A. Kolmann - Security Researcher - Exploit Intelligence Platform

CVE-2014-0864 EXPLOITDB WRITEUP

IBM Algo Credit Limits 4.5.0-4.7.0 - Cross-Site Request Forgery via Crafted XML Document

Multiple cross-site request forgery (CSRF) vulnerabilities in Executer in RICOS in IBM Algo Credit Limits (aka ACLM) 4.5.0 through 4.7.0 before 4.7.0.03 FP5 in IBM Algorithmics allow remote attackers to hijack the authentication of arbitrary users for requests that change (1) a deal's currency or (2) a limit via a crafted XML document.

View Code

CVE-2014-0865 EXPLOITDB WRITEUP

IBM Algo Credit Limits 4.5.0-4.7.0 - Authenticated Data Modification via Serialized Object Injection

RICOS in IBM Algo Credit Limits (aka ACLM) 4.5.0 through 4.7.0 before 4.7.0.03 FP5 in IBM Algorithmics relies on client-side input validation, which allows remote authenticated users to bypass intended dual-control restrictions and modify data via crafted serialized objects, as demonstrated by limit manipulations.

View Code

CVE-2014-0866 EXPLOITDB WRITEUP

IBM Algo Credit Limits 4.5.0-4.7.0 - Cleartext Credential Transmission

RICOS in IBM Algo Credit Limits (aka ACLM) 4.5.0 through 4.7.0 before 4.7.0.03 FP5 in IBM Algorithmics sends cleartext credentials over HTTP, which allows remote attackers to obtain sensitive information by sniffing the network.

View Code

CVE-2014-0867 EXPLOITDB WRITEUP

IBM Algorithmics <4.7.0.03 FP5 - XSS

rcore6/main/addcookie.jsp in RICOS in IBM Algo Credit Limits (aka ACLM) 4.5.0 through 4.7.0 before 4.7.0.03 FP5 in IBM Algorithmics allows remote attackers to create or modify cookies via the query string.

View Code

CVE-2014-0868 EXPLOITDB WRITEUP

IBM Algo Credit Limits 4.5.0-4.7.0 - Authenticated Data Modification via Crafted XML Document

RICOS in IBM Algo Credit Limits (aka ACLM) 4.5.0 through 4.7.0 before 4.7.0.03 FP5 in IBM Algorithmics relies on client-side input validation, which allows remote authenticated users to bypass intended dual-control restrictions and modify data via a crafted XML document, as demonstrated by manipulation of read-only limit data.

View Code

CVE-2014-0869 EXPLOITDB WRITEUP

IBM Algo Credit Limits 4.5.0-4.7.0 - Unauthenticated Password Disclosure via Decrypt Function

The decrypt function in RICOS in IBM Algo Credit Limits (aka ACLM) 4.5.0 through 4.7.0 before 4.7.0.03 FP5 in IBM Algorithmics does not require a key, which makes it easier for remote attackers to obtain cleartext passwords by sniffing the network and then providing a string argument to this function.

View Code

CVE-2014-0870 EXPLOITDB WRITEUP

IBM Algo Credit Limits 4.5.0-4.7.0 - Cross-Site Scripting via Multiple Parameters

Multiple cross-site scripting (XSS) vulnerabilities in RICOS in IBM Algo Credit Limits (aka ACLM) 4.5.0 through 4.7.0 before 4.7.0.03 FP5 in IBM Algorithmics allow remote attackers to inject arbitrary web script or HTML via (1) the Message parameter to rcore6/main/showerror.jsp, (2) the ButtonsetClass parameter to rcore6/main/buttonset.jsp, (3) the MBName parameter to rcore6/frameset.jsp, (4) the Init parameter to algopds/rcore6/main/browse.jsp, or the (5) Name, (6) StoreName, or (7) STYLESHEET parameter to algopds/rcore6/main/ibrowseheader.jsp.

View Code

CVE-2014-0871 EXPLOITDB WRITEUP

IBM Algo Credit Limits 4.5.0-4.7.0 - Exposure of Sensitive Information via Non-Printing Cookie Characters

RICOS in IBM Algo Credit Limits (aka ACLM) 4.5.0 through 4.7.0 before 4.7.0.03 FP5 in IBM Algorithmics allows remote attackers to obtain potentially sensitive Tomcat stack-trace information via non-printing characters in a cookie to the /classes/ URI, as demonstrated by the \x00 character.

View Code

CVE-2014-0894 EXPLOITDB text WRITEUP

IBM Algo Credit Limits 4.5.0-4.7.0 - Exposure of Sensitive Information via XML Document

RICOS in IBM Algo Credit Limits (aka ACLM) 4.5.0 through 4.7.0 before 4.7.0.03 FP5 in IBM Algorithmics allows context-dependent attackers to discover database credentials by reading the DbUser and DbPass fields in an XML document.

View Code