Search criteria
115 vulnerabilities found for Cognos Controller by IBM
CVE-2025-36326 (GCVE-0-2025-36326)
Vulnerability from cvelistv5 – Published: 2025-09-26 14:20 – Updated: 2025-09-26 14:54
VLAI?
Summary
IBM Cognos Controller 11.0.0 through 11.0.1, and IBM Controller 11.1.0 through 11.1.1 could allow an attacker to obtain sensitive information due to the use of hardcoded cryptographic keys for signing session cookies.
Severity ?
CWE
- CWE-321 - Use of Hard-coded Cryptographic Key
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| IBM | Cognos Controller |
Affected:
11.0.0 , ≤ 11.0.1
(semver)
cpe:2.3:a:ibm:cognos_controller:11.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:cognos_controller:11.0.1:*:*:*:*:*:*:* |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36326",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-26T14:54:16.381196Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-26T14:54:41.385Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:cognos_controller:11.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cognos_controller:11.0.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Cognos Controller",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "11.0.1",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
}
]
},
{
"cpes": [
"cpe:2.3:a:ibm:controller:11.1.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:controller:11.1.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Controller",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "11.1.1",
"status": "affected",
"version": "11.1.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM Cognos Controller 11.0.0 through 11.0.1, and IBM Controller 11.1.0 through 11.1.1 could allow an attacker to obtain sensitive information due to the use of hardcoded cryptographic keys for signing session cookies."
}
],
"value": "IBM Cognos Controller 11.0.0 through 11.0.1, and IBM Controller 11.1.0 through 11.1.1 could allow an attacker to obtain sensitive information due to the use of hardcoded cryptographic keys for signing session cookies."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "CWE-321 Use of Hard-coded Cryptographic Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-26T14:20:46.219Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7246015"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Controller information disclosure",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003eDownload the script from here: \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FCognos+8+Controller\u0026amp;fixids=CNTRL-WS-11.X-PATCH\u0026amp;source=SAR\u0026amp;function=fixId\u0026amp;parent=Cognos\"\u003eFix Central\u003c/a\u003e\u003c/div\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cdiv\u003eIt is strongly recommended that you apply the most recent security updates:\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u0026nbsp; \u0026nbsp; \u003c/div\u003e\u003cdiv\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eAffected Product(s)\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eVersion(s)\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eInterim Fix\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Controller\u003c/td\u003e\u003ctd\u003e11.1.0 - 11.1.1\u003c/td\u003e\u003ctd\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FCognos+8+Controller\u0026amp;fixids=CNTRL-WS-11.X-PATCH\u0026amp;source=SAR\u0026amp;function=fixId\u0026amp;parent=Cognos\"\u003eFix Central\u003c/a\u003e\u003c/span\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Cognos Controller\u003c/td\u003e\u003ctd\u003e11.0.0 - 11.0.1 \u003c/td\u003e\u003ctd\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FCognos+8+Controller\u0026amp;fixids=CNTRL-WS-11.X-PATCH\u0026amp;source=SAR\u0026amp;function=fixId\u0026amp;parent=Cognos\"\u003eFix Central\u003c/a\u003e\u003c/span\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003c/div\u003e\u003cp\u003ePrerequisites\u003c/p\u003e\u003col\u003e\u003cli\u003eEnsure you are logged in to the server with System Administrator privileges.\u003c/li\u003e\u003cli\u003eCreate a backup of the server.js file located in the product installation path (e.g., C:\\ccr_64\\frontend) before proceeding.\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eProcedure\u003c/p\u003e\u003col\u003e\u003cli\u003eNavigate to the directory containing server.js in the product installation path (e.g., C:\\ccr_64\\frontend).\u003c/li\u003e\u003cli\u003eCopy the script file ControllerWebUIService_11_X_Patch.ps1 into this directory.\u003c/li\u003e\u003cli\u003eRight-click on the ControllerWebUIService_11_X_Patch.ps1 script and select Run with PowerShell to execute it.\u003c/li\u003e\u003cli\u003eAfter execution, verify that a new System Environment Variable named session_passphrase has been created and assigned a random value.\u003c/li\u003e\u003cli\u003eConfirm that all SSL configuration steps have already been completed if you have enabled SSL.\u003c/li\u003e\u003cli\u003eRestart the IBM Controller Web UI service.\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eNotes\u003c/p\u003e\u003cul\u003e\u003cli\u003eThis script is intended for one-time use only. Do not re-run the script.\u003c/li\u003e\u003cli\u003eIf any errors occur during execution of the ControllerWebUIService_11_X_Patch.ps1 script, you may run the rollback script ControllerWebUIService_11_X_Patch_Rollback.ps1 or \u0026nbsp; replace server.js with the backed-up file.\u003c/li\u003e\u003cli\u003eDo not delete the session_passphrase environment variable.\u003c/li\u003e\u003cli\u003eAfter each Fix Pack (FP) upgrade, re-execute the patch script only if the session_passphrase is missing from the server.js file.\u003c/li\u003e\u003c/ul\u003e\n\n\u003cbr\u003e"
}
],
"value": "Download the script from here: Fix Central https://www.ibm.com/support/fixcentral/swg/selectFixes \n\n\u00a0\n\nIt is strongly recommended that you apply the most recent security updates:\n\n\n\n\n\n\u00a0 \u00a0 \n\nAffected Product(s)Version(s)Interim FixIBM Controller11.1.0 - 11.1.1 Fix Central https://www.ibm.com/support/fixcentral/swg/selectFixes IBM Cognos Controller11.0.0 - 11.0.1 Fix Central https://www.ibm.com/support/fixcentral/swg/selectFixes \n\nPrerequisites\n\n * Ensure you are logged in to the server with System Administrator privileges.\n * Create a backup of the server.js file located in the product installation path (e.g., C:\\ccr_64\\frontend) before proceeding.\nProcedure\n\n * Navigate to the directory containing server.js in the product installation path (e.g., C:\\ccr_64\\frontend).\n * Copy the script file ControllerWebUIService_11_X_Patch.ps1 into this directory.\n * Right-click on the ControllerWebUIService_11_X_Patch.ps1 script and select Run with PowerShell to execute it.\n * After execution, verify that a new System Environment Variable named session_passphrase has been created and assigned a random value.\n * Confirm that all SSL configuration steps have already been completed if you have enabled SSL.\n * Restart the IBM Controller Web UI service.\nNotes\n\n * This script is intended for one-time use only. Do not re-run the script.\n * If any errors occur during execution of the ControllerWebUIService_11_X_Patch.ps1 script, you may run the rollback script ControllerWebUIService_11_X_Patch_Rollback.ps1 or \u00a0 replace server.js with the backed-up file.\n * Do not delete the session_passphrase environment variable.\n * After each Fix Pack (FP) upgrade, re-execute the patch script only if the session_passphrase is missing from the server.js file."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36326",
"datePublished": "2025-09-26T14:20:46.219Z",
"dateReserved": "2025-04-15T21:16:51.462Z",
"dateUpdated": "2025-09-26T14:54:41.385Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-33079 (GCVE-0-2025-33079)
Vulnerability from cvelistv5 – Published: 2025-05-27 01:05 – Updated: 2025-08-26 15:03
VLAI?
Summary
IBM Controller 11.0.0, 11.0.1, and 11.1.0 application could allow an authenticated user to obtain sensitive credentials that may be inadvertently included within the source code.
Severity ?
