Search criteria
7608 vulnerabilities
CVE-2025-36419 (GCVE-0-2025-36419)
Vulnerability from cvelistv5 – Published: 2026-01-20 15:53 – Updated: 2026-01-20 16:07
VLAI?
Title
Multiple vulnerabilities found in IBM ApplinX.
Summary
IBM ApplinX 11.1 could disclose sensitive information about server architecture that could aid in further attacks against the system.
Severity ?
5.3 (Medium)
CWE
- CWE-550 - Server-generated Error Message Containing Sensitive Information
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36419",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T16:07:37.381513Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T16:07:57.795Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:applinx:11.1:*:*:*:*:*:*:*"
],
"product": "ApplinX",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "11.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM ApplinX 11.1 could disclose sensitive information about server architecture that could aid in further attacks against the system.\u003c/p\u003e"
}
],
"value": "IBM ApplinX 11.1 could disclose sensitive information about server architecture that could aid in further attacks against the system."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-550",
"description": "CWE-550 Server-generated Error Message Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T15:53:37.574Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7257446"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM strongly recommends addressing the vulnerabilities now by upgrading IBM ApplinX. Product Version Remediation/Fix IBM ApplinX 11.1 Download and apply the update from Fix Central here .\u003c/p\u003e"
}
],
"value": "IBM strongly recommends addressing the vulnerabilities now by upgrading IBM ApplinX. Product Version Remediation/Fix IBM ApplinX 11.1 Download and apply the update from Fix Central here ."
}
],
"title": "Multiple vulnerabilities found in IBM ApplinX.",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36419",
"datePublished": "2026-01-20T15:53:37.574Z",
"dateReserved": "2025-04-15T21:17:01.668Z",
"dateUpdated": "2026-01-20T16:07:57.795Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-36418 (GCVE-0-2025-36418)
Vulnerability from cvelistv5 – Published: 2026-01-20 15:50 – Updated: 2026-01-20 16:09
VLAI?
Title
Multiple vulnerabilities found in IBM ApplinX.
Summary
IBM ApplinX 11.1 is vulnerable due to a privilege escalation vulnerability due to improper verification of JWT tokens. An attacker may be able to craft or modify a JSON web token in order to impersonate another user or to elevate their privileges.
Severity ?
7.3 (High)
CWE
- CWE-347 - Improper Verification of Cryptographic Signature
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36418",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T16:09:28.415356Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T16:09:43.989Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:applinx:11.1:*:*:*:*:*:*:*"
],
"product": "ApplinX",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "11.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM ApplinX 11.1 is vulnerable due to a privilege escalation vulnerability due to improper verification of JWT tokens. An attacker may be able to craft or modify a JSON web token in order to impersonate another user or to elevate their privileges.\u003c/p\u003e"
}
],
"value": "IBM ApplinX 11.1 is vulnerable due to a privilege escalation vulnerability due to improper verification of JWT tokens. An attacker may be able to craft or modify a JSON web token in order to impersonate another user or to elevate their privileges."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-347",
"description": "CWE-347 Improper Verification of Cryptographic Signature",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T15:51:08.237Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7257446"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM strongly recommends addressing the vulnerabilities now by upgrading IBM ApplinX. Product Version Remediation/Fix IBM ApplinX 11.1 Download and apply the update from Fix Central here .\u003c/p\u003e"
}
],
"value": "IBM strongly recommends addressing the vulnerabilities now by upgrading IBM ApplinX. Product Version Remediation/Fix IBM ApplinX 11.1 Download and apply the update from Fix Central here ."
}
],
"title": "Multiple vulnerabilities found in IBM ApplinX.",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36418",
"datePublished": "2026-01-20T15:50:40.562Z",
"dateReserved": "2025-04-15T21:17:01.668Z",
"dateUpdated": "2026-01-20T16:09:43.989Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-36411 (GCVE-0-2025-36411)
Vulnerability from cvelistv5 – Published: 2026-01-20 15:43 – Updated: 2026-01-20 16:04
VLAI?
Title
Multiple vulnerabilities found in IBM ApplinX.
Summary
IBM ApplinX 11.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.
Severity ?
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36411",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T16:04:45.490199Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T16:04:55.158Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "ApplinX",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "11.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM ApplinX 11.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.\u003c/p\u003e"
}
],
"value": "IBM ApplinX 11.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T15:48:29.379Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7257446"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM strongly recommends addressing the vulnerabilities now by upgrading IBM ApplinX. Product Version Remediation/Fix IBM ApplinX 11.1 Download and apply the update from Fix Central here .\u003c/p\u003e"
}
],
"value": "IBM strongly recommends addressing the vulnerabilities now by upgrading IBM ApplinX. Product Version Remediation/Fix IBM ApplinX 11.1 Download and apply the update from Fix Central here ."
}
],
"title": "Multiple vulnerabilities found in IBM ApplinX.",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36411",
"datePublished": "2026-01-20T15:43:07.492Z",
"dateReserved": "2025-04-15T21:17:01.665Z",
"dateUpdated": "2026-01-20T16:04:55.158Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-36410 (GCVE-0-2025-36410)
Vulnerability from cvelistv5 – Published: 2026-01-20 15:39 – Updated: 2026-01-20 16:41
VLAI?
Title
Multiple vulnerabilities found in IBM ApplinX.
Summary
IBM ApplinX 11.1 could allow an authenticated user to perform unauthorized administrative actions on the server due to server-side enforcement of client-side security.
Severity ?
CWE
- CWE-602 - Client-Side Enforcement of Server-Side Security
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36410",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T16:40:39.186583Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T16:41:07.252Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:applinx:11.1:*:*:*:*:*:*:*"
],
"product": "ApplinX",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "11.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM ApplinX 11.1 could allow an authenticated user to perform unauthorized administrative actions on the server due to server-side enforcement of client-side security.\u003c/p\u003e"
}
],
"value": "IBM ApplinX 11.1 could allow an authenticated user to perform unauthorized administrative actions on the server due to server-side enforcement of client-side security."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-602",
"description": "CWE-602 Client-Side Enforcement of Server-Side Security",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T15:39:53.965Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7257446"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM strongly recommends addressing the vulnerabilities now by upgrading IBM ApplinX. Product Version Remediation/Fix IBM ApplinX 11.1 Download and apply the update from Fix Central here .\u003c/p\u003e"
}
],
"value": "IBM strongly recommends addressing the vulnerabilities now by upgrading IBM ApplinX. Product Version Remediation/Fix IBM ApplinX 11.1 Download and apply the update from Fix Central here ."
}
],
"title": "Multiple vulnerabilities found in IBM ApplinX.",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36410",
"datePublished": "2026-01-20T15:39:53.965Z",
"dateReserved": "2025-04-15T21:17:01.665Z",
"dateUpdated": "2026-01-20T16:41:07.252Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-36409 (GCVE-0-2025-36409)
Vulnerability from cvelistv5 – Published: 2026-01-20 15:37 – Updated: 2026-01-20 16:38
VLAI?
Title
Multiple vulnerabilities found in IBM ApplinX.
Summary
IBM ApplinX 11.1 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36409",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T16:37:26.475173Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T16:38:27.452Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:applinx:11.1:*:*:*:*:*:*:*"
],
"product": "ApplinX",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "11.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM ApplinX 11.1 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.\u003c/p\u003e"
}
],
"value": "IBM ApplinX 11.1 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T15:37:56.120Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7257446"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM strongly recommends addressing the vulnerabilities now by upgrading IBM ApplinX. Product Version Remediation/Fix IBM ApplinX 11.1 Download and apply the update from Fix Central here .\u003c/p\u003e"
}
],
"value": "IBM strongly recommends addressing the vulnerabilities now by upgrading IBM ApplinX. Product Version Remediation/Fix IBM ApplinX 11.1 Download and apply the update from Fix Central here ."
}
],
"title": "Multiple vulnerabilities found in IBM ApplinX.",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36409",
"datePublished": "2026-01-20T15:37:56.120Z",
"dateReserved": "2025-04-15T21:17:00.496Z",
"dateUpdated": "2026-01-20T16:38:27.452Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-36408 (GCVE-0-2025-36408)
Vulnerability from cvelistv5 – Published: 2026-01-20 15:33 – Updated: 2026-01-20 16:35
VLAI?
Title
Multiple vulnerabilities found in IBM ApplinX.
Summary
IBM ApplinX 11.1 is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Severity ?
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36408",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T16:34:11.388555Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T16:35:00.739Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:applinx:11.1:*:*:*:*:*:*:*"
],
"product": "ApplinX",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "11.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM ApplinX 11.1 is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.\u003c/p\u003e"
}
],
"value": "IBM ApplinX 11.1 is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T15:35:52.239Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7257446"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM strongly recommends addressing the vulnerabilities now by upgrading IBM ApplinX. Product Version Remediation/Fix IBM ApplinX 11.1 Download and apply the update from Fix Central here .\u003c/p\u003e"
}
],
"value": "IBM strongly recommends addressing the vulnerabilities now by upgrading IBM ApplinX. Product Version Remediation/Fix IBM ApplinX 11.1 Download and apply the update from Fix Central here ."
}
],
"title": "Multiple vulnerabilities found in IBM ApplinX.",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36408",
"datePublished": "2026-01-20T15:33:59.216Z",
"dateReserved": "2025-04-15T21:17:00.496Z",
"dateUpdated": "2026-01-20T16:35:00.739Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-36397 (GCVE-0-2025-36397)
Vulnerability from cvelistv5 – Published: 2026-01-20 15:23 – Updated: 2026-01-20 15:47
VLAI?
Title
Security vulnerabilities have been found in IBM Application Gateway
Summary
IBM Application Gateway 23.10 through 25.09 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site.
Severity ?
