Multiple vulnerabilities in IBM Cloud Pak for Multicloud Management Monitoring
| Risk | Critical |
| Patch available | YES |
| Number of vulnerabilities | 89 |
| CVE-ID | CVE-2022-38473 CVE-2022-29917 CVE-2021-38503 CVE-2022-38477 CVE-2021-38495 CVE-2022-29911 CVE-2022-38472 CVE-2022-22738 CVE-2022-22751 CVE-2022-31737 CVE-2022-38478 CVE-2021-38500 CVE-2021-43542 CVE-2022-28281 CVE-2022-22761 CVE-2021-38504 CVE-2021-43537 CVE-2022-34472 CVE-2022-22742 CVE-2022-26383 CVE-2022-22745 CVE-2022-31742 CVE-2022-1802 CVE-2021-38493 CVE-2022-29916 CVE-2021-38501 CVE-2022-36318 CVE-2022-2200 CVE-2022-34479 CVE-2022-29914 CVE-2022-31738 CVE-2021-43538 CVE-2022-1097 CVE-2022-22741 CVE-2022-26387 CVE-2022-22747 CVE-2022-22760 CVE-2022-26381 CVE-2022-28286 CVE-2022-29912 CVE-2022-42927 CVE-2022-26386 CVE-2021-38509 CVE-2022-42932 CVE-2022-22763 CVE-2022-31736 CVE-2022-40959 CVE-2021-43545 CVE-2022-40958 CVE-2022-1529 CVE-2022-42929 CVE-2021-43543 CVE-2022-36319 CVE-2022-29909 CVE-2022-28289 CVE-2022-22764 CVE-2022-22759 CVE-2022-26485 CVE-2022-1196 CVE-2021-38498 CVE-2022-22737 CVE-2022-40960 CVE-2022-34484 CVE-2021-43539 CVE-2022-22739 CVE-2022-42928 CVE-2021-43536 CVE-2022-22743 CVE-2021-43541 CVE-2022-26486 CVE-2022-40956 CVE-2022-26384 CVE-2022-34470 CVE-2022-34481 CVE-2022-31747 CVE-2022-38476 CVE-2022-24713 CVE-2022-28282 CVE-2021-38507 CVE-2022-40962 CVE-2022-28285 CVE-2021-43546 CVE-2022-31741 CVE-2022-34468 CVE-2021-38508 CVE-2021-4140 CVE-2021-38506 CVE-2021-38497 CVE-2022-22740 |
| CWE-ID | CWE-264 CWE-119 CWE-254 CWE-451 CWE-122 CWE-787 CWE-200 CWE-416 CWE-704 CWE-388 CWE-357 CWE-94 CWE-79 CWE-1021 CWE-367 CWE-20 CWE-284 CWE-664 CWE-835 CWE-399 CWE-190 CWE-400 CWE-457 CWE-346 |
| Exploitation vector | Network |
| Public exploit |
Public exploit code for vulnerability #14 is available. Public exploit code for vulnerability #23 is available. Vulnerability #58 is being exploited in the wild. Vulnerability #70 is being exploited in the wild. Public exploit code for vulnerability #78 is available. |
| Vulnerable software Subscribe |
IBM Cloud Pak for Multicloud Management Monitoring Server applications / Other server solutions |
| Vendor | IBM Corporation |
Security Bulletin
This security bulletin contains information about 89 vulnerabilities.
1) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU66720
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-38473
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to incorrectly imposed security restrictions on a cross-origin iframe referencing an XSLT document. A remote attacker can trick the victim to visit a specially crafted website and inherit the parent domain's permissions to access microphone or camera.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Buffer overflow
EUVDB-ID: #VU62763
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-29917
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Security features bypass
EUVDB-ID: #VU57876
Risk: High
CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-38503
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to the iframe sandbox rules were not correctly applied to XSLT stylesheets. A remote attacker can load use an iframe to bypass restrictions such as executing scripts or navigating the top-level frame.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Buffer overflow
EUVDB-ID: #VU66723
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-38477
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Buffer overflow
EUVDB-ID: #VU56376
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-38495
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Security features bypass
EUVDB-ID: #VU62759
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-29911
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to improper protection for the top-level navigation for an iframe sandbox with a policy relaxed through a keyword like allow-top-navigation-by-user-activation. A remote attacker can abuse this to bypass implemented sandboxing restrictions of loaded iframes.
