
cpe:2.3:a:bmc:control-m:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor: Bmc (41db0501-28a3-55f2-9e02-2ebb9bfb3ab9)
Product: Control M (83b3dccc-97b3-52b2-ab3a-c8ebb9727ae7)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from gcve-enriched-dumps CVE data

PURL mappings

PURL | Source | Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale
CVE:CVE-2025-48709 vulnerable 2026-06-03 15:01:35.178217 BMC Control-M/Server cleartext database credentials in process lists and logs
LOW (3.8)
BMC Control-M/Server 9.0.21.300 displays cleartext database credentials in process lists and logs. An authenticated attacker with shell access could observe these credentials and use them to log in to the database server. For example, when Control-M/Server on Windows has a database connection on, it runs 'DBUStatus.exe' frequently, which then calls 'dbu_connection_details.vbs' with the username, password, database hostname, and port written in cleartext, which can be seen in event and process logs in two separate locations. Fixed in PACTV.9.0.21.307.
Published: 2025-08-07T00:00:00.000Z
Updated: 2025-12-01T21:57:06.906Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-1606 vulnerable 2026-06-03 14:54:34.027734 HTML injection in BMC Control-M
MEDIUM (4.6)
Lack of input sanitization in BMC Control-M branches 9.0.20 and 9.0.21 allows logged-in users to manipulate generated web pages by injecting HTML code. This might lead to a successful phishing attack, for example by tricking users into using a hyperlink pointing to a website controlled by an attacker. Fix for 9.0.20 branch was released in version 9.0.20.238. Fix for 9.0.21 branch was released in version 9.0.21.200.
Published: 2024-03-18T10:00:05.221Z
Updated: 2024-08-27T20:06:28.801Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-1605 vulnerable 2026-06-03 14:54:34.026119 DLL side-loading in BMC Control-M
MEDIUM (6.6)
BMC Control-M branches 9.0.20 and 9.0.21, upon user login, load all Dynamic Link Libraries (DLLs) from a directory that grants Write and Read permissions to all users. Leveraging this leads to the loading of potentially malicious libraries, which will execute with the application's privileges. Fix for 9.0.20 branch was released in version 9.0.20.238. Fix for 9.0.21 branch was released in version 9.0.21.201.
Published: 2024-03-18T09:59:49.339Z
Updated: 2025-04-10T20:26:19.226Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-1604 vulnerable 2026-06-03 14:54:34.025630 Incorrect authorization in BMC Control-M
MEDIUM (6.4)
Improper authorization in the report management and creation module of BMC Control-M branches 9.0.20 and 9.0.21 allows logged-in users to read and make unauthorized changes to any reports available within the application, even without proper permissions. The attacker must know the unique identifier of the report they want to manipulate. Fix for 9.0.20 branch was released in version 9.0.20.238. Fix for 9.0.21 branch was released in version 9.0.21.201.
Published: 2024-03-18T09:59:35.514Z
Updated: 2024-10-10T15:36:14.867Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-39122 vulnerable 2026-06-03 14:52:37.789029 Details available
BMC Control-M through 9.0.20.200 allows SQL injection via the /RF-Server/report/deleteReport report-id parameter. This is fixed in 9.0.21 (and is also fixed by a patch for 9.0.20.200).
Published: 2023-07-31T00:00:00.000Z
Updated: 2024-10-22T15:35:35.161Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-26550 vulnerable 2026-06-03 14:51:00.022104 Details available
A SQL injection vulnerability in BMC Control-M before 9.0.20.214 allows attackers to execute arbitrary SQL commands via the memname JSON field.
Published: 2023-02-25T00:00:00.000Z
Updated: 2025-03-11T20:29:33.947Z
Imported from gcve-enriched-dumps CVE data