5.4 (Medium)
CWE
- CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | Application Gateway |
Affected:
23.10 , ≤ 25.09
(semver)
cpe:2.3:a:ibm:application_gateway:23.10:*:*:*:*:*:*:* cpe:2.3:a:ibm:application_gateway:23.10.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:application_gateway:25.09:*:*:*:*:*:*:* cpe:2.3:a:ibm:application_gateway:25.09.0:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36397",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T15:47:02.680173Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T15:47:24.284Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:application_gateway:23.10:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:application_gateway:23.10.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:application_gateway:25.09:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:application_gateway:25.09.0:*:*:*:*:*:*:*"
],
"product": "Application Gateway",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "25.09",
"status": "affected",
"version": "23.10",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Application Gateway 23.10 through 25.09 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim\u0027s Web browser within the security context of the hosting site.\u003c/p\u003e"
}
],
"value": "IBM Application Gateway 23.10 through 25.09 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim\u0027s Web browser within the security context of the hosting site."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T15:23:30.652Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7256857"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003cstrong\u003eIBM encourages all customers to update their systems promptly.\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eIBM Application Gateway (Container):\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eObtain the latest version of the container by running this command (without quotation marks):\u003cbr\u003e\u0026nbsp; \u0026nbsp; \u201cdocker pull icr.io/ibmappgateway/ibm-application-gateway:[tag]\u201d \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp;\u003c/p\u003e\u003cp\u003eWhere [tag] is the latest published version and can be confirmed \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.verify.ibm.com/gateway/docs/containers\"\u003ehere\u003c/a\u003e.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "IBM encourages all customers to update their systems promptly.\n\nIBM Application Gateway (Container):\n\nObtain the latest version of the container by running this command (without quotation marks):\n\u00a0 \u00a0 \u201cdocker pull icr.io/ibmappgateway/ibm-application-gateway:[tag]\u201d \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0\n\nWhere [tag] is the latest published version and can be confirmed here https://docs.verify.ibm.com/gateway/docs/containers ."
}
],
"title": "Security vulnerabilities have been found in IBM Application Gateway",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36397",
"datePublished": "2026-01-20T15:23:30.652Z",
"dateReserved": "2025-04-15T21:16:59.139Z",
"dateUpdated": "2026-01-20T15:47:24.284Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-36396 (GCVE-0-2025-36396)
Vulnerability from cvelistv5 – Published: 2026-01-20 15:22 – Updated: 2026-01-20 15:48
VLAI?
Title
Security vulnerabilities have been found in IBM Application Gateway
Summary
IBM Application Gateway 23.10 through 25.09 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | Application Gateway |
Affected:
23.10 , ≤ 25.09
(semver)
cpe:2.3:a:ibm:application_gateway:23.10:*:*:*:*:*:*:* cpe:2.3:a:ibm:application_gateway:23.10.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:application_gateway:25.09:*:*:*:*:*:*:* cpe:2.3:a:ibm:application_gateway:25.09.0:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36396",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T15:48:30.971696Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T15:48:51.751Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:application_gateway:23.10:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:application_gateway:23.10.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:application_gateway:25.09:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:application_gateway:25.09.0:*:*:*:*:*:*:*"
],
"product": "Application Gateway",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "25.09",
"status": "affected",
"version": "23.10",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Application Gateway 23.10 through 25.09 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.\u003c/p\u003e"
}
],
"value": "IBM Application Gateway 23.10 through 25.09 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T15:22:11.780Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7256857"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003cstrong\u003eIBM encourages all customers to update their systems promptly.\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eIBM Application Gateway (Container):\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eObtain the latest version of the container by running this command (without quotation marks):\u003cbr\u003e\u0026nbsp; \u0026nbsp; \u201cdocker pull icr.io/ibmappgateway/ibm-application-gateway:[tag]\u201d \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp;\u003c/p\u003e\u003cp\u003eWhere [tag] is the latest published version and can be confirmed \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.verify.ibm.com/gateway/docs/containers\"\u003ehere\u003c/a\u003e.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "IBM encourages all customers to update their systems promptly.\n\nIBM Application Gateway (Container):\n\nObtain the latest version of the container by running this command (without quotation marks):\n\u00a0 \u00a0 \u201cdocker pull icr.io/ibmappgateway/ibm-application-gateway:[tag]\u201d \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0\n\nWhere [tag] is the latest published version and can be confirmed here https://docs.verify.ibm.com/gateway/docs/containers ."
}
],
"title": "Security vulnerabilities have been found in IBM Application Gateway",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36396",
"datePublished": "2026-01-20T15:22:11.780Z",
"dateReserved": "2025-04-15T21:16:59.139Z",
"dateUpdated": "2026-01-20T15:48:51.751Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-36115 (GCVE-0-2025-36115)
Vulnerability from cvelistv5 – Published: 2026-01-20 15:18 – Updated: 2026-01-20 15:51
VLAI?
Title
Multiple vulnerabilities were addressed in IBM Sterling Connect:Express for UNIX.
Summary
IBM Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0.00 through 5.2.0.12 does not disallow the session id after use which could allow an authenticated user to impersonate another user on the system.
Severity ?
6.3 (Medium)
CWE
- CWE-384 - Session Fixation
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 |
Affected:
5.2.0.00 , ≤ 5.2.0.12
(semver)
cpe:2.3:a:ibm:sterling_connectexpress_adapter_for_sterling_b2b_integrator_520:5.2.0.00:*:*:*:*:*:*:* cpe:2.3:a:ibm:sterling_connectexpress_adapter_for_sterling_b2b_integrator_520:5.2.0.12:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36115",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T15:51:26.339222Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T15:51:47.539Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:sterling_connectexpress_adapter_for_sterling_b2b_integrator_520:5.2.0.00:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:sterling_connectexpress_adapter_for_sterling_b2b_integrator_520:5.2.0.12:*:*:*:*:*:*:*"
],
"product": "Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "5.2.0.12",
"status": "affected",
"version": "5.2.0.00",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0.00 through 5.2.0.12 does not disallow the session id after use which could allow an authenticated user to impersonate another user on the system.\u003c/p\u003e"
}
],
"value": "IBM Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0.00 through 5.2.0.12 does not disallow the session id after use which could allow an authenticated user to impersonate another user on the system."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-384",
"description": "CWE-384 Session Fixation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T15:18:17.680Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7257244"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eAffected Product(s)\u003c/td\u003e\u003ctd\u003eFixed in release\u003c/td\u003e\u003ctd\u003eInstructions\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0\u003c/td\u003e\u003ctd\u003e5.2.0.13\u003c/td\u003e\u003ctd\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software\u0026amp;product=ibm/Other+software/Sterling+Connect%3AExpress+Adapter+for+Sterling+B2B+Integrator\u0026amp;release=5.2.0.13\u0026amp;platform=All\u0026amp;function=all\"\u003eIBM Support: Fix Central - Select fixes\u003c/a\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/fixcentral/swg/doSelectFixes?options.selectedFixes=5.2.0.13-Other-software-Sterling-Connect.Express.Adapter.for.Sterling.B2B.Integrator-fp0013\u0026amp;continue=1\"\u003e\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u0026nbsp;\u003c/div\u003e"
}
],
"value": "Affected Product(s)Fixed in releaseInstructionsSterling Connect:Express Adapter for Sterling B2B Integrator 5.2.05.2.0.13 IBM Support: Fix Central - Select fixes https://www.ibm.com/support/fixcentral/swg/selectFixes https://www.ibm.com/support/fixcentral/swg/doSelectFixes"
}
],
"title": "Multiple vulnerabilities were addressed in IBM Sterling Connect:Express for UNIX.",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36115",
"datePublished": "2026-01-20T15:18:17.680Z",
"dateReserved": "2025-04-15T21:16:17.124Z",
"dateUpdated": "2026-01-20T15:51:47.539Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-36113 (GCVE-0-2025-36113)
Vulnerability from cvelistv5 – Published: 2026-01-20 15:15 – Updated: 2026-01-20 15:34
VLAI?
Title
Multiple vulnerabilities were addressed in IBM Sterling Connect:Express for UNIX.
Summary
IBM Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 5.2.0.00 through 5.2.0.12 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 |
Affected:
5.2.0.00 , ≤ 5.2.0.12
(semver)
cpe:2.3:a:ibm:sterling_connectexpress_adapter_for_sterling_b2b_integrator_520:5.2.0.00:*:*:*:*:*:*:* cpe:2.3:a:ibm:sterling_connectexpress_adapter_for_sterling_b2b_integrator_520:5.2.0.12:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36113",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T15:33:36.308810Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T15:34:16.414Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:sterling_connectexpress_adapter_for_sterling_b2b_integrator_520:5.2.0.00:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:sterling_connectexpress_adapter_for_sterling_b2b_integrator_520:5.2.0.12:*:*:*:*:*:*:*"
],
"product": "Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "5.2.0.12",
"status": "affected",
"version": "5.2.0.00",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 5.2.0.00 through 5.2.0.12 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.\u003c/p\u003e"
}
],
"value": "IBM Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 5.2.0.00 through 5.2.0.12 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T15:15:55.890Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7257244"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003c/p\u003e\u003cdiv\u003e\u003cbr\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eAffected Product(s)\u003c/td\u003e\u003ctd\u003eFixed in release\u003c/td\u003e\u003ctd\u003eInstructions\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0\u003c/td\u003e\u003ctd\u003e5.2.0.13\u003c/td\u003e\u003ctd\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software\u0026amp;product=ibm/Other+software/Sterling+Connect%3AExpress+Adapter+for+Sterling+B2B+Integrator\u0026amp;release=5.2.0.13\u0026amp;platform=All\u0026amp;function=all\"\u003eIBM Support: Fix Central - Select fixes\u003c/a\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/fixcentral/swg/doSelectFixes?options.selectedFixes=5.2.0.13-Other-software-Sterling-Connect.Express.Adapter.for.Sterling.B2B.Integrator-fp0013\u0026amp;continue=1\"\u003e\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003c/div\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cbr\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "Affected Product(s)Fixed in releaseInstructionsSterling Connect:Express Adapter for Sterling B2B Integrator 5.2.05.2.0.13 IBM Support: Fix Central - Select fixes https://www.ibm.com/support/fixcentral/swg/selectFixes https://www.ibm.com/support/fixcentral/swg/doSelectFixes"
}
],
"title": "Multiple vulnerabilities were addressed in IBM Sterling Connect:Express for UNIX.",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36113",
"datePublished": "2026-01-20T15:15:55.890Z",
"dateReserved": "2025-04-15T21:16:17.123Z",
"dateUpdated": "2026-01-20T15:34:16.414Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-36066 (GCVE-0-2025-36066)
Vulnerability from cvelistv5 – Published: 2026-01-20 15:14 – Updated: 2026-01-20 15:36
VLAI?
Title
Multiple vulnerabilities were addressed in IBM Sterling Connect:Express for UNIX.