Install update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Spoofing attack
EUVDB-ID: #VU66719
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-38472
CWE-ID:
CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to incorrect processing of XSLT errors. A remote attacker can spoof the address bar and trick the user into submitting data intended for the spoofed origin.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Heap-based buffer overflow
EUVDB-ID: #VU59371
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-22738
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in blendGaussianBlur when applying CSS filter. A remote attacker can trick the victim to open a specially crafted web page, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Buffer overflow
EUVDB-ID: #VU59382
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-22751
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Out-of-bounds write
EUVDB-ID: #VU63873
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-31737
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error in WebGL when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it using the affected software, trigger out-of-bounds write and execute arbitrary code on the target system.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Buffer overflow
EUVDB-ID: #VU66724
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-38478
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Memory corruption
EUVDB-ID: #VU57065
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-38500
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can trick the victim to visit a specially crafted web page, trigger a memory corruption and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Information disclosure
EUVDB-ID: #VU58612
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-43542
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to the way Firefox handles XMLHttpRequest requests. A remote attacker can initiate a XMLHttpRequest and identify installed applications by probing error messages for loading external protocols.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
14) Out-of-bounds write
EUVDB-ID: #VU61885
Risk: High
CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2022-28281
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error when handling an unexpected number of WebAuthN Extensions in a Register command to the parent process. A remote attacker can create a specially crafted web page, trick the victim into opening it using the affected software, trigger out-of-bounds write and execute arbitrary code on the target system.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
15) Security features bypass
EUVDB-ID: #VU60411
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-22761
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform unauthorized actions.
The vulnerability exists due to frame-ancestors Content Security Policy directive was not enforced for framed extension pages (pages with a moz-extension:// scheme). A remote attacker perform unauthorized actions.
Install update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
16) Use-after-free
EUVDB-ID: #VU57878
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-38504
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when interacting with an HTML input element's file picker dialog with webkitdirectory set. A remote attacker can trick the victim to open a specially crafted website, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
17) Type conversion
EUVDB-ID: #VU58586
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-43537
CWE-ID:
CWE-704 - Type conversion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to a type conversion error when processing sizes from 64bit to 32bit integers when using structured clone. A remote attacker can trick the victim to visit a specially crafted web page, trigger a heap-based buffer overflow and execute arbitrary code on the system.
Install update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
18) Error Handling
EUVDB-ID: #VU64760
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-34472
CWE-ID:
CWE-388 - Error Handling
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to influence browser behavior.
The vulnerability exists due to improper error handling when processing unavailable PAC file. If a PAC URL is set and the server that hosts the PAC is unreachable, OCSP requests are blocked, resulting in incorrect error pages being shown.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
19) Out-of-bounds write
EUVDB-ID: #VU59368
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-22742
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted input, when inserting text while in edit mode. A remote attacker can create a specially crafted website, trick the victim into opening it and insert specially crafted input in the edit mode, trigger out-of-bounds write and execute arbitrary code on the target system.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
20) Insufficient UI Warning of Dangerous Operations
EUVDB-ID: #VU61102
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-26383
CWE-ID:
CWE-357 - Insufficient UI Warning of Dangerous Operations
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to an error when resizing a popup after requesting fullscreen access. The popup would not display the fullscreen notification, which allows a remote attacker to perform spoofing attack.
Install update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
21) Information disclosure
EUVDB-ID: #VU59377
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-22745
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to Securitypolicyviolation events leak cross-origin information for frame-ancestors violations. A remote attacker can gain access to sensitive data.
Install update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
22) Information disclosure
EUVDB-ID: #VU63878
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-31742
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to an error when handling a large number of allowCredential entries. A remote attacker can trick the victim to visit a specially crafted website, launch a timing attack and detect the difference between invalid key handles and cross-origin key handles. Successful exploitation of the vulnerability can lead to cross-origin account linking in violation of WebAuthn goals.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
23) Code Injection
EUVDB-ID: #VU63501
Risk: High
CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2022-1802
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to prototype pollution in Top-Level Await implementation. A remote attacker can trick the victim to visit a specially crafted website, corrupt the methods of an Array object in JavaScript via prototype pollution and execute arbitrary JavaScript code in a privileged context.