6.5 (Medium)
CWE
- CWE-256 - Plaintext Storage of a Password
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| IBM | Controller |
Affected:
11.1.0
cpe:2.3:a:ibm:controller:11.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:controller:11.0.1:*:*:*:*:*:*:* cpe:2.3:a:ibm:controller:11.1.0:*:*:*:*:*:*:* |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-33079",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-27T19:36:56.538109Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-27T19:37:15.252Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:controller:11.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:controller:11.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:controller:11.1.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Controller",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "11.1.0"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Cognos Controller",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "11.0.0, 11.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM Controller 11.0.0, 11.0.1, and 11.1.0 application could allow an authenticated user to obtain sensitive credentials that may be inadvertently included within the source code."
}
],
"value": "IBM Controller 11.0.0, 11.0.1, and 11.1.0 application could allow an authenticated user to obtain sensitive credentials that may be inadvertently included within the source code."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-256",
"description": "CWE-256 Plaintext Storage of a Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-26T15:03:51.764Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7234720"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "It is strongly recommended that you apply the most recent security updates:\u003cbr\u003e\u003cbr\u003eIBM Controller 11.1.0 FP4 from Fix Central\u003cbr\u003eIBM Cognos Controller 11.0.1 FP5 from Fix Central\u003cbr\u003e"
}
],
"value": "It is strongly recommended that you apply the most recent security updates:\n\nIBM Controller 11.1.0 FP4 from Fix Central\nIBM Cognos Controller 11.0.1 FP5 from Fix Central"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Controller information disclosure",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-33079",
"datePublished": "2025-05-27T01:05:12.455Z",
"dateReserved": "2025-04-15T17:50:20.368Z",
"dateUpdated": "2025-08-26T15:03:51.764Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-39163 (GCVE-0-2022-39163)
Vulnerability from cvelistv5 – Published: 2025-03-26 13:51 – Updated: 2025-08-15 15:22
VLAI?
Summary
IBM Cognos Controller 11.0.0 through 11.1.0 is vulnerable to a Client-Side Desync (CSD) attack where an attacker could exploit a desynchronized browser connection that could lead to further cross-site scripting (XSS) attacks.
Severity ?
4.7 (Medium)
CWE
- CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| IBM | Cognos Controller |
Affected:
11.0.0 , ≤ 11.0.1
(semver)
cpe:2.3:a:ibm:controller:11.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:controller:11.0.1:*:*:*:*:*:*:* cpe:2.3:a:ibm:controller:11.1.0:*:*:*:*:*:*:* |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-39163",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-26T15:57:09.709843Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-26T15:57:15.282Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:controller:11.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:controller:11.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:controller:11.1.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Cognos Controller",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "11.0.1",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "11.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM Cognos Controller 11.0.0 through 11.1.0 is vulnerable to a Client-Side Desync (CSD) attack where an attacker could exploit a desynchronized browser connection that could lead to further cross-site scripting (XSS) attacks."
}
],
"value": "IBM Cognos Controller 11.0.0 through 11.1.0 is vulnerable to a Client-Side Desync (CSD) attack where an attacker could exploit a desynchronized browser connection that could lead to further cross-site scripting (XSS) attacks."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-444",
"description": "CWE-444 Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-15T15:22:17.140Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7192746"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Cognos Controller HTTP response smuggling",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2022-39163",
"datePublished": "2025-03-26T13:51:51.469Z",
"dateReserved": "2022-09-01T20:20:58.938Z",
"dateUpdated": "2025-08-15T15:22:17.140Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-47160 (GCVE-0-2023-47160)
Vulnerability from cvelistv5 – Published: 2025-02-19 16:20 – Updated: 2025-08-17 00:10
VLAI?
Summary
IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0
is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
Severity ?
8.2 (High)
CWE
- CWE-611 - Improper Restriction of XML External Entity Reference
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| IBM | Cognos Controller |
Affected:
11.0.0 , ≤ 11.0.1
(semver)
cpe:2.3:a:ibm:controller:11.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:controller:11.0.1:*:*:*:*:*:*:* |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-47160",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-19T16:44:36.868285Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-19T16:44:46.227Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:controller:11.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:controller:11.0.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Cognos Controller",
"vendor": "IBM",
"versions": [
{
"changes": [
{
"at": "FP3",
"status": "affected"
}
],
"lessThanOrEqual": "11.0.1",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
}
]
},
{
"cpes": [
"cpe:2.3:a:ibm:controller:11.1.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Controller",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "11.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 \n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eis vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003c/span\u003e\n\n\n\n\n\n\n\n\u003c/span\u003e"
}
],
"value": "IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 \n\n\n\n\n\nis vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611 Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-17T00:10:00.333Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7183597"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Cognos Controller XML external entity injection",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2023-47160",
"datePublished": "2025-02-19T16:20:09.058Z",
"dateReserved": "2023-10-31T00:13:45.654Z",
"dateUpdated": "2025-08-17T00:10:00.333Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-28777 (GCVE-0-2024-28777)
Vulnerability from cvelistv5 – Published: 2025-02-19 16:04 – Updated: 2025-08-15 14:37
VLAI?
Summary
IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0
is vulnerable to unrestricted deserialization. This vulnerability allows users to execute arbitrary code, escalate privileges, or cause denial of service attacks by exploiting the unrestricted deserialization of types in the application.
Severity ?
8.8 (High)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| IBM | Cognos Controller |
Affected:
11.0.0 , ≤ 11.0.1
(semver)
cpe:2.3:a:ibm:controller:11.1.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:cognos_controller:11.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:cognos_controller:11.0.1:fix_pack_3:*:*:*:*:*:* |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-28777",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-19T16:23:49.279960Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-19T16:24:01.383Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:controller:11.1.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cognos_controller:11.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cognos_controller:11.0.1:fix_pack_3:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Cognos Controller",
"vendor": "IBM",
"versions": [
{
"changes": [
{
"at": "FP3",
"status": "affected"
}
],
"lessThanOrEqual": "11.0.1",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "11.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 \n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eis vulnerable to unrestricted deserialization. This vulnerability allows users to execute arbitrary code, escalate privileges, or cause denial of service attacks by exploiting the unrestricted deserialization of types in the application.\u003c/span\u003e\n\n\u003c/span\u003e\n\n\n\n\n\n\n\n\u003c/span\u003e"
}
],
"value": "IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 \n\n\n\nis vulnerable to unrestricted deserialization. This vulnerability allows users to execute arbitrary code, escalate privileges, or cause denial of service attacks by exploiting the unrestricted deserialization of types in the application."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-15T14:37:44.315Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7183597"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Cognos Controller code execution",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2024-28777",
"datePublished": "2025-02-19T16:04:19.920Z",
"dateReserved": "2024-03-10T12:23:11.490Z",
"dateUpdated": "2025-08-15T14:37:44.315Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-28776 (GCVE-0-2024-28776)
Vulnerability from cvelistv5 – Published: 2025-02-19 16:02 – Updated: 2025-08-15 14:38
VLAI?