Summary
IBM Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 5.2.0.00 through 5.2.0.12 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 |
Affected:
5.2.0.00 , ≤ 5.2.0.12
(semver)
cpe:2.3:a:ibm:sterling_connectexpress_adapter_for_sterling_b2b_integrator_520:5.2.0.00:*:*:*:*:*:*:* cpe:2.3:a:ibm:sterling_connectexpress_adapter_for_sterling_b2b_integrator_520:5.2.0.12:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36066",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T15:35:41.325034Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T15:36:00.574Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:sterling_connectexpress_adapter_for_sterling_b2b_integrator_520:5.2.0.00:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:sterling_connectexpress_adapter_for_sterling_b2b_integrator_520:5.2.0.12:*:*:*:*:*:*:*"
],
"product": "Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "5.2.0.12",
"status": "affected",
"version": "5.2.0.00",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 5.2.0.00 through 5.2.0.12 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.\u003c/p\u003e"
}
],
"value": "IBM Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 5.2.0.00 through 5.2.0.12 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T15:14:03.557Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7257244"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eAffected Product(s)\u003c/td\u003e\u003ctd\u003eFixed in release\u003c/td\u003e\u003ctd\u003eInstructions\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0\u003c/td\u003e\u003ctd\u003e5.2.0.13\u003c/td\u003e\u003ctd\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software\u0026amp;product=ibm/Other+software/Sterling+Connect%3AExpress+Adapter+for+Sterling+B2B+Integrator\u0026amp;release=5.2.0.13\u0026amp;platform=All\u0026amp;function=all\"\u003eIBM Support: Fix Central - Select fixes\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "Affected Product(s)Fixed in releaseInstructionsSterling Connect:Express Adapter for Sterling B2B Integrator 5.2.05.2.0.13 IBM Support: Fix Central - Select fixes https://www.ibm.com/support/fixcentral/swg/selectFixes"
}
],
"title": "Multiple vulnerabilities were addressed in IBM Sterling Connect:Express for UNIX.",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36066",
"datePublished": "2026-01-20T15:14:03.557Z",
"dateReserved": "2025-04-15T21:16:12.197Z",
"dateUpdated": "2026-01-20T15:36:00.574Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-36065 (GCVE-0-2025-36065)
Vulnerability from cvelistv5 – Published: 2026-01-20 15:12 – Updated: 2026-01-20 15:38
VLAI?
Title
Multiple vulnerabilities were addressed in IBM Sterling Connect:Express for UNIX.
Summary
IBM Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 5.2.0.00 through 5.2.0.12 does not invalidate session after a browser closure which could allow an authenticated user to impersonate another user on the system.
Severity ?
6.3 (Medium)
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 |
Affected:
5.2.0.00 , ≤ 5.2.0.12
(semver)
cpe:2.3:a:ibm:sterling_connectexpress_adapter_for_sterling_b2b_integrator_520:5.2.0.00:*:*:*:*:*:*:* cpe:2.3:a:ibm:sterling_connectexpress_adapter_for_sterling_b2b_integrator_520:5.2.0.12:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36065",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T15:37:51.256058Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T15:38:07.346Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:sterling_connectexpress_adapter_for_sterling_b2b_integrator_520:5.2.0.00:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:sterling_connectexpress_adapter_for_sterling_b2b_integrator_520:5.2.0.12:*:*:*:*:*:*:*"
],
"product": "Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "5.2.0.12",
"status": "affected",
"version": "5.2.0.00",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 5.2.0.00 through 5.2.0.12 does not invalidate session after a browser closure which could allow an authenticated user to impersonate another user on the system.\u003c/p\u003e"
}
],
"value": "IBM Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 5.2.0.00 through 5.2.0.12 does not invalidate session after a browser closure which could allow an authenticated user to impersonate another user on the system."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613 Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T15:12:47.078Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7257244"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eAffected Product(s)\u003c/td\u003e\u003ctd\u003eFixed in release\u003c/td\u003e\u003ctd\u003eInstructions\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0\u003c/td\u003e\u003ctd\u003e5.2.0.13\u003c/td\u003e\u003ctd\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software\u0026amp;product=ibm/Other+software/Sterling+Connect%3AExpress+Adapter+for+Sterling+B2B+Integrator\u0026amp;release=5.2.0.13\u0026amp;platform=All\u0026amp;function=all\"\u003eIBM Support: Fix Central - Select fixes\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "Affected Product(s)Fixed in releaseInstructionsSterling Connect:Express Adapter for Sterling B2B Integrator 5.2.05.2.0.13 IBM Support: Fix Central - Select fixes https://www.ibm.com/support/fixcentral/swg/selectFixes"
}
],
"title": "Multiple vulnerabilities were addressed in IBM Sterling Connect:Express for UNIX.",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36065",
"datePublished": "2026-01-20T15:12:47.078Z",
"dateReserved": "2025-04-15T21:16:12.197Z",
"dateUpdated": "2026-01-20T15:38:07.346Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-36063 (GCVE-0-2025-36063)
Vulnerability from cvelistv5 – Published: 2026-01-20 15:10 – Updated: 2026-01-20 15:39
VLAI?
Title
Multiple vulnerabilities were addressed in IBM Sterling Connect:Express for UNIX.
Summary
IBM Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 5.2.0.00 through 5.2.0.12 does not invalidate session after a logout which could allow an authenticated user to impersonate another user on the system.
Severity ?
6.3 (Medium)
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 |
Affected:
5.2.0.00 , ≤ 5.2.0.12
(semver)
cpe:2.3:a:ibm:sterling_connectexpress_adapter_for_sterling_b2b_integrator_520:5.2.0.00:*:*:*:*:*:*:* cpe:2.3:a:ibm:sterling_connectexpress_adapter_for_sterling_b2b_integrator_520:5.2.0.12:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36063",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T15:39:28.949190Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T15:39:45.384Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:sterling_connectexpress_adapter_for_sterling_b2b_integrator_520:5.2.0.00:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:sterling_connectexpress_adapter_for_sterling_b2b_integrator_520:5.2.0.12:*:*:*:*:*:*:*"
],
"product": "Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "5.2.0.12",
"status": "affected",
"version": "5.2.0.00",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 5.2.0.00 through 5.2.0.12 does not invalidate session after a logout which could allow an authenticated user to impersonate another user on the system.\u003c/p\u003e"
}
],
"value": "IBM Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 5.2.0.00 through 5.2.0.12 does not invalidate session after a logout which could allow an authenticated user to impersonate another user on the system."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613 Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T15:10:57.747Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7257244"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cbr\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eAffected Product(s)\u003c/td\u003e\u003ctd\u003eFixed in release\u003c/td\u003e\u003ctd\u003eInstructions\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0\u003c/td\u003e\u003ctd\u003e5.2.0.13\u003c/td\u003e\u003ctd\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software\u0026amp;product=ibm/Other+software/Sterling+Connect%3AExpress+Adapter+for+Sterling+B2B+Integrator\u0026amp;release=5.2.0.13\u0026amp;platform=All\u0026amp;function=all\"\u003eIBM Support: Fix Central - Select fixes\u003c/a\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/fixcentral/swg/doSelectFixes?options.selectedFixes=5.2.0.13-Other-software-Sterling-Connect.Express.Adapter.for.Sterling.B2B.Integrator-fp0013\u0026amp;continue=1\"\u003e\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u0026nbsp;\u003c/div\u003e"
}
],
"value": "Affected Product(s)Fixed in releaseInstructionsSterling Connect:Express Adapter for Sterling B2B Integrator 5.2.05.2.0.13 IBM Support: Fix Central - Select fixes https://www.ibm.com/support/fixcentral/swg/selectFixes https://www.ibm.com/support/fixcentral/swg/doSelectFixes"
}
],
"title": "Multiple vulnerabilities were addressed in IBM Sterling Connect:Express for UNIX.",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36063",
"datePublished": "2026-01-20T15:10:57.747Z",
"dateReserved": "2025-04-15T21:16:12.197Z",
"dateUpdated": "2026-01-20T15:39:45.384Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-36058 (GCVE-0-2025-36058)
Vulnerability from cvelistv5 – Published: 2026-01-20 15:09 – Updated: 2026-01-20 15:53
VLAI?
Title
Multiple security vulnerabilities are addressed in IBM Business Automation Workflow Containers fixes December 2025
Summary
IBM Business Automation Workflow containers 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 006. IBM Cloud Pak for Business Automation and IBM Business Automation Workflow containers may disclose sensitve configuration information in a config map.
Severity ?
