Vulnerabilites related to ibm - webmethods_integration
Vulnerability from fkie_nvd
Published
2025-06-18 16:15
Modified
2025-08-13 14:08
Severity ?
Summary
IBM webMethods Integration Server 10.5, 10.7, 10.11, and 10.15
is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote authenticated attacker could exploit this vulnerability to execute arbitrary commands.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| psirt@us.ibm.com | https://www.ibm.com/support/pages/node/7237146 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ibm | webmethods_integration | 10.5 | |
| ibm | webmethods_integration | 10.7 | |
| ibm | webmethods_integration | 10.11 | |
| ibm | webmethods_integration | 10.15 | |
| apple | macos | - | |
| linux | linux_kernel | - | |
| microsoft | windows | - | |
| novell | suse_linux | - | |
| redhat | linux | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ibm:webmethods_integration:10.5:*:*:*:*:*:*:*",
"matchCriteriaId": "BF7F23BC-1BBD-440F-A122-59CDE90A30A5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ibm:webmethods_integration:10.7:*:*:*:*:*:*:*",
"matchCriteriaId": "E52CFF5B-D741-422C-ABF8-EC71E69F3A0E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ibm:webmethods_integration:10.11:*:*:*:*:*:*:*",
"matchCriteriaId": "2008B366-18FC-4991-976F-4CE78FE52B55",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ibm:webmethods_integration:10.15:*:*:*:*:*:*:*",
"matchCriteriaId": "A74F598F-90A3-4F57-99B8-5BA7AD731699",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*",
"matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*",
"matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*",
"matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:novell:suse_linux:-:*:*:*:*:*:*:*",
"matchCriteriaId": "B627E2A9-DE93-43FB-BFB7-5B6F421554D5",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:redhat:linux:-:*:*:*:*:*:*:*",
"matchCriteriaId": "C4EBE07A-6FEF-4343-BA5D-58FD175F5CD1",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "IBM webMethods Integration Server 10.5, 10.7, 10.11, and 10.15 \n\nis vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote authenticated attacker could exploit this vulnerability to execute arbitrary commands."
},
{
"lang": "es",
"value": "IBM webMethods Integration Server 10.5, 10.7, 10.11 y 10.15 es vulnerable a un ataque de inyecci\u00f3n de entidad externa (XXE) XML al procesar datos XML. Un atacante remoto autenticado podr\u00eda aprovechar esta vulnerabilidad para ejecutar comandos arbitrarios."
}
],
"id": "CVE-2025-36049",
"lastModified": "2025-08-13T14:08:53.837",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "psirt@us.ibm.com",
"type": "Primary"
}
]
},
"published": "2025-06-18T16:15:27.233",
"references": [
{
"source": "psirt@us.ibm.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.ibm.com/support/pages/node/7237146"
}
],
"sourceIdentifier": "psirt@us.ibm.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-611"
}
],
"source": "psirt@us.ibm.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-06-18 16:15
Modified
2025-08-13 14:12
Severity ?
Summary
IBM webMethods Integration Server 10.5, 10.7, 10.11, and 10.15 could allow a privileged user to escalate their privileges when handling external entities due to execution with unnecessary privileges.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| psirt@us.ibm.com | https://www.ibm.com/support/pages/node/7237144 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ibm | webmethods_integration | 10.5 | |
| ibm | webmethods_integration | 10.7 | |
| ibm | webmethods_integration | 10.11 | |
| ibm | webmethods_integration | 10.15 | |
| apple | macos | - | |
| linux | linux_kernel | - | |
| microsoft | windows | - | |
| novell | suse_linux | - | |
| redhat | linux | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ibm:webmethods_integration:10.5:*:*:*:*:*:*:*",
"matchCriteriaId": "BF7F23BC-1BBD-440F-A122-59CDE90A30A5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ibm:webmethods_integration:10.7:*:*:*:*:*:*:*",
"matchCriteriaId": "E52CFF5B-D741-422C-ABF8-EC71E69F3A0E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ibm:webmethods_integration:10.11:*:*:*:*:*:*:*",
"matchCriteriaId": "2008B366-18FC-4991-976F-4CE78FE52B55",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ibm:webmethods_integration:10.15:*:*:*:*:*:*:*",
"matchCriteriaId": "A74F598F-90A3-4F57-99B8-5BA7AD731699",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*",
"matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*",
"matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*",
"matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:novell:suse_linux:-:*:*:*:*:*:*:*",
"matchCriteriaId": "B627E2A9-DE93-43FB-BFB7-5B6F421554D5",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:redhat:linux:-:*:*:*:*:*:*:*",
"matchCriteriaId": "C4EBE07A-6FEF-4343-BA5D-58FD175F5CD1",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "IBM webMethods Integration Server 10.5, 10.7, 10.11, and 10.15 could allow a privileged user to escalate their privileges when handling external entities due to execution with unnecessary privileges."