Summary
IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0
is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| IBM | Cognos Controller |
Affected:
11.0.0 , ≤ 11.0.1
(semver)
cpe:2.3:a:ibm:controller:11.1.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:cognos_controller:11.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:cognos_controller:11.0.1:fix_pack_3:*:*:*:*:*:* |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-28776",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-19T16:24:37.071556Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-19T16:24:51.799Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:controller:11.1.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cognos_controller:11.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cognos_controller:11.0.1:fix_pack_3:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Cognos Controller",
"vendor": "IBM",
"versions": [
{
"changes": [
{
"at": "FP3",
"status": "affected"
}
],
"lessThanOrEqual": "11.0.1",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "11.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 \n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eis vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.\u003c/span\u003e\n\n\n\n\n\n\n\n\u003c/span\u003e"
}
],
"value": "IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 \n\nis vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-15T14:38:38.702Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7183597"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Cognos Controller cross-site scripting",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2024-28776",
"datePublished": "2025-02-19T16:02:08.425Z",
"dateReserved": "2024-03-10T12:23:11.490Z",
"dateUpdated": "2025-08-15T14:38:38.702Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-28780 (GCVE-0-2024-28780)
Vulnerability from cvelistv5 – Published: 2025-02-19 15:39 – Updated: 2025-07-25 15:51
VLAI?
Summary
IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 Rich Client
uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.
Severity ?
5.9 (Medium)
CWE
- CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| IBM | Cognos Controller |
Affected:
11.0.0 , ≤ 11.0.1
(semver)
cpe:2.3:a:ibm:controller:11.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:controller:11.0.1:*:*:*:*:*:*:* |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-28780",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-19T15:50:23.816647Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-19T15:50:37.543Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:controller:11.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:controller:11.0.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Cognos Controller",
"vendor": "IBM",
"versions": [
{
"changes": [
{
"at": "FP3",
"status": "affected"
}
],
"lessThanOrEqual": "11.0.1",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
}
]
},
{
"cpes": [
"cpe:2.3:a:ibm:controller:11.1.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Controller",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "11.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 Rich Client\u0026nbsp;\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003euses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003c/span\u003e"
}
],
"value": "IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 Rich Client\u00a0\n\n\n\n\n\nuses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-327",
"description": "CWE-327 Use of a Broken or Risky Cryptographic Algorithm",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-25T15:51:09.515Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.ibm.com/support/pages/node/7183597"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Cognos Controller information disclosure",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2024-28780",
"datePublished": "2025-02-19T15:39:38.371Z",
"dateReserved": "2024-03-10T12:23:24.001Z",
"dateUpdated": "2025-07-25T15:51:09.515Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45081 (GCVE-0-2024-45081)
Vulnerability from cvelistv5 – Published: 2025-02-19 15:37 – Updated: 2025-08-15 14:29
VLAI?
Summary
IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0
could allow an authenticated user to modify restricted content due to incorrect authorization checks.
Severity ?
6.5 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| IBM | Cognos Controller |
Affected:
11.0.0 , ≤ 11.0.1
(semver)
cpe:2.3:a:ibm:cognos_controller:11.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:cognos_controller:11.0.1:fix_pack_3:*:*:*:*:*:* |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45081",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-19T15:52:11.914980Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-19T15:52:23.655Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:cognos_controller:11.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cognos_controller:11.0.1:fix_pack_3:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Cognos Controller",
"vendor": "IBM",
"versions": [
{
"changes": [
{
"at": "FP3",
"status": "affected"
}
],
"lessThanOrEqual": "11.0.1",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "11.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 \n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ecould allow an authenticated user to modify restricted content due to incorrect authorization checks.\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003c/span\u003e"
}
],
"value": "IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 \n\n\n\ncould allow an authenticated user to modify restricted content due to incorrect authorization checks."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-15T14:29:59.475Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7183597"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Cognos Controller incorrect authorization",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2024-45081",
"datePublished": "2025-02-19T15:37:09.745Z",
"dateReserved": "2024-08-21T19:11:05.062Z",
"dateUpdated": "2025-08-15T14:29:59.475Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45084 (GCVE-0-2024-45084)
Vulnerability from cvelistv5 – Published: 2025-02-19 15:24 – Updated: 2025-09-29 17:55
VLAI?
Summary
IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0
could allow an authenticated attacker to conduct formula injection. An attacker could execute arbitrary commands on the system, caused by improper validation of file contents.
Severity ?
CWE
- CWE-1236 - Improper Neutralization of Formula Elements in a CSV File
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| IBM | Cognos Controller |
Affected:
11.0.0 , ≤ 11.0.1
(semver)
cpe:2.3:a:ibm:cognos_controller:11.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:cognos_controller:11.0.1:fix_pack_3:*:*:*:*:*:* |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45084",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-19T16:24:29.148111Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-19T16:24:33.325Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:cognos_controller:11.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cognos_controller:11.0.1:fix_pack_3:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Cognos Controller",
"vendor": "IBM",
"versions": [
{
"changes": [
{
"at": "FP3",
"status": "affected"
}
],
"lessThanOrEqual": "11.0.1",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "11.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 \n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ecould allow an authenticated attacker to conduct formula injection. An attacker could execute arbitrary commands on the system, caused by improper validation of file contents.\u003c/span\u003e\n\n\u003c/span\u003e"
}
],
"value": "IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 \n\ncould allow an authenticated attacker to conduct formula injection. An attacker could execute arbitrary commands on the system, caused by improper validation of file contents."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1236",
"description": "CWE-1236 Improper Neutralization of Formula Elements in a CSV File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T17:55:20.228Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7183597"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Cognos Controller CSV injection",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2024-45084",
"datePublished": "2025-02-19T15:24:03.216Z",
"dateReserved": "2024-08-21T19:11:05.063Z",
"dateUpdated": "2025-09-29T17:55:20.228Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-52902 (GCVE-0-2024-52902)
Vulnerability from cvelistv5 – Published: 2025-02-19 14:50 – Updated: 2025-08-15 14:42
VLAI?
Summary
IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 client application contains hard coded database passwords in source code which could be used for unauthorized access to the system.
Severity ?
8.8 (High)
CWE
- CWE-798 - Use of Hard-coded Credentials
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| IBM | Cognos Controller |
Affected:
11.0.0 , ≤ 11.0.1
(semver)
cpe:2.3:a:ibm:controller:11.1.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:cognos_controller:11.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:cognos_controller:11.0.1:fix_pack_3:*:*:*:*:*:* |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-52902",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-19T15:25:58.534638Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-19T15:26:06.517Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:controller:11.1.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cognos_controller:11.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cognos_controller:11.0.1:fix_pack_3:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Cognos Controller",
"vendor": "IBM",
"versions": [
{
"changes": [
{
"at": "FP3",
"status": "unaffected"
}
],
"lessThanOrEqual": "11.0.1",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "11.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 client application contains hard coded database passwords in source code which could be used for unauthorized access to the system.\u003c/span\u003e"
}
],
"value": "IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 client application contains hard coded database passwords in source code which could be used for unauthorized access to the system."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798 Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-15T14:42:21.022Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7183597"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Cognos Controller information disclosure",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2024-52902",
"datePublished": "2025-02-19T14:50:24.376Z",
"dateReserved": "2024-11-17T14:25:57.179Z",
"dateUpdated": "2025-08-15T14:42:21.022Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-22363 (GCVE-0-2022-22363)
Vulnerability from cvelistv5 – Published: 2025-01-07 16:07 – Updated: 2025-01-07 16:58
VLAI?
Summary
IBM Cognos Controller 11.0.0 through 11.0.1 and IBM Controller 11.1.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system.
Severity ?
4.3 (Medium)
CWE
- CWE-209 - Generation of Error Message Containing Sensitive Information
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| IBM | Controller |
Affected:
11.1.0
cpe:2.3:a:ibm:controller:11.1.0:*:*:*:*:*:*:* |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-22363",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-07T16:58:05.297251Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-07T16:58:21.218Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:controller:11.1.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Controller",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "11.1.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:ibm:cognos_controller:11.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cognos_controller:11.0.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Cognos Controller",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "11.0.1",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM Cognos Controller 11.0.0 through 11.0.1 and IBM Controller 11.1.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system."
