripting vulnerability
2018-09-13 15:50:32
Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update
2020-11-03 12:25:36
amazon
amazon
Medium: ipa
2020-10-22 17:40:00
github
github
Bootstrap Cross-site Scripting vulnerability
2018-09-13 15:50:32
Bootstrap Cross-site Scripting vulnerability
2018-09-13 15:49:56
XSS in knockout
2020-04-01 15:47:45
oraclelinux
oraclelinux
idm:DL1 and idm:client security, bug fix, and enhancement update
2020-11-10 00:00:00
ipa security, bug fix, and enhancement update
2020-10-06 00:00:00
pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update
2020-11-10 00:00:00
redhat
redhat
(RHSA-2020:4670) Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update
2020-11-03 12:25:36
(RHSA-2020:3936) Moderate: ipa security, bug fix, and enhancement update
2020-09-29 07:44:46
(RHSA-2019:3024) Moderate: ovirt-web-ui security and bug fix update
2019-10-10 14:49:46
atlassian
atlassian
Jira uses vulnerable jQuery version CVE-2015-9251
2020-04-20 13:29:57
rocky
rocky
idm:DL1 and idm:client security, bug fix, and enhancement update
2020-11-03 12:25:36
pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update
2020-11-03 12:29:58
centos
centos
ipa, python2 security update
2020-10-20 18:15:27
almalinux
almalinux
Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update
2020-11-03 12:25:36
Moderate: pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update
2020-11-03 12:29:58
nvd
nvd
CVE-2019-14862
2020-01-02 15:15:12
CVE-2009-0385
2009-02-02 19:30:00
CVE-2018-14042
2018-07-13 14:29:00
prion
prion
Integer overflow
2009-02-02 19:30:00
Design/Logic Flaw
2020-01-02 15:15:00
Design/Logic Flaw
2018-07-13 14:29:00
debiancve
debiancve
CVE-2009-0385
2009-02-02 19:30:00
CVE-2019-14862
2020-01-02 15:15:12
CVE-2018-14042
2018-07-13 14:29:00
veracode
veracode
Cross-site Scripting (XSS)
2018-02-20 10:31:38
Cross-Site Scripting (XSS)
2018-06-04 09:28:27
Cross-site Scripting (XSS)
2018-05-31 04:13:41
ubuntucve
ubuntucve
CVE-2019-14862
2020-01-02 00:00:00
CVE-2009-0385
2009-02-02 00:00:00
CVE-2015-9251
2018-01-18 00:00:00
cve
cve
CVE-2019-14862
2020-01-02 15:15:12
CVE-2009-0385
2009-02-02 19:30:00
CVE-2018-14041
2018-07-13 14:29:00
cvelist
cvelist
CVE-2019-14862
2020-01-02 14:18:58
CVE-2009-0385
2009-02-02 19:00:00
CVE-2015-9251
2018-01-18 23:00:00
freebsd
freebsd
ffmpeg -- 4xm processing memory corruption vulnerability
2009-01-28 00:00:00
rt -- XSS via jQuery
2019-03-05 00:00:00
openvas
openvas
FreeBSD Ports: ffmpeg
2009-03-20 00:00:00
FreeBSD Ports: ffmpeg
2009-03-20 00:00:00
Slackware: Security Advisory (SSA:2009-098-03)
2012-09-10 00:00:00
checkpoint_advisories
checkpoint_advisories
FFmpeg 4xm Processing Memory Corruption (CVE-2009-0385)
2009-11-03 00:00:00
githubexploit
githubexploit
Exploit for Cross-site Scripting in Knockoutjs Knockout
2020-12-01 09:18:57
Exploit for Cross-site Scripting in Getbootstrap Bootstrap
2020-12-01 09:18:58
seebug
seebug
FFmpeg 4xm文件解析内存破坏漏洞
2009-02-19 00:00:00
redhatcve
redhatcve
CVE-2019-14862
2019-10-21 13:21:25
CVE-2018-14041
2019-10-09 06:49:06
CVE-2018-14042
2018-07-16 23:20:34
slackware
slackware
xine-lib
2009-04-07 23:31:21
ics
ics
Mitsubishi Electric EcoWebServerIII
2022-02-24 12:00:00
AVEVA InTouch Access Anywhere
2018-07-31 12:00:00
f5
f5
K19785240 : Bootstrap vulnerability CVE-2018-14042
2021-11-19 00:00:00
K29562170 : jQuery vulnerability CVE-2015-9251
2020-02-19 00:00:00
K05380109 : Bootstrap vulnerability CVE-2018-14041
2021-11-19 00:00:00
gitlab
gitlab
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
2018-07-13 00:00:00
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
2018-07-13 00:00:00
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
2019-02-20 00:00:00
cloudfoundry
cloudfoundry
CVE-2015-9251: UAA contains vulnerable jQuery version | Cloud Foundry
2019-07-08 00:00:00
alpinelinux
alpinelinux
CVE-2015-9251
2018-01-18 23:29:00
attackerkb
attackerkb
CVE-2015-9251
2018-01-18 00:00:00
friendsofphp
friendsofphp
Cross-Site Scripting in Bootstrap CSS toolkit
2019-01-22 08:41:33
Cross-Site Scripting in Bootstrap CSS toolkit
2019-01-22 08:41:33
typo3
typo3
Cross-Site Scripting in Bootstrap CSS toolkit before 3.4.1 and 4.3.0
2019-05-07 00:00:00
Cross-Site Scripting in Bootstrap CSS toolkit
2019-01-22 00:00:00
nodejs
nodejs
Cross-Site Scripting
2019-05-22 18:03:13
cbl_mariner
cbl_mariner
CVE-2018-14040 affecting package boost 1.66.0-4
2024-07-05 21:08:35

0.495 Medium

EPSS

Percentile

97.5%

JSON
Related for D63678498B94CE4636F5CEB8FAB7C8F6F571F578E6D0EF1B23F011C3A5778E9E
hackerone2laminas1ibm25rubygems1nessus35jvn1osv15amazon1github8oraclelinux3redhat12atlassian1rocky2centos1almalinux2nvd8prion8debiancve7veracode5ubuntucve7cve8cvelist8freebsd2openvas7checkpoint_advisories1githubexploit2seebug1redhatcve4slackware1ics2f55gitlab4cloudfoundry1alpinelinux1attackerkb1friendsofphp2typo32nodejs1cbl_mariner1