5.5 (Medium)
CWE
- CWE-538 - Insertion of Sensitive Information into Externally-Accessible File or Directory
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | Business Automation Workflow containers |
Affected:
25.0.0 , ≤ 25.0.0 Interim Fix 002
(semver)
Affected: 24.0.1 , ≤ 24.0.1 Interim Fix 005 (semver) Affected: 24.0.0 , ≤ 24.0.0 Interim Fix 006 (semver) cpe:2.3:a:ibm:business_automation_workflow_containers:25.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:business_automation_workflow_containers:25.0.0:interim_fix_002:*:*:*:*:*:* cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.1:*:*:*:*:*:*:* cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.1:interim_fix_005:*:*:*:*:*:* cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.0:interim_fix_006:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36058",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T15:53:03.007740Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T15:53:20.326Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:business_automation_workflow_containers:25.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow_containers:25.0.0:interim_fix_002:*:*:*:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.1:interim_fix_005:*:*:*:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.0:interim_fix_006:*:*:*:*:*:*"
],
"product": "Business Automation Workflow containers",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "25.0.0 Interim Fix 002",
"status": "affected",
"version": "25.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "24.0.1 Interim Fix 005",
"status": "affected",
"version": "24.0.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "24.0.0 Interim Fix 006",
"status": "affected",
"version": "24.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Business Automation Workflow containers 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 006. IBM Cloud Pak for Business Automation and IBM Business Automation Workflow containers may disclose sensitve configuration information in a config map.\u003c/p\u003e"
}
],
"value": "IBM Business Automation Workflow containers 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 006. IBM Cloud Pak for Business Automation and IBM Business Automation Workflow containers may disclose sensitve configuration information in a config map."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-538",
"description": "CWE-538 Insertion of Sensitive Information into Externally-Accessible File or Directory",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T15:09:18.288Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7256777"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cbr\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eAffected Product(s)\u003c/th\u003e\u003cth\u003eVersion(s)\u003c/th\u003e\u003cth\u003eRemediation / Fix\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eIBM Business Automation Workflow containers\u003c/td\u003e\u003ctd\u003eV25.0.0 - V25.0.0-IF002\u003c/td\u003e\u003ctd\u003eApply \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/readme-ibm-business-automation-workflow-containers-25000-interim-fixes\"\u003e25.0.0-IF003\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Business Automation Workflow containers\u003c/td\u003e\u003ctd\u003eV24.0.1 - V24.0.1-IF005\u003c/td\u003e\u003ctd\u003eApply \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/node/7183042\"\u003e24.0.1-IF006\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Business Automation Workflow containers\u003c/td\u003e\u003ctd\u003eV24.0.0 - V24.0.0-IF006\u003c/td\u003e\u003ctd\u003eApply \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/node/7159792\"\u003e24.0.0-IF007\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cbr\u003e"
}
],
"value": "Affected Product(s)Version(s)Remediation / FixIBM Business Automation Workflow containersV25.0.0 - V25.0.0-IF002Apply 25.0.0-IF003 https://www.ibm.com/support/pages/readme-ibm-business-automation-workflow-containers-25000-interim-fixes IBM Business Automation Workflow containersV24.0.1 - V24.0.1-IF005Apply 24.0.1-IF006 https://www.ibm.com/support/pages/node/7183042 IBM Business Automation Workflow containersV24.0.0 - V24.0.0-IF006Apply 24.0.0-IF007 https://www.ibm.com/support/pages/node/7159792"
}
],
"title": "Multiple security vulnerabilities are addressed in IBM Business Automation Workflow Containers fixes December 2025",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36058",
"datePublished": "2026-01-20T15:09:07.082Z",
"dateReserved": "2025-04-15T21:16:11.325Z",
"dateUpdated": "2026-01-20T15:53:20.326Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-36059 (GCVE-0-2025-36059)
Vulnerability from cvelistv5 – Published: 2026-01-20 15:07 – Updated: 2026-01-20 15:54
VLAI?
Title
Multiple security vulnerabilities are addressed in IBM Business Automation Workflow Containers fixes December 2025
Summary
IBM Business Automation Workflow containers 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 006. IBM Cloud Pak for Business Automation could allow a local user with access to the container to execute OS system calls.
Severity ?
4.7 (Medium)
CWE
- CWE-250 - Execution with Unnecessary Privileges
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | Business Automation Workflow containers |
Affected:
25.0.0 , ≤ 25.0.0 Interim Fix 002
(semver)
Affected: 24.0.1 , ≤ 24.0.1 Interim Fix 005 (semver) Affected: 24.0.0 , ≤ 24.0.0 Interim Fix 006 (semver) cpe:2.3:a:ibm:business_automation_workflow_containers:25.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:business_automation_workflow_containers:25.0.0:interim_fix_002:*:*:*:*:*:* cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.1:*:*:*:*:*:*:* cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.1:interim_fix_005:*:*:*:*:*:* cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.0:interim_fix_006:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36059",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T15:54:23.071587Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T15:54:41.357Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:business_automation_workflow_containers:25.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow_containers:25.0.0:interim_fix_002:*:*:*:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.1:interim_fix_005:*:*:*:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.0:interim_fix_006:*:*:*:*:*:*"
],
"product": "Business Automation Workflow containers",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "25.0.0 Interim Fix 002",
"status": "affected",
"version": "25.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "24.0.1 Interim Fix 005",
"status": "affected",
"version": "24.0.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "24.0.0 Interim Fix 006",
"status": "affected",
"version": "24.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Business Automation Workflow containers 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 006. IBM Cloud Pak for Business Automation could allow a local user with access to the container to execute OS system calls.\u003c/p\u003e"
}
],
"value": "IBM Business Automation Workflow containers 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 006. IBM Cloud Pak for Business Automation could allow a local user with access to the container to execute OS system calls."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-250",
"description": "CWE-250 Execution with Unnecessary Privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T15:07:46.448Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7256777"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cbr\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eAffected Product(s)\u003c/th\u003e\u003cth\u003eVersion(s)\u003c/th\u003e\u003cth\u003eRemediation / Fix\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eIBM Business Automation Workflow containers\u003c/td\u003e\u003ctd\u003eV25.0.0 - V25.0.0-IF002\u003c/td\u003e\u003ctd\u003eApply \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/readme-ibm-business-automation-workflow-containers-25000-interim-fixes\"\u003e25.0.0-IF003\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Business Automation Workflow containers\u003c/td\u003e\u003ctd\u003eV24.0.1 - V24.0.1-IF005\u003c/td\u003e\u003ctd\u003eApply \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/node/7183042\"\u003e24.0.1-IF006\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Business Automation Workflow containers\u003c/td\u003e\u003ctd\u003eV24.0.0 - V24.0.0-IF006\u003c/td\u003e\u003ctd\u003eApply \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/node/7159792\"\u003e24.0.0-IF007\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cbr\u003e"
}
],
"value": "Affected Product(s)Version(s)Remediation / FixIBM Business Automation Workflow containersV25.0.0 - V25.0.0-IF002Apply 25.0.0-IF003 https://www.ibm.com/support/pages/readme-ibm-business-automation-workflow-containers-25000-interim-fixes IBM Business Automation Workflow containersV24.0.1 - V24.0.1-IF005Apply 24.0.1-IF006 https://www.ibm.com/support/pages/node/7183042 IBM Business Automation Workflow containersV24.0.0 - V24.0.0-IF006Apply 24.0.0-IF007 https://www.ibm.com/support/pages/node/7159792"
}
],
"title": "Multiple security vulnerabilities are addressed in IBM Business Automation Workflow Containers fixes December 2025",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36059",
"datePublished": "2026-01-20T15:07:46.448Z",
"dateReserved": "2025-04-15T21:16:11.325Z",
"dateUpdated": "2026-01-20T15:54:41.357Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-33015 (GCVE-0-2025-33015)
Vulnerability from cvelistv5 – Published: 2026-01-20 15:04 – Updated: 2026-01-21 04:55
VLAI?
Title
Multiple Vulnerabilities in IBM Concert Software
Summary
IBM Concert 1.0.0 through 2.1.0 is vulnerable to malicious file upload by not validating the content of the file uploaded to the web interface.
Severity ?
8.8 (High)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-33015",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-21T04:55:23.857Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:concert:1.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:concert:2.1.0:*:*:*:*:*:*:*"
],
"product": "Concert",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "2.1.0",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Concert 1.0.0 through 2.1.0 is vulnerable to malicious file upload by not validating the content of the file uploaded to the web interface.\u003c/p\u003e"
}
],
"value": "IBM Concert 1.0.0 through 2.1.0 is vulnerable to malicious file upload by not validating the content of the file uploaded to the web interface."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T15:04:21.300Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7257006"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM strongly recommends addressing the vulnerability now by upgrading to IBM Concert Software 2.2.0. Download IBM Concert Software 2.2.0 from Container software library section of IBM Entitled Registry ( ICR ) and follow installation instructions depending on the type of deployment.\u003c/p\u003e"
}
],
"value": "IBM strongly recommends addressing the vulnerability now by upgrading to IBM Concert Software 2.2.0. Download IBM Concert Software 2.2.0 from Container software library section of IBM Entitled Registry ( ICR ) and follow installation instructions depending on the type of deployment."
}
],
"title": "Multiple Vulnerabilities in IBM Concert Software",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-33015",
"datePublished": "2026-01-20T15:04:21.300Z",
"dateReserved": "2025-04-15T09:48:51.520Z",
"dateUpdated": "2026-01-21T04:55:23.857Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-1722 (GCVE-0-2025-1722)
Vulnerability from cvelistv5 – Published: 2026-01-20 15:02 – Updated: 2026-01-20 16:02
VLAI?
Title
Multiple Vulnerabilities in IBM Concert Software
Summary
IBM Concert 1.0.0 through 2.1.0 could allow a remote attacker to obtain sensitive information from allocated memory due to improper clearing of heap memory.
Severity ?
5.9 (Medium)
CWE
- CWE-244 - Improper Clearing of Heap Memory Before Release ('Heap Inspection')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-1722",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T16:01:50.422321Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T16:02:13.156Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:concert:1.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:concert:2.1.0:*:*:*:*:*:*:*"
],
"product": "Concert",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "2.1.0",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Concert 1.0.0 through 2.1.0 could allow a remote attacker to obtain sensitive information from allocated memory due to improper clearing of heap memory.\u003c/p\u003e"
}
],
"value": "IBM Concert 1.0.0 through 2.1.0 could allow a remote attacker to obtain sensitive information from allocated memory due to improper clearing of heap memory."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-244",
"description": "CWE-244 Improper Clearing of Heap Memory Before Release (\u0027Heap Inspection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T15:02:41.286Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7257006"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM strongly recommends addressing the vulnerability now by upgrading to IBM Concert Software 2.2.0. Download IBM Concert Software 2.2.0 from Container software library section of IBM Entitled Registry ( ICR ) and follow installation instructions depending on the type of deployment.\u003c/p\u003e"
}
],
"value": "IBM strongly recommends addressing the vulnerability now by upgrading to IBM Concert Software 2.2.0. Download IBM Concert Software 2.2.0 from Container software library section of IBM Entitled Registry ( ICR ) and follow installation instructions depending on the type of deployment."
}
],
"title": "Multiple Vulnerabilities in IBM Concert Software",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-1722",
"datePublished": "2026-01-20T15:02:41.286Z",
"dateReserved": "2025-02-26T16:44:33.278Z",
"dateUpdated": "2026-01-20T16:02:13.156Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-1719 (GCVE-0-2025-1719)
Vulnerability from cvelistv5 – Published: 2026-01-20 15:01 – Updated: 2026-01-20 16:00
VLAI?
Title
Multiple Vulnerabilities in IBM Concert Software
Summary
IBM Concert 1.0.0 through 2.1.0 could allow a remote attacker to obtain sensitive information from allocated memory due to improper clearing of heap memory.
Severity ?