}
],
"value": "IBM Cognos Controller 11.0.0 through 11.0.1 and IBM Controller 11.1.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-209",
"description": "CWE-209 Generation of Error Message Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-07T16:07:00.578Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"url": "https://www.ibm.com/support/pages/node/7179163"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Cognos Controller information disclosure",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2022-22363",
"datePublished": "2025-01-07T16:07:00.578Z",
"dateReserved": "2022-01-03T22:29:20.933Z",
"dateUpdated": "2025-01-07T16:58:21.218Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-20455 (GCVE-0-2021-20455)
Vulnerability from cvelistv5 – Published: 2025-01-07 16:04 – Updated: 2025-01-07 16:58
VLAI?
Summary
IBM Cognos Controller 11.0.0 through 11.0.1 and IBM Controller 11.1.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system.
Severity ?
CWE
- CWE-209 - Generation of Error Message Containing Sensitive Information
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| IBM | Controller |
Affected:
11.1.0
cpe:2.3:a:ibm:controller:11.1.0:*:*:*:*:*:*:* |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-20455",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-07T16:58:35.972262Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-07T16:58:53.303Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:controller:11.1.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Controller",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "11.1.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:ibm:cognos_controller:11.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cognos_controller:11.0.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Cognos Controller",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "11.0.1",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM Cognos Controller 11.0.0 through 11.0.1 and IBM Controller 11.1.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system."
}
],
"value": "IBM Cognos Controller 11.0.0 through 11.0.1 and IBM Controller 11.1.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-209",
"description": "CWE-209 Generation of Error Message Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-07T16:04:37.010Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"url": "https://www.ibm.com/support/pages/node/7179163"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Cognos Controller information disclosure",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2021-20455",
"datePublished": "2025-01-07T16:04:37.010Z",
"dateReserved": "2020-12-17T19:17:34.738Z",
"dateUpdated": "2025-01-07T16:58:53.303Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-40702 (GCVE-0-2024-40702)
Vulnerability from cvelistv5 – Published: 2025-01-07 16:02 – Updated: 2025-01-07 16:59
VLAI?
Summary
IBM Cognos Controller 11.0.0 through 11.0.1 and IBM Controller 11.1.0 could allow an unauthorized user to obtain valid tokens to gain access to protected resources due to improper certificate validation.
Severity ?
8.2 (High)
CWE
- CWE-295 - Improper Certificate Validation
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| IBM | Controller |
Affected:
11.1.0
cpe:2.3:a:ibm:controller:11.1.0:*:*:*:*:*:*:* |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-40702",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-07T16:59:15.610169Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-07T16:59:26.656Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:controller:11.1.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Controller",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "11.1.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:ibm:cognos_controller:11.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cognos_controller:11.0.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Cognos Controller",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "11.0.1",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM Cognos Controller 11.0.0 through 11.0.1 and IBM Controller 11.1.0 could allow an unauthorized user to obtain valid tokens to gain access to protected resources due to improper certificate validation."
}
],
"value": "IBM Cognos Controller 11.0.0 through 11.0.1 and IBM Controller 11.1.0 could allow an unauthorized user to obtain valid tokens to gain access to protected resources due to improper certificate validation."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295 Improper Certificate Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-07T16:02:36.236Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"url": "https://www.ibm.com/support/pages/node/7179163"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Cognos Controller improper certificate validation",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2024-40702",
"datePublished": "2025-01-07T16:02:36.236Z",
"dateReserved": "2024-07-08T19:31:12.238Z",
"dateUpdated": "2025-01-07T16:59:26.656Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-28778 (GCVE-0-2024-28778)
Vulnerability from cvelistv5 – Published: 2025-01-07 15:57 – Updated: 2025-01-07 16:47
VLAI?
Summary
IBM Cognos Controller 11.0.0 through 11.0.1 and IBM Controller 11.1.0 is vulnerable to exposure of Artifactory API keys. This vulnerability allows users to publish code to private packages or repositories under the name of the organization.
Severity ?
6.5 (Medium)
CWE
- CWE-798 - Use of Hard-coded Credentials
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| IBM | Controller |
Affected:
11.1.0
cpe:2.3:a:ibm:controller:11.1.0:*:*:*:*:*:*:* |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-28778",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-07T16:47:08.512733Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-07T16:47:18.576Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:controller:11.1.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Controller",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "11.1.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:ibm:cognos_controller:11.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cognos_controller:11.0.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Cognos Controller",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "11.0.1",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM Cognos Controller 11.0.0 through 11.0.1 and IBM Controller 11.1.0 is vulnerable to exposure of Artifactory API keys. This vulnerability allows users to publish code to private packages or repositories under the name of the organization."
}
],
"value": "IBM Cognos Controller 11.0.0 through 11.0.1 and IBM Controller 11.1.0 is vulnerable to exposure of Artifactory API keys. This vulnerability allows users to publish code to private packages or repositories under the name of the organization."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798 Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-07T15:57:13.969Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"url": "https://www.ibm.com/support/pages/node/7179163"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Cognos Controller information disclosure",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2024-28778",
"datePublished": "2025-01-07T15:57:13.969Z",
"dateReserved": "2024-03-10T12:23:11.490Z",
"dateUpdated": "2025-01-07T16:47:18.576Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-36326 (GCVE-0-2025-36326)
Vulnerability from nvd – Published: 2025-09-26 14:20 – Updated: 2025-09-26 14:54
VLAI?
Summary
IBM Cognos Controller 11.0.0 through 11.0.1, and IBM Controller 11.1.0 through 11.1.1 could allow an attacker to obtain sensitive information due to the use of hardcoded cryptographic keys for signing session cookies.
Severity ?
CWE
- CWE-321 - Use of Hard-coded Cryptographic Key
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| IBM | Cognos Controller |
Affected:
11.0.0 , ≤ 11.0.1
(semver)
cpe:2.3:a:ibm:cognos_controller:11.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:cognos_controller:11.0.1:*:*:*:*:*:*:* |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36326",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-26T14:54:16.381196Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-26T14:54:41.385Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:cognos_controller:11.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cognos_controller:11.0.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Cognos Controller",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "11.0.1",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
}
]
},
{
"cpes": [
"cpe:2.3:a:ibm:controller:11.1.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:controller:11.1.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Controller",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "11.1.1",
"status": "affected",
"version": "11.1.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM Cognos Controller 11.0.0 through 11.0.1, and IBM Controller 11.1.0 through 11.1.1 could allow an attacker to obtain sensitive information due to the use of hardcoded cryptographic keys for signing session cookies."