},
{
"lang": "es",
"value": "IBM webMethods Integration Server 10.5, 10.7, 10.11 y 10.15 podr\u00edan permitir que un usuario privilegiado aumente sus privilegios al manejar entidades externas debido a la ejecuci\u00f3n con privilegios innecesarios."
}
],
"id": "CVE-2025-36048",
"lastModified": "2025-08-13T14:12:38.570",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "psirt@us.ibm.com",
"type": "Primary"
}
]
},
"published": "2025-06-18T16:15:27.080",
"references": [
{
"source": "psirt@us.ibm.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.ibm.com/support/pages/node/7237144"
}
],
"sourceIdentifier": "psirt@us.ibm.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-250"
}
],
"source": "psirt@us.ibm.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-09-04 16:15
Modified
2024-09-06 16:45
Severity ?
Summary
IBM webMethods Integration 10.15 could allow an authenticated user to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| psirt@us.ibm.com | https://www.ibm.com/support/pages/node/7167245 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ibm | webmethods_integration | 10.15 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ibm:webmethods_integration:10.15:*:*:*:*:*:*:*",
"matchCriteriaId": "A74F598F-90A3-4F57-99B8-5BA7AD731699",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "IBM webMethods Integration 10.15 could allow an authenticated user to traverse directories on the system. An attacker could send a specially crafted URL request containing \"dot dot\" sequences (/../) to view arbitrary files on the system."
},
{
"lang": "es",
"value": "IBM webMethods Integration 10.15 podr\u00eda permitir que un usuario autenticado recorra directorios en el sistema. Un atacante podr\u00eda enviar una solicitud de URL especialmente manipulada que contenga secuencias de \"punto punto\" (/../) para ver archivos arbitrarios en el sistema."
}
],
"id": "CVE-2024-45074",
"lastModified": "2024-09-06T16:45:32.767",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "psirt@us.ibm.com",
"type": "Primary"
}
]
},
"published": "2024-09-04T16:15:08.110",
"references": [
{
"source": "psirt@us.ibm.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.ibm.com/support/pages/node/7167245"
}
],
"sourceIdentifier": "psirt@us.ibm.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "psirt@us.ibm.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-09-04 16:15
Modified
2024-09-06 16:45
Severity ?
Summary
IBM webMethods Integration 10.15 could allow an authenticated user to create scheduler tasks that would allow them to escalate their privileges to administrator due to missing authentication.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| psirt@us.ibm.com | https://www.ibm.com/support/pages/node/7167245 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ibm | webmethods_integration | 10.15 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ibm:webmethods_integration:10.15:*:*:*:*:*:*:*",
"matchCriteriaId": "A74F598F-90A3-4F57-99B8-5BA7AD731699",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "IBM webMethods Integration 10.15 could allow an authenticated user to create scheduler tasks that would allow them to escalate their privileges to administrator due to missing authentication."
},
{
"lang": "es",
"value": "IBM webMethods Integration 10.15 podr\u00eda permitir que un usuario autenticado cree tareas de planificador que le permitan escalar sus privilegios a administrador debido a la falta de autenticaci\u00f3n."