Successful exploitation of the vulnerability may allow an attacker to compromise the affected system.
Install update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
24) Buffer overflow
EUVDB-ID: #VU56374
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-38493
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
25) Information disclosure
EUVDB-ID: #VU62758
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-29916
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to browsers behaves differently when loading CSS from known resources involving CSS variables. A remote attacker can monitor browser behavior to guess which websites were previously visited and are stored in browser history.
Install update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
26) Buffer overflow
EUVDB-ID: #VU57068
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-38501
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
27) Cross-site scripting
EUVDB-ID: #VU65795
Risk: Medium
CVSSv3.1: 4.1 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-36318
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data when visiting directory listings for chrome:// URLs as source text. A remote attacker can execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
28) Code Injection
EUVDB-ID: #VU64762
Risk: Medium
CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-2200
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary JavaScript code.
The vulnerability exists due to improper input validation when handling JavaScript attributes. A remote attacker can pass undesired attributes to JavaScript object and perform prototype pollution and execute arbitrary JavaScript code in the browser.
Install update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
29) Improper Restriction of Rendered UI Layers or Frames
EUVDB-ID: #VU64750
Risk: Medium
CVSSv3.1: 6.2 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-34479
CWE-ID:
CWE-1021 - Improper Restriction of Rendered UI Layers or Frames
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to improper handling of resizing event for a popup window. A remote attacker can create a specially crafted website that can create a resized popup to overlay the address bar with its own content and perform spoofing attack.
Note, the vulnerability affects Linux installations only.
Install update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
30) Insufficient UI warning of dangerous operations
EUVDB-ID: #VU62756
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-29914
CWE-ID:
CWE-357 - Insufficient UI Warning of Dangerous Operations
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to an error when reusing existing popups. A remote attacker can trick the victim to visit a specially crated website and abuse the popups to cover the fullscreen notification UI, which can allow browser spoofing attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
31) Spoofing attack
EUVDB-ID: #VU63874
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-31738
CWE-ID:
CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to an error when exiting fullscreen mode. A remote attacker can use an iframe to confused the browser about the current state of fullscreen and perform spoofing attack.
Install update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
32) Spoofing attack
EUVDB-ID: #VU58607
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-43538
CWE-ID:
CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to a race in notification code. A remote attacker can hide the notification for pages that had received full screen and pointer lock access. Successful exploitation of the vulnerability may allow an attacker to perform spoofing attack.
Install update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
33) Use-after-free
EUVDB-ID: #VU61884
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-1097
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when handling NSSToken objects. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
34) Improper Restriction of Rendered UI Layers or Frames
EUVDB-ID: #VU59369
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-22741
CWE-ID:
CWE-1021 - Improper Restriction of Rendered UI Layers or Frames
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to an error resizing a popup while requesting fullscreen access. A remote attacker can
trick the victim to open a specially crafted web page, and make the
browser unable to leave fullscreen mode.
Install update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
35) Time-of-check Time-of-use (TOCTOU) Race Condition
EUVDB-ID: #VU61104
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-26387
CWE-ID:
CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to a race condition when verifying signatures during Firefox add-on installation. A remote attacker can replace the underlying add-on file while the user was confirming the prompt and install a malicious add-on on the system.
Install update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
36) Input validation error
EUVDB-ID: #VU59379
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-22747
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of empty pkcs7 sequence, passed as part of the certificate data. A remote attacker can pass specially crafted certificate to the application and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
37) Information disclosure
EUVDB-ID: #VU60409
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-22760
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to the way Firefox displays error messages in cross-origin responses, when importing resources using Web Workers. A remote attacker can distinguish the difference between application/javascript responses and non-script responses and learn information cross-origin.
