CVE-2012-4840
CVE-2012-4840 is a medium-severity vulnerability in Ibm Cognos Business Intelligence with a CVSS 2.0 base score of 5.0. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-94.
Key facts
- Severity: Medium (CVSS 2.0 base score 5.0)
- EPSS exploit prediction: 1% (67th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-94
- Affected product: Ibm Cognos Business Intelligence
- Published:
- Last modified:
Description
IBM Cognos Business Intelligence (BI) 8.4.1 before IF1, 10.1 before IF2, 10.1.1 before IF2, and 10.2 before IF1 allows remote attackers to conduct XPath injection attacks, and call XPath extension functions, via unspecified vectors.
Frequently asked questions
- What is CVE-2012-4840?
- IBM Cognos Business Intelligence (BI) 8.4.1 before IF1, 10.1 before IF2, 10.1.1 before IF2, and 10.2 before IF1 allows remote attackers to conduct XPath injection attacks, and call XPath extension functions, via unspecified vectors.
- How severe is CVE-2012-4840?
- CVE-2012-4840 has a CVSS 2.0 base score of 5.0, rated medium severity.
- Is CVE-2012-4840 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (67th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2012-4840?
- CVE-2012-4840 primarily affects Ibm Cognos Business Intelligence. In total, 4 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2012-4840?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2012-4840 published?
- CVE-2012-4840 was published on 2013-03-05 and last updated on 2026-06-16.
References
- http://www-01.ibm.com/support/docview.wss?uid=swg21626697
- http://www-01.ibm.com/support/docview.wss?uid=swg24034373
- https://exchange.xforce.ibmcloud.com/vulnerabilities/79116
Affected products (4)
- cpe:2.3:a:ibm:cognos_business_intelligence:8.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:cognos_business_intelligence:10.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:cognos_business_intelligence:10.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:cognos_business_intelligence:10.2:*:*:*:*:*:*:*
More vulnerabilities in Ibm Cognos Business Intelligence
- CVE-2012-4858 — Critical (CVSS 9.3): IBM Cognos Business Intelligence (BI) 8.4.1 before IF1, 10.1 before IF2, 10.1.1 before IF2, and 10.2 before IF1 does…
- CVE-2018-1934 — High (CVSS 8.8): IBM Cognos Business Intelligence 10.2.2 is vulnerable to cross-site request forgery which could allow an attacker to…
- CVE-2016-8960 — High (CVSS 8.8): IBM Cognos Business Intelligence 10.2 could allow a user with lower privilege Capabilities to adopt the Capabilities of…
- CVE-2016-3036 — High (CVSS 7.5): IBM Cognos TM1 10.1 and 10.2 is vulnerable to a denial of service, caused by a stack-based buffer overflow when parsing…
- CVE-2017-1764 — High (CVSS 7.0): IBM Cognos Business Intelligence 10.2, 10.2.1, 10.2.1.1, and 10.2.2, under specialized circumstances, could expose…
- CVE-2016-0254 — Medium (CVSS 6.5): IBM Cognos Business Intelligence 10.1 and 10.2 is vulnerable to a denial of service, caused by an XML External Entity…
All CVEs affecting Ibm Cognos Business Intelligence →
Other CWE-94 (Code Injection) vulnerabilities
- CVE-2026-57624 — Critical (CVSS 10.0): Unauthenticated Remote Code Execution (RCE) in Blocksy Companion Pro <= 2.1.46 versions.
- CVE-2026-10134 — Critical (CVSS 10.0): IBM Langflow OSS 1.0.0 through 1.9.3 allows an attacker to read every secret available to the Langflow process, read…
- CVE-2026-53576 — Critical (CVSS 10.0): Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the authentication filter…
- CVE-2026-10561 — Critical (CVSS 10.0): IBM Langflow OSS 1.0.0 through 1.9.3 has an vulnerability due to an improper isolation of Python execution combined…
- CVE-2026-25470 — Critical (CVSS 10.0): Improper Control of Generation of Code ('Code Injection') vulnerability in ACPT ACPT (Pro) - Custom Post Types Plugin…
- CVE-2026-48836 — Critical (CVSS 10.0): Unauthenticated Remote Code Execution (RCE) in Easy Invoice <= 2.1.19 versions.