}
],
"value": "IBM Cognos Controller 11.0.0 through 11.0.1, and IBM Controller 11.1.0 through 11.1.1 could allow an attacker to obtain sensitive information due to the use of hardcoded cryptographic keys for signing session cookies."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "CWE-321 Use of Hard-coded Cryptographic Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-26T14:20:46.219Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7246015"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Controller information disclosure",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003eDownload the script from here: \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FCognos+8+Controller\u0026amp;fixids=CNTRL-WS-11.X-PATCH\u0026amp;source=SAR\u0026amp;function=fixId\u0026amp;parent=Cognos\"\u003eFix Central\u003c/a\u003e\u003c/div\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cdiv\u003eIt is strongly recommended that you apply the most recent security updates:\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u0026nbsp; \u0026nbsp; \u003c/div\u003e\u003cdiv\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eAffected Product(s)\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eVersion(s)\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eInterim Fix\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Controller\u003c/td\u003e\u003ctd\u003e11.1.0 - 11.1.1\u003c/td\u003e\u003ctd\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FCognos+8+Controller\u0026amp;fixids=CNTRL-WS-11.X-PATCH\u0026amp;source=SAR\u0026amp;function=fixId\u0026amp;parent=Cognos\"\u003eFix Central\u003c/a\u003e\u003c/span\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Cognos Controller\u003c/td\u003e\u003ctd\u003e11.0.0 - 11.0.1 \u003c/td\u003e\u003ctd\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FCognos+8+Controller\u0026amp;fixids=CNTRL-WS-11.X-PATCH\u0026amp;source=SAR\u0026amp;function=fixId\u0026amp;parent=Cognos\"\u003eFix Central\u003c/a\u003e\u003c/span\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003c/div\u003e\u003cp\u003ePrerequisites\u003c/p\u003e\u003col\u003e\u003cli\u003eEnsure you are logged in to the server with System Administrator privileges.\u003c/li\u003e\u003cli\u003eCreate a backup of the server.js file located in the product installation path (e.g., C:\\ccr_64\\frontend) before proceeding.\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eProcedure\u003c/p\u003e\u003col\u003e\u003cli\u003eNavigate to the directory containing server.js in the product installation path (e.g., C:\\ccr_64\\frontend).\u003c/li\u003e\u003cli\u003eCopy the script file ControllerWebUIService_11_X_Patch.ps1 into this directory.\u003c/li\u003e\u003cli\u003eRight-click on the ControllerWebUIService_11_X_Patch.ps1 script and select Run with PowerShell to execute it.\u003c/li\u003e\u003cli\u003eAfter execution, verify that a new System Environment Variable named session_passphrase has been created and assigned a random value.\u003c/li\u003e\u003cli\u003eConfirm that all SSL configuration steps have already been completed if you have enabled SSL.\u003c/li\u003e\u003cli\u003eRestart the IBM Controller Web UI service.\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eNotes\u003c/p\u003e\u003cul\u003e\u003cli\u003eThis script is intended for one-time use only. Do not re-run the script.\u003c/li\u003e\u003cli\u003eIf any errors occur during execution of the ControllerWebUIService_11_X_Patch.ps1 script, you may run the rollback script ControllerWebUIService_11_X_Patch_Rollback.ps1 or \u0026nbsp; replace server.js with the backed-up file.\u003c/li\u003e\u003cli\u003eDo not delete the session_passphrase environment variable.\u003c/li\u003e\u003cli\u003eAfter each Fix Pack (FP) upgrade, re-execute the patch script only if the session_passphrase is missing from the server.js file.\u003c/li\u003e\u003c/ul\u003e\n\n\u003cbr\u003e"
}
],
"value": "Download the script from here: Fix Central https://www.ibm.com/support/fixcentral/swg/selectFixes \n\n\u00a0\n\nIt is strongly recommended that you apply the most recent security updates:\n\n\n\n\n\n\u00a0 \u00a0 \n\nAffected Product(s)Version(s)Interim FixIBM Controller11.1.0 - 11.1.1 Fix Central https://www.ibm.com/support/fixcentral/swg/selectFixes IBM Cognos Controller11.0.0 - 11.0.1 Fix Central https://www.ibm.com/support/fixcentral/swg/selectFixes \n\nPrerequisites\n\n * Ensure you are logged in to the server with System Administrator privileges.\n * Create a backup of the server.js file located in the product installation path (e.g., C:\\ccr_64\\frontend) before proceeding.\nProcedure\n\n * Navigate to the directory containing server.js in the product installation path (e.g., C:\\ccr_64\\frontend).\n * Copy the script file ControllerWebUIService_11_X_Patch.ps1 into this directory.\n * Right-click on the ControllerWebUIService_11_X_Patch.ps1 script and select Run with PowerShell to execute it.\n * After execution, verify that a new System Environment Variable named session_passphrase has been created and assigned a random value.\n * Confirm that all SSL configuration steps have already been completed if you have enabled SSL.\n * Restart the IBM Controller Web UI service.\nNotes\n\n * This script is intended for one-time use only. Do not re-run the script.\n * If any errors occur during execution of the ControllerWebUIService_11_X_Patch.ps1 script, you may run the rollback script ControllerWebUIService_11_X_Patch_Rollback.ps1 or \u00a0 replace server.js with the backed-up file.\n * Do not delete the session_passphrase environment variable.\n * After each Fix Pack (FP) upgrade, re-execute the patch script only if the session_passphrase is missing from the server.js file."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36326",
"datePublished": "2025-09-26T14:20:46.219Z",
"dateReserved": "2025-04-15T21:16:51.462Z",
"dateUpdated": "2025-09-26T14:54:41.385Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-33079 (GCVE-0-2025-33079)
Vulnerability from nvd – Published: 2025-05-27 01:05 – Updated: 2025-08-26 15:03
VLAI?
Summary
IBM Controller 11.0.0, 11.0.1, and 11.1.0 application could allow an authenticated user to obtain sensitive credentials that may be inadvertently included within the source code.
Severity ?
6.5 (Medium)
CWE
- CWE-256 - Plaintext Storage of a Password
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| IBM | Controller |
Affected:
11.1.0
cpe:2.3:a:ibm:controller:11.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:controller:11.0.1:*:*:*:*:*:*:* cpe:2.3:a:ibm:controller:11.1.0:*:*:*:*:*:*:* |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-33079",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-27T19:36:56.538109Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-27T19:37:15.252Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:controller:11.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:controller:11.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:controller:11.1.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Controller",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "11.1.0"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Cognos Controller",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "11.0.0, 11.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM Controller 11.0.0, 11.0.1, and 11.1.0 application could allow an authenticated user to obtain sensitive credentials that may be inadvertently included within the source code."
}
],
"value": "IBM Controller 11.0.0, 11.0.1, and 11.1.0 application could allow an authenticated user to obtain sensitive credentials that may be inadvertently included within the source code."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-256",
"description": "CWE-256 Plaintext Storage of a Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-26T15:03:51.764Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7234720"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "It is strongly recommended that you apply the most recent security updates:\u003cbr\u003e\u003cbr\u003eIBM Controller 11.1.0 FP4 from Fix Central\u003cbr\u003eIBM Cognos Controller 11.0.1 FP5 from Fix Central\u003cbr\u003e"
}
],
"value": "It is strongly recommended that you apply the most recent security updates:\n\nIBM Controller 11.1.0 FP4 from Fix Central\nIBM Cognos Controller 11.0.1 FP5 from Fix Central"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Controller information disclosure",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-33079",
"datePublished": "2025-05-27T01:05:12.455Z",
"dateReserved": "2025-04-15T17:50:20.368Z",
"dateUpdated": "2025-08-26T15:03:51.764Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-39163 (GCVE-0-2022-39163)
Vulnerability from nvd – Published: 2025-03-26 13:51 – Updated: 2025-08-15 15:22
VLAI?
Summary
IBM Cognos Controller 11.0.0 through 11.1.0 is vulnerable to a Client-Side Desync (CSD) attack where an attacker could exploit a desynchronized browser connection that could lead to further cross-site scripting (XSS) attacks.
Severity ?