Install update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
38) Use-after-free
EUVDB-ID: #VU61105
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-26381
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing HTML content A remote attacker can trigger a use-after-free by forcing a text reflow in an SVG object and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
39) Spoofing attack
EUVDB-ID: #VU61890
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-28286
CWE-ID:
CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to incorrect processing of user-supplied data. Due to a layout change, iframe contents can be rendered outside of its border. A remote attacker can spoof page content.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
40) Security features bypass
EUVDB-ID: #VU62760
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-29912
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to requests initiated through reader mode did not properly omit cookies with a SameSite attribute. A remote attacker can intercept cookies with SameSite attribute set.
Install update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
41) Security features bypass
EUVDB-ID: #VU68405
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-42927
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to same-origin policy violation in the performance.getEntries() method. A remote attacker can trick the victim to open a specially crafted website and gain obtain cross-origin URL entries.
Install update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
42) Improper access control
EUVDB-ID: #VU61109
Risk: Low
CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-26386
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to victim's downloads.
The vulnerability exists due to browser stores files in the /tmp folder, which is accessible by all local users. A local user can read files from this folder and gain access to potentially sensitive information.
Note, the vulnerability affects Firefox ESR on macOS and Linux.
Install update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
43) Improper Restriction of Rendered UI Layers or Frames
EUVDB-ID: #VU57883
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-38509
CWE-ID:
CWE-1021 - Improper Restriction of Rendered UI Layers or Frames
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to incorrect processing of an unusual sequence of attacker-controlled events. A remote attacker can display a Javascript alert() dialog with arbitrary (although unstyled) contents over top of arbitrary webpage of the attacker's choosing.
Install update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
44) Buffer overflow
EUVDB-ID: #VU68408
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-42932
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when handling HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
45) Improper control of a resource through its lifetime
EUVDB-ID: #VU60414
Risk: Medium
CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-22763
CWE-ID:
CWE-664 - Improper control of a resource through its lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to an error when handling script execution during invalid object state. A remote attacker can cause a script to run late in the lifecycle, at a point after where it should not be possible.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
46) Information disclosure
EUVDB-ID: #VU63872
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-31736
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to an error when processing HTTP requests. A malicious website can obtain the size of a cross-origin resource that supported Range requests. MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
47) Security features bypass
EUVDB-ID: #VU67500
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-40959
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to incorrect initialization of FeaturePolicy on all pages during iframe navigation. A remote attacker can trick the victim to open a specially crafted website, bypass FeaturePolicy restrictions and force the browser to leak device permissions into untrusted subdocuments.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
48) Infinite loop
EUVDB-ID: #VU58615
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-43545
CWE-ID:
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop when using Location API. A remote attacker can consume all available system resources and cause denial of service conditions.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
49) Security features bypass
EUVDB-ID: #VU67502
Risk: Medium
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-40958
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to incorrect handling of cookies. A remote attacker with access to a shared subdomain can inject a cookies with certain special characters, bypass Secure Context restriction for cookies with __Host and __Secure prefix and overwrite these cookies, potentially allowing session fixation attacks.
Install update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
50) Input validation error
EUVDB-ID: #VU63502
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-1529
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insufficient validation of user-supplied input within the NotificationsDB module. A remote attacker can trick the victim to visit a specially crafted web page, which passes malicious messages to the parent process where the contents is used to double-index into a JavaScript object. As a result, an attacker can perform prototype pollution and execute arbitrary JavaScript code in the privileged parent process.
Successful exploitation of the vulnerability may allow an attacker to compromise the affected system.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
51) Resource management error
EUVDB-ID: #VU68407
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-42929
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the application when handling window.print() events. A remote attacker trick the victim to open a specially crafted website and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
52) Security features bypass
EUVDB-ID: #VU58613
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-43543
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to an error when handling CSP policies. Documents loaded with the CSP sandbox directive can escape the sandbox's script restriction by embedding additional content.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
53) Spoofing attack
EUVDB-ID: #VU65793
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-36319
CWE-ID:
CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to an error, related to mouse pointer positioning when combining CSS properties for overflow and transform. A remote attacker can trick the victim into interacting with mouse cursor with different coordinates than displayed.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
54) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU62757
Risk: High
CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-29909
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due improper management of permissions within the application. Documents in deeply-nested cross-origin browsing contexts can obtain permissions granted to the top-level origin. A remote attacker can create a web page that bypasses the existing browser prompt and wrongfully inherits the top-level permissions.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
55) Buffer overflow
EUVDB-ID: #VU61892
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-28289
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
56) Buffer overflow
EUVDB-ID: #VU60413
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-22764
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
57) Sandbox restrictions bypass
EUVDB-ID: #VU60406
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-22759
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to the way iframes are handled by the browser. If a document created a sandboxed iframe without allow-scripts,
and subsequently appended an element to the iframe's document that e.g.
had a JavaScript event handler - the event handler would have run
despite the iframe's sandbox.