}
],
"id": "CVE-2024-45075",
"lastModified": "2024-09-06T16:45:12.980",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "psirt@us.ibm.com",
"type": "Primary"
}
]
},
"published": "2024-09-04T16:15:08.357",
"references": [
{
"source": "psirt@us.ibm.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.ibm.com/support/pages/node/7167245"
}
],
"sourceIdentifier": "psirt@us.ibm.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-308"
}
],
"source": "psirt@us.ibm.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-09-04 16:15
Modified
2024-09-06 16:44
Severity ?
Summary
IBM webMethods Integration 10.15 could allow an authenticated user to upload and execute arbitrary files which could be executed on the underlying operating system.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| psirt@us.ibm.com | https://www.ibm.com/support/pages/node/7167245 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ibm | webmethods_integration | 10.15 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ibm:webmethods_integration:10.15:*:*:*:*:*:*:*",
"matchCriteriaId": "A74F598F-90A3-4F57-99B8-5BA7AD731699",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "IBM webMethods Integration 10.15 could allow an authenticated user to upload and execute arbitrary files which could be executed on the underlying operating system."
},
{
"lang": "es",
"value": "IBM webMethods Integration 10.15 podr\u00eda permitir que un usuario autenticado cargue y ejecute archivos arbitrarios que podr\u00edan ejecutarse en el sistema operativo subyacente."
}
],
"id": "CVE-2024-45076",
"lastModified": "2024-09-06T16:44:52.310",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 6.0,
"source": "psirt@us.ibm.com",
"type": "Primary"
}
]
},
"published": "2024-09-04T16:15:08.600",
"references": [
{
"source": "psirt@us.ibm.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.ibm.com/support/pages/node/7167245"
}
],
"sourceIdentifier": "psirt@us.ibm.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-434"
}
],
"source": "psirt@us.ibm.com",
"type": "Primary"
}
]
}
CVE-2025-36048 (GCVE-0-2025-36048)
Vulnerability from cvelistv5
Published
2025-06-18 16:04
Modified
2025-06-18 17:53
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-250 - Execution with Unnecessary Privileges
Summary
IBM webMethods Integration Server 10.5, 10.7, 10.11, and 10.15 could allow a privileged user to escalate their privileges when handling external entities due to execution with unnecessary privileges.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | webMethods Integration Server |
Version: 10.5, 10.7, 10.11, 10.15 cpe:2.3:a:softwareag:webmethods:10.5:*:*:*:*:*:*:* cpe:2.3:a:softwareag:webmethods:10.7:*:*:*:*:*:*:* cpe:2.3:a:softwareag:webmethods:10.11:*:*:*:*:*:*:* cpe:2.3:a:softwareag:webmethods:10.15:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36048",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-18T17:49:44.656092Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-18T17:53:01.000Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:softwareag:webmethods:10.5:*:*:*:*:*:*:*",
"cpe:2.3:a:softwareag:webmethods:10.7:*:*:*:*:*:*:*",
"cpe:2.3:a:softwareag:webmethods:10.11:*:*:*:*:*:*:*",
"cpe:2.3:a:softwareag:webmethods:10.15:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "webMethods Integration Server",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "10.5, 10.7, 10.11, 10.15"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rob Maslen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM webMethods Integration Server 10.5, 10.7, 10.11, and 10.15 could allow a privileged user to escalate their privileges when handling external entities due to execution with unnecessary privileges."