5.9 (Medium)
CWE
- CWE-244 - Improper Clearing of Heap Memory Before Release ('Heap Inspection')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-1719",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T16:00:24.023146Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T16:00:34.111Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:concert:1.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:concert:2.1.0:*:*:*:*:*:*:*"
],
"product": "Concert",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "2.1.0",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Concert 1.0.0 through 2.1.0 could allow a remote attacker to obtain sensitive information from allocated memory due to improper clearing of heap memory.\u003c/p\u003e"
}
],
"value": "IBM Concert 1.0.0 through 2.1.0 could allow a remote attacker to obtain sensitive information from allocated memory due to improper clearing of heap memory."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-244",
"description": "CWE-244 Improper Clearing of Heap Memory Before Release (\u0027Heap Inspection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T15:01:08.887Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7257006"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eRemediation/Fixes IBM strongly recommends addressing the vulnerability now by upgrading to IBM Concert Software 2.2.0. Download IBM Concert Software 2.2.0 from Container software library section of IBM Entitled Registry ( ICR ) and follow installation instructions depending on the type of deployment.\u003c/p\u003e"
}
],
"value": "Remediation/Fixes IBM strongly recommends addressing the vulnerability now by upgrading to IBM Concert Software 2.2.0. Download IBM Concert Software 2.2.0 from Container software library section of IBM Entitled Registry ( ICR ) and follow installation instructions depending on the type of deployment."
}
],
"title": "Multiple Vulnerabilities in IBM Concert Software",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-1719",
"datePublished": "2026-01-20T15:01:08.887Z",
"dateReserved": "2025-02-26T16:44:30.255Z",
"dateUpdated": "2026-01-20T16:00:34.111Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14115 (GCVE-0-2025-14115)
Vulnerability from cvelistv5 – Published: 2026-01-20 14:59 – Updated: 2026-01-21 04:55
VLAI?
Title
IBM Sterling Connect:Direct for UNIX Container is affected by vulnerability where hard-coded credentials are embeeded in the product for its internal use.
Summary
IBM Sterling Connect:Direct for UNIX Container 6.3.0.0 through 6.3.0.6 Interim Fix 016, and 6.4.0.0 through 6.4.0.3 Interim Fix 019 IBM® Sterling Connect:Direct for UNIX contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.
Severity ?
8.4 (High)
CWE
- CWE-798 - Use of Hard-coded Credentials
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | Sterling Connect:Direct for UNIX Container |
Affected:
6.3.0.0 , ≤ 6.3.0.6 Interim Fix 016
(semver)
Affected: 6.4.0.0 , ≤ 6.4.0.3 Interim Fix 019 (semver) cpe:2.3:a:ibm:sterling_connectdirect_for_unix_container:6.3.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:sterling_connectdirect_for_unix_container:6.3.0.6:interim_fix_016:*:*:*:*:*:* cpe:2.3:a:ibm:sterling_connectdirect_for_unix_container:6.4.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:sterling_connectdirect_for_unix_container:6.4.0.3:interim_fix_019:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14115",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-21T04:55:22.820Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:sterling_connectdirect_for_unix_container:6.3.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:sterling_connectdirect_for_unix_container:6.3.0.6:interim_fix_016:*:*:*:*:*:*",
"cpe:2.3:a:ibm:sterling_connectdirect_for_unix_container:6.4.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:sterling_connectdirect_for_unix_container:6.4.0.3:interim_fix_019:*:*:*:*:*:*"
],
"product": "Sterling Connect:Direct for UNIX Container",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "6.3.0.6 Interim Fix 016",
"status": "affected",
"version": "6.3.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.0.3 Interim Fix 019",
"status": "affected",
"version": "6.4.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Sterling Connect:Direct for UNIX Container 6.3.0.0 through 6.3.0.6 Interim Fix 016, and 6.4.0.0 through 6.4.0.3 Interim Fix 019 IBM\u00ae Sterling Connect:Direct for UNIX contains hard-coded credentials, such as a password or cryptographic key, which it uses for\u0026nbsp;its own inbound authentication, outbound communication to external components, or encryption of\u0026nbsp;internal data.\u003c/p\u003e"
}
],
"value": "IBM Sterling Connect:Direct for UNIX Container 6.3.0.0 through 6.3.0.6 Interim Fix 016, and 6.4.0.0 through 6.4.0.3 Interim Fix 019 IBM\u00ae Sterling Connect:Direct for UNIX contains hard-coded credentials, such as a password or cryptographic key, which it uses for\u00a0its own inbound authentication, outbound communication to external components, or encryption of\u00a0internal data."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798 Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T14:59:15.938Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7257143"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM strongly recommends addressing the vulnerability now by upgrading. Product(s) Version(s) APAR Remediation/Fix IBM Sterling Connect:Direct for UNIX Container 6.3.0.0 to 6.3.0.6_iFix016 IT48880 Apply 6.3.0.6_iFix017, see Downloading the IBM Sterling Connect:Direct for Unix Container IBM Sterling Connect:Direct for UNIX Container 6.4.0.0 to 6.4.0.3_iFix019 IT48880 Apply 6.4.0.4, see Downloading the IBM Sterling Connect:Direct for Unix Container For unsupported versions IBM recommends upgrading to a fixed, supported version of the product.\u003c/p\u003e"
}
],
"value": "IBM strongly recommends addressing the vulnerability now by upgrading. Product(s) Version(s) APAR Remediation/Fix IBM Sterling Connect:Direct for UNIX Container 6.3.0.0 to 6.3.0.6_iFix016 IT48880 Apply 6.3.0.6_iFix017, see Downloading the IBM Sterling Connect:Direct for Unix Container IBM Sterling Connect:Direct for UNIX Container 6.4.0.0 to 6.4.0.3_iFix019 IT48880 Apply 6.4.0.4, see Downloading the IBM Sterling Connect:Direct for Unix Container For unsupported versions IBM recommends upgrading to a fixed, supported version of the product."
}
],
"title": "IBM Sterling Connect:Direct for UNIX Container is affected by vulnerability where hard-coded credentials are embeeded in the product for its internal use.",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-14115",
"datePublished": "2026-01-20T14:59:15.938Z",
"dateReserved": "2025-12-05T15:14:31.863Z",
"dateUpdated": "2026-01-21T04:55:22.820Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13925 (GCVE-0-2025-13925)
Vulnerability from cvelistv5 – Published: 2026-01-20 14:56 – Updated: 2026-01-20 15:41
VLAI?
Title
Multiple vulnerabilities in IBM Aspera Console
Summary
IBM Aspera Console 3.4.7 stores potentially sensitive information in log files that could be read by a local privileged user.
Severity ?
4.9 (Medium)
CWE
- CWE-532 - Insertion of Sensitive Information into Log File
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | Aspera Console |
Affected:
3.4.7
cpe:2.3:a:ibm:aspera_console:3.4.7:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13925",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T15:41:17.305057Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T15:41:38.943Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:aspera_console:3.4.7:*:*:*:*:*:*:*"
],
"product": "Aspera Console",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "3.4.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Aspera Console 3.4.7 stores potentially sensitive information in log files that could be read by a local privileged user.\u003c/p\u003e"
}
],
"value": "IBM Aspera Console 3.4.7 stores potentially sensitive information in log files that could be read by a local privileged user."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532 Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T14:56:30.671Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7256544"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eRemediation/Fixes It is strongly recommended that customers upgrade to the latest version of IBM Aspera Console: Product(s) Fixing VRM Platform Link to Fix IBM Aspera Console 3.4.8 Windows Link IBM Aspera Console 3.4.8 Linux Link\u003c/p\u003e"
}
],
"value": "Remediation/Fixes It is strongly recommended that customers upgrade to the latest version of IBM Aspera Console: Product(s) Fixing VRM Platform Link to Fix IBM Aspera Console 3.4.8 Windows Link IBM Aspera Console 3.4.8 Linux Link"
}
],
"title": "Multiple vulnerabilities in IBM Aspera Console",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-13925",
"datePublished": "2026-01-20T14:56:30.671Z",
"dateReserved": "2025-12-02T20:53:59.750Z",
"dateUpdated": "2026-01-20T15:41:38.943Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12985 (GCVE-0-2025-12985)
Vulnerability from cvelistv5 – Published: 2026-01-20 14:50 – Updated: 2026-01-20 15:10
VLAI?
Title
License Service: Privilege escalation vulnerability
Summary
IBM Licensing Operator incorrectly assigns privileges to security critical files which could allow a local root escalation inside a container running the IBM Licensing Operator image.
Severity ?
8.4 (High)
CWE
- CWE-732 - Incorrect Permission Assignment for Critical Resource
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | IBM Licensing Operator |
Affected:
9.0.0
Affected: 9.0.1 Affected: 9.1.0 Affected: 9.2.0 cpe:2.3:a:ibm:license_metric_tool:9.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:license_metric_tool:9.0.1:*:*:*:*:*:*:* cpe:2.3:a:ibm:license_metric_tool:9.1.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:license_metric_tool:9.2.0:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12985",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T15:10:23.287628Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T15:10:40.350Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:license_metric_tool:9.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:license_metric_tool:9.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:license_metric_tool:9.1.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:license_metric_tool:9.2.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "IBM Licensing Operator",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "9.0.0"
},
{
"status": "affected",
"version": "9.0.1"
},
{
"status": "affected",
"version": "9.1.0"
},
{
"status": "affected",
"version": "9.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIBM Licensing Operator incorrectly assigns privileges to security critical files which could allow a local root escalation inside a container running the IBM Licensing Operator image.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "IBM Licensing Operator incorrectly assigns privileges to security critical files which could allow a local root escalation inside a container running the IBM Licensing Operator image."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-732",
"description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T14:50:51.912Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"url": "https://www.ibm.com/support/pages/license-service-privilege-escalation-vulnerability"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eThe fix is provided in License Service version 4.2.18.\u003c/div\u003e"
}
],
"value": "The fix is provided in License Service version 4.2.18."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "License Service: Privilege escalation vulnerability",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-12985",
"datePublished": "2026-01-20T14:50:51.912Z",
"dateReserved": "2025-11-10T22:22:46.883Z",
"dateUpdated": "2026-01-20T15:10:40.350Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64645 (GCVE-0-2025-64645)
Vulnerability from cvelistv5 – Published: 2025-12-26 14:24 – Updated: 2026-01-20 16:02
VLAI?
Title
Multiple Vulnerabilities in IBM Concert Software.
