Tomasz Wiśniewski

Name of the Vulnerable Software and Affected Versions: IBM Security Identity Manager Adapters versions 6.0 through 7.0 Description: The issue is caused by improper bounds, leading to a heap-based buffer overflow. An authenticated user could overflow the buffer, causing the service to crash. Recommendations: For versions 6.0 and 7.0, update to a version that fixes the heap-based buffer overflow issue to prevent the service from crashing due to buffer overflow by an authenticated user. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** IBM Security Identity Manager version 6.0.2 **Description** The issue is related to insufficient validation of incoming requests, which could allow a remote authenticated attacker to obtain sensitive data by sending specially crafted requests. This can lead to unauthorized access to protected information. **Recommendations** For IBM Security Identity Manager version 6.0.2, consider restricting access to sensitive data and validating all incoming requests to minimize the risk of exploitation. As a temporary workaround, restrict the use of the affected functionality until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** IBM Security Identity Manager version 6.0.2 **Description** The issue is related to insufficient access controls in the Password Synchronization Plug-in of IBM Security Identity Manager, which could allow a remote attacker to gain unauthorized access to protected information. Specifically, an authenticated malicious user could change the passwords of other users in the Windows AD environment when the IBM Security Identity Manager Windows Password Synch Plug-in is deployed and configured. **Recommendations** For IBM Security Identity Manager version 6.0.2, consider restricting access to the Windows Password Synch Plug-in to minimize the risk of exploitation until a patch is available. As a temporary workaround, limit the privileges of authenticated users to prevent them from changing passwords of other users in the Windows AD environment.

**Name of the Vulnerable Software and Affected Versions** PeopleSoft Enterprise PeopleTools versions 8.56 through 8.58 **Description** The issue is related to insufficient input validation in the SQR component of PeopleSoft Enterprise PeopleTools. This allows a low-privileged attacker with network access via HTTP to compromise the application. Successful attacks can result in unauthorized access to data, including update, insert, or delete access to some data, as well as unauthorized read access to a subset of data. Additionally, it can cause a partial denial of service (DOS) of PeopleSoft Enterprise PeopleTools. **Recommendations** For versions 8.56, 8.57, and 8.58, update to a version that includes the fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** IBM Tivoli Netcool/Impact version 7.1.0 **Description** The issue allows for remote execution of commands by a low-privileged user, enabling remote code execution. This can lead to the execution of arbitrary code on the system, resulting in potential control over the system. **Recommendations** For IBM Tivoli Netcool/Impact version 7.1.0, at the moment, there is no information about a newer version that contains a fix for this issue.