Warren Moynihan

**Name of the Vulnerable Software and Affected Versions** IBM Security Guardium Big Data Intelligence (SonarG) version 4.0 **Description** The issue is related to the software not setting the secure attribute for cookies in HTTPS sessions. This could cause the user agent to send those cookies in plaintext over an HTTP session. **Recommendations** For IBM Security Guardium Big Data Intelligence (SonarG) version 4.0, consider configuring the software to set the secure attribute for cookies in HTTPS sessions to prevent them from being sent in plaintext over HTTP. As a temporary workaround, restrict access to sensitive data that may be transmitted via cookies until a proper fix is applied. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** IBM Security Guardium Big Data Intelligence (SonarG) version 4.0 **Description** The issue concerns the storage of user credentials in plain text, which can be accessed by a local user. **Recommendations** For IBM Security Guardium Big Data Intelligence (SonarG) version 4.0, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** IBM Security Guardium Big Data Intelligence (SonarG) version 4.0 **Description** The issue discloses sensitive information to unauthorized users, which can be used to mount further attacks on the system. **Recommendations** For IBM Security Guardium Big Data Intelligence (SonarG) version 4.0, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** IBM Security Guardium Big Data Intelligence (SonarG) version 4.0 **Description** The issue concerns the use of hard-coded credentials in the software, which could allow a local user to obtain highly sensitive information. **Recommendations** For IBM Security Guardium Big Data Intelligence (SonarG) version 4.0, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** IBM Security Guardium Big Data Intelligence (SonarG) version 4.0 **Description** The issue specifies permissions for a security-critical resource, which could lead to the exposure of sensitive information or the modification of that resource by unintended parties. **Recommendations** For IBM Security Guardium Big Data Intelligence (SonarG) version 4.0, at the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** IBM Security Guardium Big Data Intelligence (SonarG) version 4.0 **Description** The issue is related to incomplete blacklisting for input validation, which allows attackers to bypass application controls. This results in a direct impact to the system and data integrity. **Recommendations** For IBM Security Guardium Big Data Intelligence (SonarG) version 4.0, consider implementing additional input validation mechanisms to prevent attackers from bypassing application controls. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** IBM Security Guardium Big Data Intelligence version 4.0 **Description** The issue is related to the lack of protection for service data in the Security Guardium Big Data Intelligence software. This could allow a remote attacker to gain unauthorized access to protected information. The software stores sensitive information in cleartext within a resource that might be accessible to another control sphere. **Recommendations** For IBM Security Guardium Big Data Intelligence version 4.0, consider restricting access to the resource that stores sensitive information in cleartext to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** IBM Security Key Lifecycle Manager versions 2.6 through 3.0.1 **Description** The issue discloses sensitive information to unauthorized users, which can be used to mount further attacks on the system. **Recommendations** For versions 2.6 through 3.0.1, update to a version that addresses the sensitive information disclosure issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** IBM Security Guardium Big Data Intelligence version 4.0 (SonarG) **Description** The issue is related to an inadequate account lockout setting, which could allow a remote attacker to brute force account credentials. **Recommendations** For IBM Security Guardium Big Data Intelligence version 4.0 (SonarG), consider implementing a more robust account lockout policy to prevent brute-force attacks. As a temporary workaround, restrict access to sensitive areas of the system to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** IBM Security Guardium Big Data Intelligence version 4.0 (SonarG) **Description** The issue is related to improper restriction of resource requests, allowing an actor to consume more resources than intended. **Recommendations** For IBM Security Guardium Big Data Intelligence version 4.0 (SonarG), at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** IBM Security Guardium Big Data Intelligence version 4.0 **Description** The issue is related to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this to expose sensitive information or consume memory resources. **Recommendations** For IBM Security Guardium Big Data Intelligence version 4.0, consider disabling XML data processing until a patch is available. Restrict access to sensitive information to minimize the risk of exploitation. As a temporary workaround, limit the consumption of memory resources to prevent potential denial-of-service attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: IBM QRadar SIEM versions 7.2 through 7.3 Description: The issue allows a security-critical resource to be read or modified by unintended actors due to improper permission specifications. Recommendations: For IBM QRadar SIEM versions 7.2 through 7.3, update the permission settings for the security-critical resource to prevent unintended access. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** IBM QRadar SIEM versions 7.2 through 7.3 **Description** A local user could obtain sensitive information when exporting content, which could aid an attacker in further attacks against the system. **Recommendations** For versions 7.2 and 7.3, update to a version that includes the fix for this issue to prevent local users from obtaining sensitive information.

Name of the Vulnerable Software and Affected Versions: IBM QRadar SIEM versions 7.2 through 7.3 Description: The issue allows users to embed arbitrary JavaScript code in the Web UI, altering the intended functionality and potentially leading to credentials disclosure within a trusted session. Recommendations: For versions 7.2 and 7.3, update to a version that includes a fix for this issue to prevent cross-site scripting attacks.

**Name of the Vulnerable Software and Affected Versions** IBM Security Information Queue (ISIQ) versions 1.0.0 through 1.0.2 **Description** The issue discloses sensitive information to unauthorized users, which can be used to mount further attacks on the system. **Recommendations** For versions 1.0.0 through 1.0.2, at the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** IBM Security Information Queue (ISIQ) versions 1.0.0 through 1.0.2 **Description** The issue allows web pages to be stored locally, which can then be read by another user on the system. **Recommendations** For versions 1.0.0 through 1.0.2, consider restricting access to sensitive web pages to minimize the risk of unauthorized reading. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** IBM Security Information Queue (ISIQ) versions 1.0.0 through 1.0.2 **Description** The issue generates an error message that includes sensitive information, which could be used in further attacks against the system. **Recommendations** For versions 1.0.0 through 1.0.2, consider restricting access to error messages to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** IBM Security Information Queue (ISIQ) versions 1.0.0 through 1.0.2 **Description** A remote attacker could hijack the clicking action of a victim by persuading them to visit a malicious Web site, potentially launching further attacks against the victim. **Recommendations** For versions 1.0.0 through 1.0.2, consider restricting access to potentially malicious Web sites to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** IBM QRadar SIEM versions 7.2 through 7.3 **Description** The issue concerns the use of weaker than expected cryptographic algorithms, which could allow an attacker to decrypt highly sensitive information. **Recommendations** For IBM QRadar SIEM versions 7.2 through 7.3, consider updating the cryptographic algorithms to stronger ones to prevent potential decryption of sensitive information by an attacker. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** IBM Security Identity Manager version 7.0.1 **Description** The issue allows a remote attacker to exploit the vulnerability to expose sensitive information or consume memory resources through a XML External Entity Injection (XXE) attack when processing XML data. **Recommendations** For IBM Security Identity Manager version 7.0.1, update to a version that includes a fix for this issue to prevent XXE attacks. As a temporary workaround, consider restricting XML data processing to minimize the risk of exploitation.