IBM Security Verify Access 10.0.0 through 10.0.9, 11.0.0, IBM Verify Identity Access Container 10.0.0 through 10.0.9, and 11.0.0, under certain configurations, contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

IBM Verify Identity Access Digital Credentials 24.06 could allow an authenticated user to crash the service with a specially crafted POST request.

IBM Verify Identity Access Digital Credentials 24.06 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system.

IBM Security Verify Access Appliance and Container 10.0.0 through 10.0.8 could allow a local privileged user to perform unauthorized actions due to incorrect permissions assignment.

IBM Security Verify Access Appliance and Container 10.0.0 through 10.0.8 transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

IBM Security Verify Access Appliance and Container 10.0.0 through 10.0.8 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

IBM Security Verify Access Appliance and Container 10.0.0 through 10.0.8 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned. This information could be used in further attacks against the system.