Install update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
58) Use-after-free
EUVDB-ID: #VU61032
Risk: Critical
CVSSv3.1: 8.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C]
CVE-ID: CVE-2022-26485
CWE-ID:
CWE-416 - Use After Free
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing XSLT parameter. A remote attacker can trick the victim to open a specially crafted web page, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Install update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
59) Use-after-free
EUVDB-ID: #VU61894
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-1196
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing HTML content after the VR Process is destroyed. A remote attacker can trick the victim to visit a specially crafted website, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
60) Use-after-free
EUVDB-ID: #VU57067
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-38498
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in the nsLanguageAtomService object. A remote attacker can trick the victim to open a specially crafted website, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
61) Use-after-free
EUVDB-ID: #VU59372
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-22737
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the affected system.
Install update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
62) Use-after-free
EUVDB-ID: #VU67501
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-40960
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error caused by a concurrent use of the URL parser with non-UTF-8 data. A remote attacker can trick the victim to visit a specially crafted website, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
63) Buffer overflow
EUVDB-ID: #VU64763
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-34484
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
64) Use-after-free
EUVDB-ID: #VU58608
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-43539
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in GC rooting when calling wasm instance methods. A remote attacker can trick the victim to open a specially crafted web page, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
65) Security features bypass
EUVDB-ID: #VU59381
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-22739
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to missing throttling on external protocol launch dialog. A malicious websites can trick users into accepting launching a program to handle an external URL protocol.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
66) Buffer overflow
EUVDB-ID: #VU68406
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-42928
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in Garbage Collector within the JS engine. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
67) Information disclosure
EUVDB-ID: #VU58585
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-43536
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to URL leakage when executing asynchronous functions. A remote attacker can trick the victim to open a specially crafted web page and reveal the URL of the page that is being visited afterwards.
Install update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
68) Improper Restriction of Rendered UI Layers or Frames
EUVDB-ID: #VU59367
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-22743
CWE-ID:
CWE-1021 - Improper Restriction of Rendered UI Layers or Frames
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to an error when navigating from inside an iframe while requesting fullscreen access. A remote attacker can trick the victim to open a specially crafted web page, and make the browser unable to leave fullscreen mode.
Successful exploitation of the vulnerability may allow an attacker to perform spoofing attack.
Install update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
69) Input validation error
EUVDB-ID: #VU58611
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-43541
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient validation of user-supplied input when handling spaces in URLS with external protocol handlers. A remote attacker can trick the victim to click on a specially crafted link and pass unescaped input to a third-party application via URI handler.
Install update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
70) Use-after-free
EUVDB-ID: #VU61033
Risk: Critical
CVSSv3.1: 8.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C]
CVE-ID: CVE-2022-26486
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing messages in the WebGPU IPC framework. A remote attacker can trick the victim to open a specially crafted web page, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Install update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
71) Security features bypass
EUVDB-ID: #VU67503
Risk: Medium
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-40956
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to some requests may ignore the CSP's base-uri settings when handling HTML base element injection. A remote attacker can force the browser to accept the injected element's base instead of the original code, leading to Content Security Policy bypass.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
72) Security restrictions bypass
EUVDB-ID: #VU61103
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-26384
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to a logic error when processing iframes. If an attacker can control the contents of an iframe sandboxed with allow-popups but not allow-scripts, it is possible to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox.
Install update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
73) Use-after-free
EUVDB-ID: #VU64751
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-34470
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in nsSHistory when handling XML documents. A remote attacker can trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
74) Integer overflow
EUVDB-ID: #VU64756
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-34481
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to integer overflow in the nsTArray_Impl::ReplaceElementsAt() function. A remote attacker can trick the victim to visit a specially crafted website, trigger an integer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
75) Buffer overflow
EUVDB-ID: #VU63879
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-31747
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
76) Use-after-free
EUVDB-ID: #VU66725
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-38476
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a data race within the in the PK11_ChangePW function. A remote attacker can trigger a use-after-free error and crash the browser.