Summary
IBM Concert 1.0.0 through 2.1.0 could allow a local user to escalate their privileges due to a race condition of a symbolic link.
Severity ?
7.7 (High)
CWE
- CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64645",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-29T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T04:55:27.810Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:concert:1.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:concert:2.1.0:*:*:*:*:*:*:*"
],
"product": "Concert",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "2.1.0",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Concert 1.0.0 through 2.1.0 could allow a local user to escalate their privileges due to a race condition of a symbolic link.\u003c/p\u003e"
}
],
"value": "IBM Concert 1.0.0 through 2.1.0 could allow a local user to escalate their privileges due to a race condition of a symbolic link."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-367",
"description": "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T16:02:20.987Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7255549"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM strongly recommends addressing the vulnerabilities now by upgrading to IBM Concert Software 2.2.0\u003c/p\u003e\u003cp\u003eDownload IBM Concert Software 2.2.0 from Container software library section of IBM Entitled Registry (\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://myibm.ibm.com/products-services/containerlibrary\"\u003eICR\u003c/a\u003e) and follow \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/docs/en/concert?topic=installing-preparing-run-installs-from-private-container-registry\"\u003einstallation instructions\u003c/a\u003e\u0026nbsp;depending on the type of deployment.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "IBM strongly recommends addressing the vulnerabilities now by upgrading to IBM Concert Software 2.2.0\n\nDownload IBM Concert Software 2.2.0 from Container software library section of IBM Entitled Registry ( ICR https://myibm.ibm.com/products-services/containerlibrary ) and follow installation instructions https://www.ibm.com/docs/en/concert \u00a0depending on the type of deployment."
}
],
"title": "Multiple Vulnerabilities in IBM Concert Software.",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-64645",
"datePublished": "2025-12-26T14:24:57.880Z",
"dateReserved": "2025-11-06T18:13:00.558Z",
"dateUpdated": "2026-01-20T16:02:20.987Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-36230 (GCVE-0-2025-36230)
Vulnerability from cvelistv5 – Published: 2025-12-26 14:22 – Updated: 2025-12-26 15:14
VLAI?
Title
XSS in IBM Aspera Faspex
Summary
IBM Aspera Faspex 5 5.0.0 through 5.0.14.1 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site.
Severity ?
5.4 (Medium)
CWE
- CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | Aspera Faspex 5 |
Affected:
5.0.0 , ≤ 5.0.14.1
(semver)
cpe:2.3:a:ibm:aspera_faspex_5:5.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:aspera_faspex_5:5.0.14.1:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36230",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-26T15:13:13.484134Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-26T15:14:53.108Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:aspera_faspex_5:5.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:aspera_faspex_5:5.0.14.1:*:*:*:*:*:*:*"
],
"product": "Aspera Faspex 5",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "5.0.14.1",
"status": "affected",
"version": "5.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Aspera Faspex 5 5.0.0 through 5.0.14.1 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim\u0027s Web browser within the security context of the hosting site.\u003c/p\u003e"
}
],
"value": "IBM Aspera Faspex 5 5.0.0 through 5.0.14.1 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim\u0027s Web browser within the security context of the hosting site."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-26T14:22:46.035Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7255331"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM strongly recommends addressing the vulnerabilities now by upgrading to Faspex 5.0.14 available from the link below. Product Fixing VRM Platform Link to Fix IBM Aspera Faspex 5.0.14.2 Linux click here\u003c/p\u003e"
}
],
"value": "IBM strongly recommends addressing the vulnerabilities now by upgrading to Faspex 5.0.14 available from the link below. Product Fixing VRM Platform Link to Fix IBM Aspera Faspex 5.0.14.2 Linux click here"
}
],
"title": "XSS in IBM Aspera Faspex",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36230",
"datePublished": "2025-12-26T14:22:46.035Z",
"dateReserved": "2025-04-15T21:16:42.824Z",
"dateUpdated": "2025-12-26T15:14:53.108Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-36229 (GCVE-0-2025-36229)
Vulnerability from cvelistv5 – Published: 2025-12-26 14:15 – Updated: 2025-12-26 15:14
VLAI?
Title
Exposure of Sensitive System Information to an Unauthorized Control Sphere in IBM Aspera Faspex
Summary
IBM Aspera Faspex 5 5.0.0 through 5.0.14.1 could allow authenticated users to enumerate sensitive information of data due by enumerating package identifiers.
Severity ?
CWE
- CWE-497 - Exposure of Sensitive System Information to an Unauthorized Control Sphere
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | Aspera Faspex 5 |
Affected:
5.0.0 , ≤ 5.0.14.1
(semver)
cpe:2.3:a:ibm:aspera_faspex_5:5.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:aspera_faspex_5:5.0.14.1:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36229",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-26T15:13:07.014351Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-26T15:14:58.269Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:aspera_faspex_5:5.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:aspera_faspex_5:5.0.14.1:*:*:*:*:*:*:*"
],
"product": "Aspera Faspex 5",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "5.0.14.1",
"status": "affected",
"version": "5.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Aspera Faspex 5 5.0.0 through 5.0.14.1 could allow authenticated users to enumerate sensitive information of data due by enumerating package identifiers.\u003c/p\u003e"
}
],
"value": "IBM Aspera Faspex 5 5.0.0 through 5.0.14.1 could allow authenticated users to enumerate sensitive information of data due by enumerating package identifiers."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-497",
"description": "CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-26T14:16:29.869Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7255331"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003c/p\u003e\u003cdiv\u003eIBM strongly recommends addressing the vulnerabilities now by upgrading to Faspex 5.0.14 available from the link below.\u003c/div\u003e\u003cbr\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "IBM strongly recommends addressing the vulnerabilities now by upgrading to Faspex 5.0.14 available from the link below."
}
],
"title": "Exposure of Sensitive System Information to an Unauthorized Control Sphere in IBM Aspera Faspex",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36229",
"datePublished": "2025-12-26T14:15:03.417Z",
"dateReserved": "2025-04-15T21:16:41.802Z",
"dateUpdated": "2025-12-26T15:14:58.269Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-36228 (GCVE-0-2025-36228)
Vulnerability from cvelistv5 – Published: 2025-12-26 14:11 – Updated: 2025-12-26 15:15
VLAI?
Title
Incorrect Execution-Assigned Permissions in IBM Aspera Faspex
Summary
IBM Aspera Faspex 5 5.0.0 through 5.0.14.1 may allow inconsistent permissions between the user interface and backend API allowed users to access features that appeared disabled, potentially leading to misuse.
Severity ?
CWE
- CWE-279 - Incorrect Execution-Assigned Permissions
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | Aspera Faspex 5 |
Affected:
5.0.0 , ≤ 5.0.14.1
(semver)
cpe:2.3:a:ibm:aspera_faspex_5:5.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:aspera_faspex_5:5.0.14.1:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36228",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-26T15:13:00.775886Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-26T15:15:06.304Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:aspera_faspex_5:5.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:aspera_faspex_5:5.0.14.1:*:*:*:*:*:*:*"
],
"product": "Aspera Faspex 5",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "5.0.14.1",
"status": "affected",
"version": "5.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Aspera Faspex 5 5.0.0 through 5.0.14.1 may allow inconsistent permissions between the user interface and backend API allowed users to access features that appeared disabled, potentially leading to misuse.\u003c/p\u003e"
}
],
"value": "IBM Aspera Faspex 5 5.0.0 through 5.0.14.1 may allow inconsistent permissions between the user interface and backend API allowed users to access features that appeared disabled, potentially leading to misuse."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-279",
"description": "CWE-279 Incorrect Execution-Assigned Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-26T14:11:45.492Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7255331"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003c/p\u003e\u003cdiv\u003eIBM strongly recommends addressing the vulnerabilities now by upgrading to Faspex 5.0.14 available from the link below.\u003c/div\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "IBM strongly recommends addressing the vulnerabilities now by upgrading to Faspex 5.0.14 available from the link below."
}
],
"title": "Incorrect Execution-Assigned Permissions in IBM Aspera Faspex",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36228",
"datePublished": "2025-12-26T14:11:45.492Z",
"dateReserved": "2025-04-15T21:16:41.802Z",
"dateUpdated": "2025-12-26T15:15:06.304Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-36192 (GCVE-0-2025-36192)
Vulnerability from cvelistv5 – Published: 2025-12-26 13:58 – Updated: 2025-12-26 15:15
VLAI?
Title
Missing Authorization with the DS8900F and DS8A00 Hardware Management Console
Summary
IBM DS8A00( R10.1) 10.10.106.0 and IBM DS8A00 ( R10.0) 10.1.3.010.2.45.0 and IBM DS8900F ( R9.4) 89.40.83.089.42.18.089.44.5.0 IBM System Storage DS8000 could allow a local user with authorized CCW update permissions to delete or corrupt backups due to missing authorization in IBM Safeguarded Copy / GDPS Logical corruption protection mechanisms.
Severity ?