4.7 (Medium)
CWE
- CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| IBM | Cognos Controller |
Affected:
11.0.0 , ≤ 11.0.1
(semver)
cpe:2.3:a:ibm:controller:11.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:controller:11.0.1:*:*:*:*:*:*:* cpe:2.3:a:ibm:controller:11.1.0:*:*:*:*:*:*:* |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-39163",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-26T15:57:09.709843Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-26T15:57:15.282Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:controller:11.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:controller:11.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:controller:11.1.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Cognos Controller",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "11.0.1",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "11.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM Cognos Controller 11.0.0 through 11.1.0 is vulnerable to a Client-Side Desync (CSD) attack where an attacker could exploit a desynchronized browser connection that could lead to further cross-site scripting (XSS) attacks."
}
],
"value": "IBM Cognos Controller 11.0.0 through 11.1.0 is vulnerable to a Client-Side Desync (CSD) attack where an attacker could exploit a desynchronized browser connection that could lead to further cross-site scripting (XSS) attacks."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-444",
"description": "CWE-444 Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-15T15:22:17.140Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7192746"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Cognos Controller HTTP response smuggling",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2022-39163",
"datePublished": "2025-03-26T13:51:51.469Z",
"dateReserved": "2022-09-01T20:20:58.938Z",
"dateUpdated": "2025-08-15T15:22:17.140Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-47160 (GCVE-0-2023-47160)
Vulnerability from nvd – Published: 2025-02-19 16:20 – Updated: 2025-08-17 00:10
VLAI?
Summary
IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0
is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
Severity ?
8.2 (High)
CWE
- CWE-611 - Improper Restriction of XML External Entity Reference
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| IBM | Cognos Controller |
Affected:
11.0.0 , ≤ 11.0.1
(semver)
cpe:2.3:a:ibm:controller:11.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:controller:11.0.1:*:*:*:*:*:*:* |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-47160",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-19T16:44:36.868285Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-19T16:44:46.227Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:controller:11.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:controller:11.0.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Cognos Controller",
"vendor": "IBM",
"versions": [
{
"changes": [
{
"at": "FP3",
"status": "affected"
}
],
"lessThanOrEqual": "11.0.1",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
}
]
},
{
"cpes": [
"cpe:2.3:a:ibm:controller:11.1.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Controller",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "11.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 \n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eis vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003c/span\u003e\n\n\n\n\n\n\n\n\u003c/span\u003e"
}
],
"value": "IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 \n\n\n\n\n\nis vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611 Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-17T00:10:00.333Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7183597"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Cognos Controller XML external entity injection",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2023-47160",
"datePublished": "2025-02-19T16:20:09.058Z",
"dateReserved": "2023-10-31T00:13:45.654Z",
"dateUpdated": "2025-08-17T00:10:00.333Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-28777 (GCVE-0-2024-28777)
Vulnerability from nvd – Published: 2025-02-19 16:04 – Updated: 2025-08-15 14:37
VLAI?
Summary
IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0
is vulnerable to unrestricted deserialization. This vulnerability allows users to execute arbitrary code, escalate privileges, or cause denial of service attacks by exploiting the unrestricted deserialization of types in the application.
Severity ?
8.8 (High)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| IBM | Cognos Controller |
Affected:
11.0.0 , ≤ 11.0.1
(semver)
cpe:2.3:a:ibm:controller:11.1.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:cognos_controller:11.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:cognos_controller:11.0.1:fix_pack_3:*:*:*:*:*:* |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-28777",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-19T16:23:49.279960Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-19T16:24:01.383Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:controller:11.1.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cognos_controller:11.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cognos_controller:11.0.1:fix_pack_3:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Cognos Controller",
"vendor": "IBM",
"versions": [
{
"changes": [
{
"at": "FP3",
"status": "affected"
}
],
"lessThanOrEqual": "11.0.1",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "11.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 \n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eis vulnerable to unrestricted deserialization. This vulnerability allows users to execute arbitrary code, escalate privileges, or cause denial of service attacks by exploiting the unrestricted deserialization of types in the application.\u003c/span\u003e\n\n\u003c/span\u003e\n\n\n\n\n\n\n\n\u003c/span\u003e"
}
],
"value": "IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 \n\n\n\nis vulnerable to unrestricted deserialization. This vulnerability allows users to execute arbitrary code, escalate privileges, or cause denial of service attacks by exploiting the unrestricted deserialization of types in the application."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-15T14:37:44.315Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7183597"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Cognos Controller code execution",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2024-28777",
"datePublished": "2025-02-19T16:04:19.920Z",
"dateReserved": "2024-03-10T12:23:11.490Z",
"dateUpdated": "2025-08-15T14:37:44.315Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-28776 (GCVE-0-2024-28776)
Vulnerability from nvd – Published: 2025-02-19 16:02 – Updated: 2025-08-15 14:38
VLAI?
Summary
IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0
is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| IBM | Cognos Controller |
Affected:
11.0.0 , ≤ 11.0.1
(semver)
cpe:2.3:a:ibm:controller:11.1.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:cognos_controller:11.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:cognos_controller:11.0.1:fix_pack_3:*:*:*:*:*:* |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-28776",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-19T16:24:37.071556Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-19T16:24:51.799Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:controller:11.1.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cognos_controller:11.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cognos_controller:11.0.1:fix_pack_3:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Cognos Controller",
"vendor": "IBM",
"versions": [
{
"changes": [
{
"at": "FP3",
"status": "affected"
}
],
"lessThanOrEqual": "11.0.1",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "11.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 \n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eis vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.\u003c/span\u003e\n\n\n\n\n\n\n\n\u003c/span\u003e"
}
],
"value": "IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 \n\nis vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-15T14:38:38.702Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7183597"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Cognos Controller cross-site scripting",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2024-28776",
"datePublished": "2025-02-19T16:02:08.425Z",
"dateReserved": "2024-03-10T12:23:11.490Z",
"dateUpdated": "2025-08-15T14:38:38.702Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-28780 (GCVE-0-2024-28780)
Vulnerability from nvd – Published: 2025-02-19 15:39 – Updated: 2025-07-25 15:51
VLAI?
Summary
IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 Rich Client
uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.
Severity ?
5.9 (Medium)
CWE
- CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| IBM | Cognos Controller |
Affected:
11.0.0 , ≤ 11.0.1
(semver)
cpe:2.3:a:ibm:controller:11.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:controller:11.0.1:*:*:*:*:*:*:* |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-28780",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-19T15:50:23.816647Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-19T15:50:37.543Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:controller:11.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:controller:11.0.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Cognos Controller",
"vendor": "IBM",
"versions": [
{
"changes": [
{
"at": "FP3",
"status": "affected"
}
],
"lessThanOrEqual": "11.0.1",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
}
]
},
{
"cpes": [
"cpe:2.3:a:ibm:controller:11.1.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Controller",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "11.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 Rich Client\u0026nbsp;\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003euses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003c/span\u003e"
}
],
"value": "IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 Rich Client\u00a0\n\n\n\n\n\nuses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-327",
"description": "CWE-327 Use of a Broken or Risky Cryptographic Algorithm",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-25T15:51:09.515Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.ibm.com/support/pages/node/7183597"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Cognos Controller information disclosure",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2024-28780",
"datePublished": "2025-02-19T15:39:38.371Z",
"dateReserved": "2024-03-10T12:23:24.001Z",
"dateUpdated": "2025-07-25T15:51:09.515Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45081 (GCVE-0-2024-45081)
Vulnerability from nvd – Published: 2025-02-19 15:37 – Updated: 2025-08-15 14:29
VLAI?
