Severity
Medium
Analysis Summary
CVE-2024-35146 CVSS:5.4
IBM Maximo Application Suite - Monitor Component 8.10.11, 8.11.8, and 9.0.0 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVE-2024-45086 CVSS:5.5
IBM WebSphere Application Server is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A privileged user could exploit this vulnerability to expose sensitive information or consume memory resources.
CVE-2024-41745 CVSS:6.1
IBM CICS TX Standard is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVE-2024-41741 CVSS:5.3
IBM TXSeries for Multiplatforms 10.1 could allow an attacker to determine valid usernames due to an observable timing discrepancy which could be used in further attacks against the system.
Impact
- Cross-Site Scripting
- Information Disclosure
Indicators of Compromise
CVE
- CVE-2024-35146
- CVE-2024-45086
- CVE-2024-41745
- CVE-2024-41741
Affected Vendors
Affected Products
- IBM WebSphere Application Server 8.5
- IBM WebSphere Application Server 9.0
- IBM CICS TX Standard 11.1
- IBM Maximo Application Suite 8.10.11
- IBM Maximo Application Suite 8.11.8
- IBM Maximo Application Suite 9.0.0
- IBM CICS TX Standard - 11.1
- IBM TXSeries for Multiplatforms 10.1
Remediation
Refer to IBM Security Advisory for patch, upgrade or suggested workaround information.