Filtered by vendor Bmc
Subscriptions
Total
84 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2008-5982 | 1 Bmc | 1 Patrol Agent | 2026-04-23 | N/A |
| Format string vulnerability in BMC PATROL Agent before 3.7.30 allows remote attackers to execute arbitrary code via format string specifiers in an invalid version number to TCP port 3181, which are not properly handled when writing a log message. | ||||
| CVE-2007-2136 | 1 Bmc | 1 Patrol Perform Agent | 2026-04-23 | N/A |
| Stack-based buffer overflow in bgs_sdservice.exe in BMC Patrol PerformAgent allows remote attackers to execute arbitrary code by connecting to TCP port 10128 and sending certain XDR data, which is not properly parsed. | ||||
| CVE-2007-0310 | 1 Bmc | 1 Remedy Action Request System | 2026-04-23 | N/A |
| BMC Remedy Action Request System 5.01.02 Patch 1267 generates different error messages for failed login attempts with a valid username than for those with an invalid username, which allows remote attackers to determine valid account names. | ||||
| CVE-2007-1972 | 1 Bmc | 1 Performance Manager | 2026-04-23 | N/A |
| PatrolAgent.exe in BMC Performance Manager does not require authentication for requests to modify configuration files, which allows remote attackers to execute arbitrary code via a request on TCP port 3181 for modification of the masterAgentName and masterAgentStartLine SNMP parameters. NOTE: the vendor disputes this vulnerability, stating that it does not exist when the system is properly configured | ||||
| CVE-2025-71259 | 1 Bmc | 2 Footprints, Footprints Itsm | 2026-04-22 | 4.3 Medium |
| BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a blind server-side request forgery vulnerability in the externalfeed/RSS API component that allows authenticated attackers to trigger arbitrary outbound requests from the server. Attackers can exploit insufficient validation of externally supplied resource references to interact with internal services or cause resource exhaustion impacting availability. The following hotfixes remediate the vulnerability: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01. | ||||
| CVE-2025-71260 | 1 Bmc | 2 Footprints, Footprints Itsm | 2026-04-22 | 8.8 High |
| BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a deserialization of untrusted data vulnerability in the ASP.NET servlet's VIEWSTATE handling that allows authenticated attackers to execute arbitrary code. Attackers can supply crafted serialized objects to the VIEWSTATE parameter to achieve remote code execution and fully compromise the application. The following hotfixes remediate the vulnerability: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01. | ||||
| CVE-2025-71258 | 1 Bmc | 2 Footprints, Footprints Itsm | 2026-04-22 | 4.3 Medium |
| BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a blind server-side request forgery vulnerability in the searchWeb API component that allows authenticated attackers to cause the server to initiate arbitrary outbound requests. Attackers can exploit improper URL validation to perform internal network scanning or interact with internal services, impacting system availability. The following hotfixes remediate the vulnerability: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01. | ||||
| CVE-2025-71257 | 1 Bmc | 2 Footprints, Footprints Itsm | 2026-04-22 | 7.3 High |
| BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain an authentication bypass vulnerability due to improper enforcement of security filters on restricted REST API endpoints and servlets. Unauthenticated remote attackers can bypass access controls to invoke restricted functionality and gain unauthorized access to application data and modify system resources. The following hotfixes remediate the vulnerability: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01. | ||||
| CVE-1999-1459 | 1 Bmc | 1 Patrol Agent | 2026-04-16 | N/A |
| BMC PATROL Agent before 3.2.07 allows local users to gain root privileges via a symlink attack on a temporary file. | ||||
| CVE-1999-0443 | 1 Bmc | 1 Patrol Agent | 2026-04-16 | N/A |
| Patrol management software allows a remote attacker to conduct a replay attack to steal the administrator password. | ||||
| CVE-1999-1460 | 1 Bmc | 1 Patrol Agent | 2026-04-16 | N/A |
| BMC PATROL SNMP Agent before 3.2.07 allows local users to create arbitrary world-writeable files as root by specifying the target file as the second argument to the snmpmagt program. | ||||
| CVE-1999-0801 | 1 Bmc | 1 Patrol Agent | 2026-04-16 | N/A |
| BMC Patrol allows remote attackers to gain access to an agent by spoofing frames. | ||||
| CVE-1999-0921 | 1 Bmc | 1 Patrol Agent | 2026-04-16 | N/A |
| BMC Patrol allows any remote attacker to flood its UDP port, causing a denial of service. | ||||
| CVE-2005-3311 | 1 Bmc | 1 Software Control-m Agent | 2026-04-16 | N/A |
| BMC Software Control-M 6.1.03 for Solaris, and possibly other platforms, allows local users to overwrite arbitrary files via a symlink attack on temporary files. | ||||
| CVE-2026-23780 | 1 Bmc | 1 Control-m | 2026-04-15 | 8.8 High |
| An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. A SQL injection vulnerability in the MFT API's debug interface allows an authenticated attacker to inject malicious queries due to improper input validation and unsafe dynamic SQL handling. Successful exploitation can enable arbitrary file read/write operations and potentially lead to remote code execution. | ||||
| CVE-2026-23782 | 1 Bmc | 1 Control-m | 2026-04-15 | 7.5 High |
| An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. An API management endpoint allows unauthenticated users to obtain both an API identifier and its corresponding secret value. With these exposed secrets, an attacker could invoke privileged API operations, potentially leading to unauthorized access. | ||||
| CVE-2026-23781 | 1 Bmc | 1 Control-m | 2026-04-15 | 9.8 Critical |
| An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. A set of default debug user credentials is hardcoded in cleartext within the application package. If left unchanged, these credentials can be easily obtained and may allow unauthorized access to the MFT API debug interface. | ||||
| CVE-2025-55114 | 1 Bmc | 1 Control-m/agent | 2026-04-15 | 5.3 Medium |
| The improper order of AUTHORIZED_CTM_IP validation in the Control-M/Agent, where the Control-M/Server IP address is validated only after the SSL/TLS handshake is completed, exposes the Control-M/Agent to vulnerabilities in the SSL/TLS implementation under certain non-default conditions (e.g. CVE-2025-55117 or CVE-2025-55118) or potentially to resource exhaustion. | ||||
| CVE-2025-55108 | 1 Bmc | 1 Control-m/agent | 2026-04-15 | 10 Critical |
| The Control-M/Agent is vulnerable to unauthenticated remote code execution, arbitrary file read and write and similar unauthorized actions when mutual SSL/TLS authentication is not enabled (i.e. in the default configuration). NOTE: * The vendor believes that this vulnerability only occurs when documented security best practices are not followed. BMC has always strongly recommended to use security best practices such as configuring SSL/TLS between Control-M Server and Agent. * The vendor notifies that Control-M/Agent is not impacted in Control-M SaaS | ||||
| CVE-2024-58298 | 1 Bmc | 1 Compuware Istrobe Web | 2026-04-15 | N/A |
| Compuware iStrobe Web 20.13 contains a pre-authentication remote code execution vulnerability that allows unauthenticated attackers to upload malicious JSP files through a path traversal in the file upload form. Attackers can exploit the 'fileName' parameter to upload a web shell and execute arbitrary commands by sending POST requests to the uploaded JSP endpoint. | ||||