6.7 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| IBM | DS8A00( R10.1) |
Affected:
10.10.106.0
(semver)
cpe:2.3:o:ibm:ds8900f_firmware:89.40.83.0:*:*:*:*:*:*:* cpe:2.3:o:ibm:ds8900f_firmware:89.44.5.0:*:*:*:*:*:*:* cpe:2.3:o:ibm:ds8900f_firmware:89.42.18.0:*:*:*:*:*:*:* cpe:2.3:o:ibm:ds8900f_firmware:10.2.45.0:*:*:*:*:*:*:* cpe:2.3:o:ibm:ds8900f_firmware:10.10.106.0:*:*:*:*:*:*:* cpe:2.3:o:ibm:ds8900f_firmware:10.1.3.0:*:*:*:*:*:*:* |
||||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36192",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-26T15:12:54.252892Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-26T15:15:11.888Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:o:ibm:ds8900f_firmware:89.40.83.0:*:*:*:*:*:*:*",
"cpe:2.3:o:ibm:ds8900f_firmware:89.44.5.0:*:*:*:*:*:*:*",
"cpe:2.3:o:ibm:ds8900f_firmware:89.42.18.0:*:*:*:*:*:*:*",
"cpe:2.3:o:ibm:ds8900f_firmware:10.2.45.0:*:*:*:*:*:*:*",
"cpe:2.3:o:ibm:ds8900f_firmware:10.10.106.0:*:*:*:*:*:*:*",
"cpe:2.3:o:ibm:ds8900f_firmware:10.1.3.0:*:*:*:*:*:*:*"
],
"product": "DS8A00( R10.1)",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "10.10.106.0",
"versionType": "semver"
}
]
},
{
"product": "DS8A00 ( R10.0)",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "10.1.3.0"
},
{
"status": "affected",
"version": "10.2.45.0"
}
]
},
{
"product": "DS8900F ( R9.4)",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "89.40.83.0"
},
{
"status": "affected",
"version": "89.42.18.0"
},
{
"status": "affected",
"version": "89.44.5.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM DS8A00( R10.1) 10.10.106.0 and IBM DS8A00 ( R10.0) 10.1.3.010.2.45.0 and IBM DS8900F ( R9.4) 89.40.83.089.42.18.089.44.5.0 IBM System Storage DS8000 could allow a local user with authorized CCW update permissions to delete or corrupt backups due to missing authorization in IBM Safeguarded Copy / GDPS Logical corruption protection mechanisms.\u003c/p\u003e"
}
],
"value": "IBM DS8A00( R10.1) 10.10.106.0 and IBM DS8A00 ( R10.0) 10.1.3.010.2.45.0 and IBM DS8900F ( R9.4) 89.40.83.089.42.18.089.44.5.0 IBM System Storage DS8000 could allow a local user with authorized CCW update permissions to delete or corrupt backups due to missing authorization in IBM Safeguarded Copy / GDPS Logical corruption protection mechanisms."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-26T14:00:21.658Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7255039"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003c/p\u003e\u003cdiv\u003eDS8A00 fixes are delivered in Microcode Bundle 10.11.30.0 R10.1.1\u003c/div\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cdiv\u003eDS8900F fixes are delivered in Microcode Bundle 89.44.17.0 R9.4 SP4.2\u003c/div\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDS8A00 customers should either schedule Remote Code Load (RCL) via \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/ibm-remote-code-load\"\u003ehttps://www.ibm.com/support/pages/ibm-remote-code-load\u003c/a\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;or contact IBM support, and request that 10.11.30.0 be applied to their systems.\u003c/span\u003e\u003cp\u003eDS8900F customers should either schedule Remote Code Load (RCL) via \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/ibm-remote-code-load\"\u003ehttps://www.ibm.com/support/pages/ibm-remote-code-load\u003c/a\u003e\u0026nbsp;or contact IBM support, and request that 89.44.17.0 be applied to their systems.\u003c/p\u003e\u003cp\u003eICS Installation Guidelines:\u003c/p\u003e\u003cp\u003eThe ICS(es) listed below remediate critical severity vulnerabilities\u003c/p\u003e\u003cp\u003ea) ICS CVE_4Q2025_v1.0.iso includes remediation for CVE-2024-52533 , CVE-2025-49796 , CVE-2025-49794 and is available for DS8900F and DS8A00.\u003c/p\u003e\u003cp\u003eb) ICS CVE_4Q2025_v1.1.iso includes remediation for CVE-2025-23048 and is available for DS8900F and DS8A00.\u003c/p\u003e\u003cp\u003eDS8900Fsystem with R9.4 LIC bundle but below 89.44.17.0 or DS8A00 with R10.0 LIC bundle but below 10.11.30.0 are recommended to install both of the above mentioned ICS(es). Customers should should either contact Remote Code Load (RCL) via \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/ibm-remote-code-load\"\u003ehttps://www.ibm.com/support/pages/ibm-remote-code-load\u003c/a\u003e\u0026nbsp;or contact IBM support to load the above mentioned ICS(es).\u003c/p\u003e\u003cp\u003eNote: The above ICS(es) are not supported for DS8900F with LIC bundle below R9.4.\u003c/p\u003e\u003cp\u003eCustomers should either contact Remote Code Load (RCL) via \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/ibm-remote-code-load\"\u003ehttps://www.ibm.com/support/pages/ibm-remote-code-load\u003c/a\u003e\u0026nbsp;or contact IBM support to load the recommended or latest LIC bundle on the DS8900F system.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "DS8A00 fixes are delivered in Microcode Bundle 10.11.30.0 R10.1.1\n\n\u00a0\n\nDS8900F fixes are delivered in Microcode Bundle 89.44.17.0 R9.4 SP4.2\n\n\u00a0\n\nDS8A00 customers should either schedule Remote Code Load (RCL) via https://www.ibm.com/support/pages/ibm-remote-code-load \u00a0or contact IBM support, and request that 10.11.30.0 be applied to their systems.DS8900F customers should either schedule Remote Code Load (RCL) via https://www.ibm.com/support/pages/ibm-remote-code-load \u00a0or contact IBM support, and request that 89.44.17.0 be applied to their systems.\n\nICS Installation Guidelines:\n\nThe ICS(es) listed below remediate critical severity vulnerabilities\n\na) ICS CVE_4Q2025_v1.0.iso includes remediation for CVE-2024-52533 , CVE-2025-49796 , CVE-2025-49794 and is available for DS8900F and DS8A00.\n\nb) ICS CVE_4Q2025_v1.1.iso includes remediation for CVE-2025-23048 and is available for DS8900F and DS8A00.\n\nDS8900Fsystem with R9.4 LIC bundle but below 89.44.17.0 or DS8A00 with R10.0 LIC bundle but below 10.11.30.0 are recommended to install both of the above mentioned ICS(es). Customers should should either contact Remote Code Load (RCL) via https://www.ibm.com/support/pages/ibm-remote-code-load \u00a0or contact IBM support to load the above mentioned ICS(es).\n\nNote: The above ICS(es) are not supported for DS8900F with LIC bundle below R9.4.\n\nCustomers should either contact Remote Code Load (RCL) via https://www.ibm.com/support/pages/ibm-remote-code-load \u00a0or contact IBM support to load the recommended or latest LIC bundle on the DS8900F system."
}
],
"title": "Missing Authorization with the DS8900F and DS8A00 Hardware Management Console",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eDS8900F and DS8A00 commonly known as DS8K is installed in client data center and clients control access to the system. DS8K offers multiple security features like LDAP, Multi-factor authentication, audit logging etc., that allows clients to control and audit personnel access to their DS8K. In addition, DS8K has implemented IBM approved challenge-response system to control IBM service personnel accessing the system either locally or remotely.\u003c/p\u003e\u003cp\u003eSo, a malicious attacker must meticulously bypass multiple layers of authentication by exploiting known open-source vulnerabilities to gain access to DS8K. The first step would be gaining access through the client infrastructure. While the issue must be mitigated at the earliest, it doesn\u2019t pose an immediate vulnerability due to existing access controls implemented in DS8K.\u003c/p\u003e\u003cp\u003eIn addition, DS8K supports deployment of code fixes either via remote code load process or locally by IBM personnel. DS8K clients can deploy code fixes too.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "DS8900F and DS8A00 commonly known as DS8K is installed in client data center and clients control access to the system. DS8K offers multiple security features like LDAP, Multi-factor authentication, audit logging etc., that allows clients to control and audit personnel access to their DS8K. In addition, DS8K has implemented IBM approved challenge-response system to control IBM service personnel accessing the system either locally or remotely.\n\nSo, a malicious attacker must meticulously bypass multiple layers of authentication by exploiting known open-source vulnerabilities to gain access to DS8K. The first step would be gaining access through the client infrastructure. While the issue must be mitigated at the earliest, it doesn\u2019t pose an immediate vulnerability due to existing access controls implemented in DS8K.\n\nIn addition, DS8K supports deployment of code fixes either via remote code load process or locally by IBM personnel. DS8K clients can deploy code fixes too."
}
],
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36192",
"datePublished": "2025-12-26T13:58:51.713Z",
"dateReserved": "2025-04-15T21:16:24.268Z",
"dateUpdated": "2025-12-26T15:15:11.888Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14687 (GCVE-0-2025-14687)
Vulnerability from cvelistv5 – Published: 2025-12-26 13:21 – Updated: 2025-12-26 14:37
VLAI?
Title
Client-Side Enforcement of Server-Side Security in IBM Db2 Intelligence Center
Summary
IBM Db2 Intelligence Center 1.1.0, 1.1.1, 1.1.2 could allow an authenticated user to perform unauthorized actions due to client-side enforcement of sever side security mechanisms.
Severity ?
4.3 (Medium)
CWE
- CWE-602 - Client-Side Enforcement of Server-Side Security
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | Db2 Intelligence Center |
Affected:
1.1.0, 1.1.1, 1.1.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14687",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-26T14:37:05.290546Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-26T14:37:13.233Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Db2 Intelligence Center",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "1.1.0, 1.1.1, 1.1.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Db2 Intelligence Center 1.1.0, 1.1.1, 1.1.2 could allow an authenticated user to perform unauthorized actions due to client-side enforcement of sever side security mechanisms.\u003c/p\u003e"
}
],
"value": "IBM Db2 Intelligence Center 1.1.0, 1.1.1, 1.1.2 could allow an authenticated user to perform unauthorized actions due to client-side enforcement of sever side security mechanisms."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-602",
"description": "CWE-602 Client-Side Enforcement of Server-Side Security",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-26T13:42:30.764Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7255160"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003e\u003cbr\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eProduct\u003c/strong\u003e\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eVersion impacted\u003c/strong\u003e\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eRemediation\u003c/strong\u003e\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eIBM Db2 Intelligence Center\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003e1.1.0, 1.1.1, 1.1.2\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eUpgrade to: IBM Db2 Intelligence Center 1.1.3.0\u003cbr\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software\u0026amp;product=ibm/Information+Management/IBM+Db2+Intelligence+Center\u0026amp;release=1.1.3.1\u0026amp;platform=All\u0026amp;function=all\"\u003ehttps://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software\u0026amp;product=ibm/Information+Management/IBM+Db2+Intelligence+Center\u0026amp;release=1.1.3.1\u0026amp;platform=All\u0026amp;function=all\u003c/a\u003e\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003c/div\u003e\u003c/div\u003e\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Product\n\nVersion impacted\n\nRemediation\n\nIBM Db2 Intelligence Center\n\n1.1.0, 1.1.1, 1.1.2\n\nUpgrade to: IBM Db2 Intelligence Center 1.1.3.0\n https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software\u0026product=ibm/Information+Management/IBM+Db2+Intelligence+Center\u0026release=1.1.3.1\u0026platform=All\u0026function=all"
}
],
"title": "Client-Side Enforcement of Server-Side Security in IBM Db2 Intelligence Center",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-14687",
"datePublished": "2025-12-26T13:21:33.403Z",
"dateReserved": "2025-12-13T21:53:58.617Z",
"dateUpdated": "2025-12-26T14:37:13.233Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13915 (GCVE-0-2025-13915)
Vulnerability from cvelistv5 – Published: 2025-12-26 13:16 – Updated: 2026-01-06 04:55
VLAI?