Install update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
77) Resource exhaustion
EUVDB-ID: #VU61895
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-24713
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (ReDoS) attack.
The vulnerability exists due regex for Rust does not properly control consumption of internal resources when parsing untrusted input. A remote attacker can pass specially crafted data to the application and perform a regular expression denial of service (ReDoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
78) Use-after-free
EUVDB-ID: #VU61886
Risk: High
CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2022-28282
CWE-ID:
CWE-416 - Use After Free
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing links with rel="localization". A remote attacker can trick the victim to open a specially crafted web page, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
79) Security features bypass
EUVDB-ID: #VU57881
Risk: Low
CVSSv3.1: 3.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-38507
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists in the Opportunistic Encryption feature of HTTP2, which allows a connection to be transparently upgraded to TLS while retaining
the visual properties of an HTTP connection, including being
same-origin with unencrypted connections on port 80. However, if a second encrypted port on the same IP address (e.g. port
8443) did not opt-in to opportunistic encryption; a network attacker
could forward a connection from the browser from port 443 to port 8443,
causing the browser to treat the content of port 8443 as same-origin
with HTTP. As a result, a remote attacker can bypass Same-Origin-Policy on services hosted on other ports.
Install update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
80) Buffer overflow
EUVDB-ID: #VU67505
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-40962
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
81) Resource management error
EUVDB-ID: #VU61889
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-28285
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to usage of incorrect AliasSet when generating the assembly code for MLoadTypedArrayElementHole. A remote attacker can abuse this along with another vulnerability to perform an out-of-bounds read.
Install update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
82) Spoofing attack
EUVDB-ID: #VU58616
Risk: Low
CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-43546
CWE-ID:
CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to incorrect processing of user-supplied data, when native cursor is zoomed. A remote attacker can perform cursor spoofing attack.
Install update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
83) Use of Uninitialized Variable
EUVDB-ID: #VU63877
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-31741
CWE-ID:
CWE-457 - Use of Uninitialized Variable
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted webpage, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
84) Security features bypass
EUVDB-ID: #VU64752
Risk: Medium
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-34468
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to improper handling of the CSP sandbox header without "allow-scripts" option. A remote attacker use an iframe to bypass implemented CSP restriction and execute scripts if the user clicks on a javascript: link.
Install update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
85) Improper Restriction of Rendered UI Layers or Frames
EUVDB-ID: #VU57882
Risk: Low
CVSSv3.1: 3.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-38508
CWE-ID:
CWE-1021 - Improper Restriction of Rendered UI Layers or Frames
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to Firefox displays the form validity message in the correct location at the same time as a permission prompt (such as for geolocation). The validity message could have obscured the prompt, resulting in the user potentially being tricked into granting the permission.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
86) Security features bypass
EUVDB-ID: #VU59373
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-4140
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to an error in iframe sandbox implementation when processing XSLT markup. A remote attacker can bypass iframe sandbox and execute arbitrary JavaScript code in context of arbitrary window.
Install update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
87) Insufficient UI Warning of Dangerous Operations
EUVDB-ID: #VU57880
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-38506
CWE-ID:
CWE-357 - Insufficient UI Warning of Dangerous Operations
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attacks.
The vulnerability exists due to Firefox could have entered fullscreen mode without notification or warning to the user. A remote attacker can perform spoofing attacks on the browser UI.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
88) Origin validation error
EUVDB-ID: #VU57066
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-38497
CWE-ID:
CWE-346 - Origin Validation Error
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to an error, which can cause a plain-text validation message to overlaid on another origin through the use of reportValidity() and window.open(). A remote attacker can perform a spoofing attack.
Install update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
89) Use-after-free
EUVDB-ID: #VU59370
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-22740
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in ChannelEventQueue::mOwner when releasing a network request handle. A remote attacker can trick the victim to open a specially crafted web page, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: before 2.3 Fix Pack 6
External linkshttp://www.ibm.com/support/pages/node/6891067
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
