Filtered by vendor Bmc
Subscriptions
Filtered by product Control-m
Subscriptions
Total
6 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-48709 | 1 Bmc | 1 Control-m | 2025-08-12 | 9.8 Critical |
| An issue was discovered in BMC Control-M 9.0.21.300. When Control-M Server has a database connection, it runs DBUStatus.exe frequently, which then calls dbu_connection_details.vbs with the username, password, database hostname, and port written in cleartext, which can be seen in event and process logs in two separate locations. | ||||
| CVE-2024-1605 | 1 Bmc | 1 Control-m | 2025-07-12 | 6.6 Medium |
| BMC Control-M branches 9.0.20 and 9.0.21 upon user login load all Dynamic Link Libraries (DLL) from a directory that grants Write and Read permissions to all users. Leveraging it leads to loading of a potentially malicious libraries, which will execute with the application's privileges. Fix for 9.0.20 branch was released in version 9.0.20.238. Fix for 9.0.21 branch was released in version 9.0.21.201. | ||||
| CVE-2024-1606 | 1 Bmc | 1 Control-m | 2025-07-12 | 4.6 Medium |
| Lack of input sanitization in BMC Control-M branches 9.0.20 and 9.0.21 allows logged-in users for manipulation of generated web pages via injection of HTML code. This might lead to a successful phishing attack for example by tricking users into using a hyperlink pointing to a website controlled by an attacker. Fix for 9.0.20 branch was released in version 9.0.20.238. Fix for 9.0.21 branch was released in version 9.0.21.200. | ||||
| CVE-2023-26550 | 1 Bmc | 1 Control-m | 2025-03-11 | 9.8 Critical |
| A SQL injection vulnerability in BMC Control-M before 9.0.20.214 allows attackers to execute arbitrary SQL commands via the memname JSON field. | ||||
| CVE-2024-1604 | 1 Bmc | 1 Control-m | 2024-11-21 | 6.4 Medium |
| Improper authorization in the report management and creation module of BMC Control-M branches 9.0.20 and 9.0.21 allows logged-in users to read and make unauthorized changes to any reports available within the application, even without proper permissions. The attacker must know the unique identifier of the report they want to manipulate. Fix for 9.0.20 branch was released in version 9.0.20.238. Fix for 9.0.21 branch was released in version 9.0.21.201. | ||||
| CVE-2023-39122 | 1 Bmc | 1 Control-m | 2024-11-21 | 9.8 Critical |
| BMC Control-M through 9.0.20.200 allows SQL injection via the /RF-Server/report/deleteReport report-id parameter. This is fixed in 9.0.21 (and is also fixed by a patch for 9.0.20.200). | ||||
Page 1 of 1.