Title
Authentication bypass in IBM API Connect
Summary
IBM API Connect 10.0.8.0 through 10.0.8.5, and 10.0.11.0 could allow a remote attacker to bypass authentication mechanisms and gain unauthorized access to the application.
Severity ?
9.8 (Critical)
CWE
- CWE-305 - Authentication Bypass by Primary Weakness
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | API Connect |
Affected:
10.0.8.0 , ≤ 10.0.8.5
(semver)
Affected: 10.0.11.0 cpe:2.3:a:ibm:api_connect:10.0.8.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:api_connect:10.0.8.5:*:*:*:*:*:*:* cpe:2.3:a:ibm:api_connect:10.0.11.0:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13915",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-05T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-06T04:55:15.969Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:api_connect:10.0.8.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:api_connect:10.0.8.5:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:api_connect:10.0.11.0:*:*:*:*:*:*:*"
],
"product": "API Connect",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "10.0.8.5",
"status": "affected",
"version": "10.0.8.0",
"versionType": "semver"
},
{
"status": "affected",
"version": "10.0.11.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM API Connect 10.0.8.0 through 10.0.8.5, and 10.0.11.0 could allow a remote attacker to bypass authentication mechanisms and gain unauthorized access to the application.\u003c/p\u003e"
}
],
"value": "IBM API Connect 10.0.8.0 through 10.0.8.5, and 10.0.11.0 could allow a remote attacker to bypass authentication mechanisms and gain unauthorized access to the application."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-305",
"description": "CWE-305 Authentication Bypass by Primary Weakness",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-26T13:16:24.669Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7255149"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM strongly recommends addressing the vulnerability now by upgrading.\u003c/p\u003e\u003cdiv\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003cth\u003eProduct(s)\u003c/th\u003e\u003cth\u003eAffected Version Range\u003c/th\u003e\u003cth\u003eRemediated Version\u003c/th\u003e\u003cth\u003eInstructions / Download\u003c/th\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM API Connect V10.0.8\u003c/td\u003e\u003ctd\u003e10.0.8.0 \u2013 10.0.8.5\u003c/td\u003e\u003ctd\u003eiFix\u003c/td\u003e\u003ctd\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cdiv\u003eInstructions:\u003c/div\u003e\u003cdiv\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/node/7255318\"\u003ehttps://www.ibm.com/support/pages/node/7255318\u003c/a\u003e\u003c/div\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cdiv\u003e10.0.8.1: \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://ibm.biz/BdbtC6\"\u003ehttps://ibm.biz/BdbtC6\u003c/a\u003e\u003c/div\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cdiv\u003e10.0.8.2-ifix1: \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://ibm.biz/BdbtCN\"\u003ehttps://ibm.biz/BdbtCN\u003c/a\u003e\u003c/div\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cdiv\u003e10.0.8.2-ifix2: \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://ibm.biz/BdbtC7\"\u003ehttps://ibm.biz/BdbtC7\u003c/a\u003e\u003c/div\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cdiv\u003e10.0.8.3: \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://ibm.biz/BdbtCW\"\u003ehttps://ibm.biz/BdbtCW\u003c/a\u003e\u003c/div\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cdiv\u003e10.0.8.4: \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://ibm.biz/BdbtQc\"\u003ehttps://ibm.biz/BdbtQc\u003c/a\u003e\u003c/div\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cdiv\u003e10.0.8.5: \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://ibm.biz/BdbtQB\"\u003ehttps://ibm.biz/BdbtQB\u003c/a\u003e\u003c/div\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM API Connect V10.0\u003c/td\u003e\u003ctd\u003e10.0.11\u003c/td\u003e\u003ctd\u003eiFix\u003c/td\u003e\u003ctd\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://ibm.biz/BdbtCw\"\u003ehttps://ibm.biz/BdbtCw\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003c/div\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "IBM strongly recommends addressing the vulnerability now by upgrading.\n\nProduct(s)Affected Version RangeRemediated VersionInstructions / DownloadIBM API Connect V10.0.810.0.8.0 \u2013 10.0.8.5iFix\u00a0\n\nInstructions:\n\n https://www.ibm.com/support/pages/node/7255318 \n\n\u00a0\n\n10.0.8.1: https://ibm.biz/BdbtC6 \n\n\u00a0\n\n10.0.8.2-ifix1: https://ibm.biz/BdbtCN \n\n\u00a0\n\n10.0.8.2-ifix2: https://ibm.biz/BdbtC7 \n\n\u00a0\n\n10.0.8.3: https://ibm.biz/BdbtCW \n\n\u00a0\n\n10.0.8.4: https://ibm.biz/BdbtQc \n\n\u00a0\n\n10.0.8.5: https://ibm.biz/BdbtQB \n\n\u00a0\n\n\n\n\n\n\n\n\n\n\n\nIBM API Connect V10.010.0.11iFix https://ibm.biz/BdbtCw"
}
],
"title": "Authentication bypass in IBM API Connect",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eWorkarounds and Mitigations Customers unable to install the interim fix should disable self-service sign-up on their Developer Portal if enabled, which will help minimise their exposure to this vulnerability.\u003c/p\u003e"
}
],
"value": "Workarounds and Mitigations Customers unable to install the interim fix should disable self-service sign-up on their Developer Portal if enabled, which will help minimise their exposure to this vulnerability."
}
],
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-13915",
"datePublished": "2025-12-26T13:16:24.669Z",
"dateReserved": "2025-12-02T18:13:58.988Z",
"dateUpdated": "2026-01-06T04:55:15.969Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12771 (GCVE-0-2025-12771)
Vulnerability from cvelistv5 – Published: 2025-12-26 13:01 – Updated: 2025-12-30 04:55
VLAI?
Title
IBM Concert Software Improper Restriction of Operations within the Bounds of a Memory Buffer.
Summary
IBM Concert 1.0.0 through 2.1.0 is vulnerable to a stack-based buffer overflow, caused by improper bounds checking. A local user could overflow the buffer and execute arbitrary code on the system.
Severity ?
7.8 (High)
CWE
- CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12771",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-29T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T04:55:29.012Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:concert:1.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:concert:2.1.0:*:*:*:*:*:*:*"
],
"product": "Concert",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "2.1.0",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Concert 1.0.0 through 2.1.0 is vulnerable to a stack-based buffer overflow, caused by improper bounds checking. A local user could overflow the buffer and execute arbitrary code on the system.\u003c/p\u003e"
}
],
"value": "IBM Concert 1.0.0 through 2.1.0 is vulnerable to a stack-based buffer overflow, caused by improper bounds checking. A local user could overflow the buffer and execute arbitrary code on the system."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-26T13:01:23.145Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7255549"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eRemediation/Fixes IBM strongly recommends addressing the vulnerabilities now by upgrading to IBM Concert Software 2.2.0 Download IBM Concert Software 2.2.0 from Container software library section of IBM Entitled Registry ( ICR ) and follow installation instructions depending on the type of deployment.\u003c/p\u003e"
}
],
"value": "Remediation/Fixes IBM strongly recommends addressing the vulnerabilities now by upgrading to IBM Concert Software 2.2.0 Download IBM Concert Software 2.2.0 from Container software library section of IBM Entitled Registry ( ICR ) and follow installation instructions depending on the type of deployment."
}
],
"title": "IBM Concert Software Improper Restriction of Operations within the Bounds of a Memory Buffer.",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-12771",
"datePublished": "2025-12-26T13:01:23.145Z",
"dateReserved": "2025-11-05T19:54:58.840Z",
"dateUpdated": "2025-12-30T04:55:29.012Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-1721 (GCVE-0-2025-1721)
Vulnerability from cvelistv5 – Published: 2025-12-26 12:55 – Updated: 2025-12-26 14:47
VLAI?
Title
BM Concert Software Improper Clearing of Heap Memory Before Release.
Summary
IBM Concert 1.0.0 through 2.1.0 could allow a remote attacker to obtain sensitive information from allocated memory due to improper clearing of heap memory.
Severity ?
5.9 (Medium)
CWE
- CWE-244 - Improper Clearing of Heap Memory Before Release ('Heap Inspection')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-1721",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-26T14:47:11.346847Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-26T14:47:17.326Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:concert:1.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:concert:2.1.0:*:*:*:*:*:*:*"
],
"product": "Concert",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "2.1.0",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Concert 1.0.0 through 2.1.0 could allow a remote attacker to obtain sensitive information from allocated memory due to improper clearing of heap memory.\u003c/p\u003e"
}
],
"value": "IBM Concert 1.0.0 through 2.1.0 could allow a remote attacker to obtain sensitive information from allocated memory due to improper clearing of heap memory."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-244",
"description": "CWE-244 Improper Clearing of Heap Memory Before Release (\u0027Heap Inspection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-26T12:55:56.448Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7255549"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eRemediation/Fixes IBM strongly recommends addressing the vulnerabilities now by upgrading to IBM Concert Software 2.2.0 Download IBM Concert Software 2.2.0 from Container software library section of IBM Entitled Registry ( ICR ) and follow installation instructions depending on the type of deployment.\u003c/p\u003e"
}
],
"value": "Remediation/Fixes IBM strongly recommends addressing the vulnerabilities now by upgrading to IBM Concert Software 2.2.0 Download IBM Concert Software 2.2.0 from Container software library section of IBM Entitled Registry ( ICR ) and follow installation instructions depending on the type of deployment."
}
],
"title": "BM Concert Software Improper Clearing of Heap Memory Before Release.",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-1721",
"datePublished": "2025-12-26T12:55:56.448Z",
"dateReserved": "2025-02-26T16:44:32.493Z",
"dateUpdated": "2025-12-26T14:47:17.326Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}