}
],
"value": "IBM webMethods Integration Server 10.5, 10.7, 10.11, and 10.15 could allow a privileged user to escalate their privileges when handling external entities due to execution with unnecessary privileges."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-250",
"description": "CWE-250 Execution with Unnecessary Privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-18T16:04:28.802Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.ibm.com/support/pages/node/7237144"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM strongly recommends addressing the vulnerability now by applying the mentioned core fixes or later core fixes for the affected versions and following the respective fix readme document.\u003cbr\u003e\u003cbr\u003eIS_10.5_Core_Fix29 or later\u003cbr\u003eIS_10.7_Core_Fix23 or later\u003cbr\u003eIS_10.11_Core_Fix11 or later\u003cbr\u003eIS_10.15_Core_Fix14 or later\u003cbr\u003e\u003cbr\u003eFixes can be downloaded and installed via IBM webMethods Update Manager. Refer to How to Download webMethods Software\u003cbr\u003e"
}
],
"value": "IBM strongly recommends addressing the vulnerability now by applying the mentioned core fixes or later core fixes for the affected versions and following the respective fix readme document.\n\nIS_10.5_Core_Fix29 or later\nIS_10.7_Core_Fix23 or later\nIS_10.11_Core_Fix11 or later\nIS_10.15_Core_Fix14 or later\n\nFixes can be downloaded and installed via IBM webMethods Update Manager. Refer to How to Download webMethods Software"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM webMethods Integration Sever code execution",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36048",
"datePublished": "2025-06-18T16:04:28.802Z",
"dateReserved": "2025-04-15T21:16:10.569Z",
"dateUpdated": "2025-06-18T17:53:01.000Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45075 (GCVE-0-2024-45075)
Vulnerability from cvelistv5
Published
2024-09-04 16:01
Modified
2024-09-04 16:18
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-308 - Use of Single-factor Authentication
Summary
IBM webMethods Integration 10.15 could allow an authenticated user to create scheduler tasks that would allow them to escalate their privileges to administrator due to missing authentication.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | webMethods Integration |
Version: 10.15 cpe:2.3:a:softwareag:webmethods:10.15:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45075",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-04T16:18:31.427546Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-04T16:18:41.619Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:softwareag:webmethods:10.15:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "webMethods Integration",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "10.15"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM webMethods Integration 10.15 could allow an authenticated user to create scheduler tasks that would allow them to escalate their privileges to administrator due to missing authentication."
}
],
"value": "IBM webMethods Integration 10.15 could allow an authenticated user to create scheduler tasks that would allow them to escalate their privileges to administrator due to missing authentication."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-308",
"description": "CWE-308: Use of Single-factor Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-04T16:01:17.026Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"url": "https://www.ibm.com/support/pages/node/7167245"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM webMethods Integration privilege escalation",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2024-45075",
"datePublished": "2024-09-04T16:01:17.026Z",
"dateReserved": "2024-08-21T19:10:49.905Z",
"dateUpdated": "2024-09-04T16:18:41.619Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45076 (GCVE-0-2024-45076)
Vulnerability from cvelistv5
Published
2024-09-04 15:59
Modified
2024-09-04 18:29
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Summary
IBM webMethods Integration 10.15 could allow an authenticated user to upload and execute arbitrary files which could be executed on the underlying operating system.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | webMethods Integration |
Version: 10.15 cpe:2.3:a:softwareag:webmethods:10.15:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45076",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-04T18:29:29.552776Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-04T18:29:57.834Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:softwareag:webmethods:10.15:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "webMethods Integration",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "10.15"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM webMethods Integration 10.15 could allow an authenticated user to upload and execute arbitrary files which could be executed on the underlying operating system."
}
],
"value": "IBM webMethods Integration 10.15 could allow an authenticated user to upload and execute arbitrary files which could be executed on the underlying operating system."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-04T15:59:07.939Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"url": "https://www.ibm.com/support/pages/node/7167245"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM webMethods Integration code execution",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2024-45076",
"datePublished": "2024-09-04T15:59:07.939Z",
"dateReserved": "2024-08-21T19:10:49.905Z",
"dateUpdated": "2024-09-04T18:29:57.834Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45074 (GCVE-0-2024-45074)
Vulnerability from cvelistv5
Published
2024-09-04 16:02
Modified
2024-09-04 16:18
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
IBM webMethods Integration 10.15 could allow an authenticated user to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | webMethods Integration |
Version: 10.15 cpe:2.3:a:softwareag:webmethods:10.15:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45074",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-04T16:18:05.075398Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-04T16:18:12.246Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:softwareag:webmethods:10.15:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "webMethods Integration",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "10.15"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM webMethods Integration 10.15 could allow an authenticated user to traverse directories on the system. An attacker could send a specially crafted URL request containing \"dot dot\" sequences (/../) to view arbitrary files on the system."