Summary
IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0
could allow an authenticated user to modify restricted content due to incorrect authorization checks.
Severity ?
6.5 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| IBM | Cognos Controller |
Affected:
11.0.0 , ≤ 11.0.1
(semver)
cpe:2.3:a:ibm:cognos_controller:11.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:cognos_controller:11.0.1:fix_pack_3:*:*:*:*:*:* |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45081",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-19T15:52:11.914980Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-19T15:52:23.655Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:cognos_controller:11.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cognos_controller:11.0.1:fix_pack_3:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Cognos Controller",
"vendor": "IBM",
"versions": [
{
"changes": [
{
"at": "FP3",
"status": "affected"
}
],
"lessThanOrEqual": "11.0.1",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "11.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 \n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ecould allow an authenticated user to modify restricted content due to incorrect authorization checks.\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003c/span\u003e"
}
],
"value": "IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 \n\n\n\ncould allow an authenticated user to modify restricted content due to incorrect authorization checks."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-15T14:29:59.475Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7183597"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Cognos Controller incorrect authorization",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2024-45081",
"datePublished": "2025-02-19T15:37:09.745Z",
"dateReserved": "2024-08-21T19:11:05.062Z",
"dateUpdated": "2025-08-15T14:29:59.475Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45084 (GCVE-0-2024-45084)
Vulnerability from nvd – Published: 2025-02-19 15:24 – Updated: 2025-09-29 17:55
VLAI?
Summary
IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0
could allow an authenticated attacker to conduct formula injection. An attacker could execute arbitrary commands on the system, caused by improper validation of file contents.
Severity ?
CWE
- CWE-1236 - Improper Neutralization of Formula Elements in a CSV File
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| IBM | Cognos Controller |
Affected:
11.0.0 , ≤ 11.0.1
(semver)
cpe:2.3:a:ibm:cognos_controller:11.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:cognos_controller:11.0.1:fix_pack_3:*:*:*:*:*:* |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45084",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-19T16:24:29.148111Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-19T16:24:33.325Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:cognos_controller:11.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cognos_controller:11.0.1:fix_pack_3:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Cognos Controller",
"vendor": "IBM",
"versions": [
{
"changes": [
{
"at": "FP3",
"status": "affected"
}
],
"lessThanOrEqual": "11.0.1",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "11.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 \n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ecould allow an authenticated attacker to conduct formula injection. An attacker could execute arbitrary commands on the system, caused by improper validation of file contents.\u003c/span\u003e\n\n\u003c/span\u003e"
}
],
"value": "IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 \n\ncould allow an authenticated attacker to conduct formula injection. An attacker could execute arbitrary commands on the system, caused by improper validation of file contents."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1236",
"description": "CWE-1236 Improper Neutralization of Formula Elements in a CSV File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T17:55:20.228Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7183597"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Cognos Controller CSV injection",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2024-45084",
"datePublished": "2025-02-19T15:24:03.216Z",
"dateReserved": "2024-08-21T19:11:05.063Z",
"dateUpdated": "2025-09-29T17:55:20.228Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-52902 (GCVE-0-2024-52902)
Vulnerability from nvd – Published: 2025-02-19 14:50 – Updated: 2025-08-15 14:42
VLAI?
Summary
IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 client application contains hard coded database passwords in source code which could be used for unauthorized access to the system.
Severity ?
8.8 (High)
CWE
- CWE-798 - Use of Hard-coded Credentials
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| IBM | Cognos Controller |
Affected:
11.0.0 , ≤ 11.0.1
(semver)
cpe:2.3:a:ibm:controller:11.1.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:cognos_controller:11.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:cognos_controller:11.0.1:fix_pack_3:*:*:*:*:*:* |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-52902",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-19T15:25:58.534638Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-19T15:26:06.517Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:controller:11.1.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cognos_controller:11.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cognos_controller:11.0.1:fix_pack_3:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Cognos Controller",
"vendor": "IBM",
"versions": [
{
"changes": [
{
"at": "FP3",
"status": "unaffected"
}
],
"lessThanOrEqual": "11.0.1",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "11.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 client application contains hard coded database passwords in source code which could be used for unauthorized access to the system.\u003c/span\u003e"
}
],
"value": "IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 client application contains hard coded database passwords in source code which could be used for unauthorized access to the system."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798 Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-15T14:42:21.022Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7183597"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Cognos Controller information disclosure",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2024-52902",
"datePublished": "2025-02-19T14:50:24.376Z",
"dateReserved": "2024-11-17T14:25:57.179Z",
"dateUpdated": "2025-08-15T14:42:21.022Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-22363 (GCVE-0-2022-22363)
Vulnerability from nvd – Published: 2025-01-07 16:07 – Updated: 2025-01-07 16:58
VLAI?
Summary
IBM Cognos Controller 11.0.0 through 11.0.1 and IBM Controller 11.1.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system.
Severity ?
4.3 (Medium)
CWE
- CWE-209 - Generation of Error Message Containing Sensitive Information
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| IBM | Controller |
Affected:
11.1.0
cpe:2.3:a:ibm:controller:11.1.0:*:*:*:*:*:*:* |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-22363",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-07T16:58:05.297251Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-07T16:58:21.218Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:controller:11.1.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Controller",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "11.1.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:ibm:cognos_controller:11.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cognos_controller:11.0.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Cognos Controller",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "11.0.1",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM Cognos Controller 11.0.0 through 11.0.1 and IBM Controller 11.1.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system."
}
],
"value": "IBM Cognos Controller 11.0.0 through 11.0.1 and IBM Controller 11.1.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-209",
"description": "CWE-209 Generation of Error Message Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-07T16:07:00.578Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"url": "https://www.ibm.com/support/pages/node/7179163"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Cognos Controller information disclosure",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2022-22363",
"datePublished": "2025-01-07T16:07:00.578Z",
"dateReserved": "2022-01-03T22:29:20.933Z",
"dateUpdated": "2025-01-07T16:58:21.218Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-20455 (GCVE-0-2021-20455)
Vulnerability from nvd – Published: 2025-01-07 16:04 – Updated: 2025-01-07 16:58
VLAI?
Summary
IBM Cognos Controller 11.0.0 through 11.0.1 and IBM Controller 11.1.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system.
Severity ?
CWE
- CWE-209 - Generation of Error Message Containing Sensitive Information
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| IBM | Controller |
Affected:
11.1.0
cpe:2.3:a:ibm:controller:11.1.0:*:*:*:*:*:*:* |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-20455",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-07T16:58:35.972262Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-07T16:58:53.303Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:controller:11.1.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Controller",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "11.1.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:ibm:cognos_controller:11.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cognos_controller:11.0.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Cognos Controller",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "11.0.1",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM Cognos Controller 11.0.0 through 11.0.1 and IBM Controller 11.1.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system."
}
],
"value": "IBM Cognos Controller 11.0.0 through 11.0.1 and IBM Controller 11.1.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-209",
"description": "CWE-209 Generation of Error Message Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-07T16:04:37.010Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"url": "https://www.ibm.com/support/pages/node/7179163"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Cognos Controller information disclosure",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2021-20455",
"datePublished": "2025-01-07T16:04:37.010Z",
"dateReserved": "2020-12-17T19:17:34.738Z",
"dateUpdated": "2025-01-07T16:58:53.303Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-40702 (GCVE-0-2024-40702)
Vulnerability from nvd – Published: 2025-01-07 16:02 – Updated: 2025-01-07 16:59
VLAI?