}
],
"value": "IBM webMethods Integration 10.15 could allow an authenticated user to traverse directories on the system. An attacker could send a specially crafted URL request containing \"dot dot\" sequences (/../) to view arbitrary files on the system."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-04T16:02:16.587Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"url": "https://www.ibm.com/support/pages/node/7167245"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM webMethods Integration directory traversal",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2024-45074",
"datePublished": "2024-09-04T16:02:16.587Z",
"dateReserved": "2024-08-21T19:10:49.905Z",
"dateUpdated": "2024-09-04T16:18:12.246Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-36049 (GCVE-0-2025-36049)
Vulnerability from cvelistv5
Published
2025-06-18 16:06
Modified
2025-06-18 17:48
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-611 - Improper Restriction of XML External Entity Reference
Summary
IBM webMethods Integration Server 10.5, 10.7, 10.11, and 10.15
is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote authenticated attacker could exploit this vulnerability to execute arbitrary commands.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | webMethods Integration Server |
Version: 10.5, 10.7, 10.11, 10.15 cpe:2.3:a:softwareag:webmethods:10.5:*:*:*:*:*:*:* cpe:2.3:a:softwareag:webmethods:10.7:*:*:*:*:*:*:* cpe:2.3:a:softwareag:webmethods:10.11:*:*:*:*:*:*:* cpe:2.3:a:softwareag:webmethods:10.15:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36049",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-18T17:47:53.956675Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-18T17:48:11.269Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:softwareag:webmethods:10.5:*:*:*:*:*:*:*",
"cpe:2.3:a:softwareag:webmethods:10.7:*:*:*:*:*:*:*",
"cpe:2.3:a:softwareag:webmethods:10.11:*:*:*:*:*:*:*",
"cpe:2.3:a:softwareag:webmethods:10.15:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "webMethods Integration Server",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "10.5, 10.7, 10.11, 10.15"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Filip Dragovic"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM webMethods Integration Server 10.5, 10.7, 10.11, and 10.15 \n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eis vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote authenticated attacker could exploit this vulnerability to execute arbitrary commands.\u003c/span\u003e"
}
],
"value": "IBM webMethods Integration Server 10.5, 10.7, 10.11, and 10.15 \n\nis vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote authenticated attacker could exploit this vulnerability to execute arbitrary commands."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611 Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-18T16:06:18.983Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.ibm.com/support/pages/node/7237146"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM strongly recommends addressing the vulnerability now by applying the mentioned core fixes or later core fixes for the affected versions and following the respective fix readme document.\u003cbr\u003e\u003cbr\u003eIS_10.5_Core_Fix29 or later\u003cbr\u003eIS_10.7_Core_Fix23 or later\u003cbr\u003eIS_10.11_Core_Fix11 or later\u003cbr\u003eIS_10.15_Core_Fix14 or later\u003cbr\u003e\u003cbr\u003eFixes can be downloaded and installed via IBM webMethods Update Manager. Refer to How to Download webMethods Software\u003cbr\u003e"
}
],
"value": "IBM strongly recommends addressing the vulnerability now by applying the mentioned core fixes or later core fixes for the affected versions and following the respective fix readme document.\n\nIS_10.5_Core_Fix29 or later\nIS_10.7_Core_Fix23 or later\nIS_10.11_Core_Fix11 or later\nIS_10.15_Core_Fix14 or later\n\nFixes can be downloaded and installed via IBM webMethods Update Manager. Refer to How to Download webMethods Software"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM webMethods Integration Sever XML external entity injection",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36049",
"datePublished": "2025-06-18T16:06:18.983Z",
"dateReserved": "2025-04-15T21:16:10.569Z",
"dateUpdated": "2025-06-18T17:48:11.269Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}