Summary
IBM Cognos Controller 11.0.0 through 11.0.1 and IBM Controller 11.1.0 could allow an unauthorized user to obtain valid tokens to gain access to protected resources due to improper certificate validation.
Severity ?
8.2 (High)
CWE
- CWE-295 - Improper Certificate Validation
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| IBM | Controller |
Affected:
11.1.0
cpe:2.3:a:ibm:controller:11.1.0:*:*:*:*:*:*:* |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-40702",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-07T16:59:15.610169Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-07T16:59:26.656Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:controller:11.1.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Controller",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "11.1.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:ibm:cognos_controller:11.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cognos_controller:11.0.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Cognos Controller",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "11.0.1",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM Cognos Controller 11.0.0 through 11.0.1 and IBM Controller 11.1.0 could allow an unauthorized user to obtain valid tokens to gain access to protected resources due to improper certificate validation."
}
],
"value": "IBM Cognos Controller 11.0.0 through 11.0.1 and IBM Controller 11.1.0 could allow an unauthorized user to obtain valid tokens to gain access to protected resources due to improper certificate validation."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295 Improper Certificate Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-07T16:02:36.236Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"url": "https://www.ibm.com/support/pages/node/7179163"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Cognos Controller improper certificate validation",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2024-40702",
"datePublished": "2025-01-07T16:02:36.236Z",
"dateReserved": "2024-07-08T19:31:12.238Z",
"dateUpdated": "2025-01-07T16:59:26.656Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-28778 (GCVE-0-2024-28778)
Vulnerability from nvd – Published: 2025-01-07 15:57 – Updated: 2025-01-07 16:47
VLAI?
Summary
IBM Cognos Controller 11.0.0 through 11.0.1 and IBM Controller 11.1.0 is vulnerable to exposure of Artifactory API keys. This vulnerability allows users to publish code to private packages or repositories under the name of the organization.
Severity ?
6.5 (Medium)
CWE
- CWE-798 - Use of Hard-coded Credentials
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| IBM | Controller |
Affected:
11.1.0
cpe:2.3:a:ibm:controller:11.1.0:*:*:*:*:*:*:* |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-28778",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-07T16:47:08.512733Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-07T16:47:18.576Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:controller:11.1.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Controller",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "11.1.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:ibm:cognos_controller:11.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cognos_controller:11.0.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Cognos Controller",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "11.0.1",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM Cognos Controller 11.0.0 through 11.0.1 and IBM Controller 11.1.0 is vulnerable to exposure of Artifactory API keys. This vulnerability allows users to publish code to private packages or repositories under the name of the organization."
}
],
"value": "IBM Cognos Controller 11.0.0 through 11.0.1 and IBM Controller 11.1.0 is vulnerable to exposure of Artifactory API keys. This vulnerability allows users to publish code to private packages or repositories under the name of the organization."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798 Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-07T15:57:13.969Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"url": "https://www.ibm.com/support/pages/node/7179163"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Cognos Controller information disclosure",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2024-28778",
"datePublished": "2025-01-07T15:57:13.969Z",
"dateReserved": "2024-03-10T12:23:11.490Z",
"dateUpdated": "2025-01-07T16:47:18.576Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CERTFR-2025-AVI-0154
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans les produits IBM. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une élévation de privilèges et un déni de service à distance.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| IBM | QRadar SIEM | QRadar SIEM versions 7.5.x antérieures à 7.5.0 UP11 IF01 | ||
| IBM | Controller | Controller versions 11.1.0.x antérieures à 11.1.0.1 | ||
| IBM | MaaS360 | MaaS360 Base, Configuration Utility versions antérieures à 3.001.100 | ||
| IBM | MaaS360 | MaaS360 Mobile Enterprise Gateway versions antérieures à 3.001.100 | ||
| IBM | Cognos Controller | Cognos Controller versions 11.x antérieures à 11.0.1 FP4 |
References
| Title | Publication Time | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "QRadar SIEM versions 7.5.x ant\u00e9rieures \u00e0 7.5.0 UP11 IF01",
"product": {
"name": "QRadar SIEM",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Controller versions 11.1.0.x ant\u00e9rieures \u00e0 11.1.0.1",
"product": {
"name": "Controller",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "MaaS360 Base, Configuration Utility versions ant\u00e9rieures \u00e0 3.001.100",
"product": {
"name": "MaaS360",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "MaaS360 Mobile Enterprise Gateway versions ant\u00e9rieures \u00e0 3.001.100",
"product": {
"name": "MaaS360",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Cognos Controller versions 11.x ant\u00e9rieures \u00e0 11.0.1 FP4",
"product": {
"name": "Cognos Controller",
"vendor": {
"name": "IBM",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2024-21235",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21235"
},
{
"name": "CVE-2024-21144",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21144"
},
{
"name": "CVE-2023-39017",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-39017"
},
{
"name": "CVE-2024-45084",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-45084"
},
{
"name": "CVE-2024-45081",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-45081"
},
{
"name": "CVE-2023-37920",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-37920"
},
{
"name": "CVE-2021-36373",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-36373"
},
{
"name": "CVE-2015-2325",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-2325"
},
{
"name": "CVE-2024-28780",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-28780"
},
{
"name": "CVE-2024-56326",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-56326"
},
{
"name": "CVE-2024-8508",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-8508"
},
{
"name": "CVE-2024-10917",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-10917"
},
{
"name": "CVE-2021-36374",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-36374"
},
{
"name": "CVE-2024-12085",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-12085"
},
{
"name": "CVE-2024-52902",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-52902"
},
{
"name": "CVE-2024-1488",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-1488"
},
{
"name": "CVE-2024-56337",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-56337"
},
{
"name": "CVE-2023-47160",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-47160"
},
{
"name": "CVE-2024-28776",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-28776"
},
{
"name": "CVE-2024-21907",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21907"
},
{
"name": "CVE-2024-35195",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35195"
},
{
"name": "CVE-2024-38999",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38999"
},
{
"name": "CVE-2024-9823",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-9823"
},
{
"name": "CVE-2024-40642",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-40642"
},
{
"name": "CVE-2024-21145",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21145"
},
{
"name": "CVE-2022-4245",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-4245"
},
{
"name": "CVE-2022-4244",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-4244"
},
{
"name": "CVE-2023-50314",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-50314"
},
{
"name": "CVE-2024-52337",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-52337"
},
{
"name": "CVE-2024-50379",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50379"
},
{
"name": "CVE-2024-21131",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21131"
},
{
"name": "CVE-2024-21210",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21210"
},
{
"name": "CVE-2020-11979",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11979"
},
{
"name": "CVE-2024-21217",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21217"
},
{
"name": "CVE-2024-27267",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-27267"
},
{
"name": "CVE-2018-12699",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-12699"
},
{
"name": "CVE-2024-28777",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-28777"
},
{
"name": "CVE-2024-21208",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21208"
}
],
"links": [],
"reference": "CERTFR-2025-AVI-0154",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-02-21T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
},
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits IBM. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une \u00e9l\u00e9vation de privil\u00e8ges et un d\u00e9ni de service \u00e0 distance.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
"vendor_advisories": [
{
"published_at": "2025-02-18",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7183597",
"url": "https://www.ibm.com/support/pages/node/7183597"
},
{
"published_at": "2025-02-18",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7183584",
"url": "https://www.ibm.com/support/pages/node/7183584"
},
{
"published_at": "2025-02-18",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7183612",
"url": "https://www.ibm.com/support/pages/node/7183612"
}
]
}