Search criteria
128 vulnerabilities found for Concert by IBM
CVE-2025-64645 (GCVE-0-2025-64645)
Vulnerability from nvd – Published: 2025-12-26 14:24 – Updated: 2025-12-30 04:55
VLAI?
Title
Time-of-check Time-of-use (TOCTOU) in IBM Concert Software.
Summary
IBM Concert 1.0.0 through 2.1.0 could allow a local user to escalate their privileges due to a race condition of a symbolic link.
Severity ?
7.7 (High)
CWE
- CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64645",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-29T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T04:55:27.810Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:concert:1.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:concert:2.1.0:*:*:*:*:*:*:*"
],
"product": "Concert",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "2.1.0",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Concert 1.0.0 through 2.1.0 could allow a local user to escalate their privileges due to a race condition of a symbolic link.\u003c/p\u003e"
}
],
"value": "IBM Concert 1.0.0 through 2.1.0 could allow a local user to escalate their privileges due to a race condition of a symbolic link."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-367",
"description": "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-26T14:24:57.880Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7255549"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM strongly recommends addressing the vulnerabilities now by upgrading to IBM Concert Software 2.2.0 Download IBM Concert Software 2.2.0 from Container software library section of IBM Entitled Registry ( ICR ) and follow installation instructions depending on the type of deployment.\u003c/p\u003e"
}
],
"value": "IBM strongly recommends addressing the vulnerabilities now by upgrading to IBM Concert Software 2.2.0 Download IBM Concert Software 2.2.0 from Container software library section of IBM Entitled Registry ( ICR ) and follow installation instructions depending on the type of deployment."
}
],
"title": "Time-of-check Time-of-use (TOCTOU) in IBM Concert Software.",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-64645",
"datePublished": "2025-12-26T14:24:57.880Z",
"dateReserved": "2025-11-06T18:13:00.558Z",
"dateUpdated": "2025-12-30T04:55:27.810Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-1721 (GCVE-0-2025-1721)
Vulnerability from nvd – Published: 2025-12-26 12:55 – Updated: 2025-12-26 14:47
VLAI?
Title
BM Concert Software Improper Clearing of Heap Memory Before Release.
Summary
IBM Concert 1.0.0 through 2.1.0 could allow a remote attacker to obtain sensitive information from allocated memory due to improper clearing of heap memory.
Severity ?
5.9 (Medium)
CWE
- CWE-244 - Improper Clearing of Heap Memory Before Release ('Heap Inspection')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-1721",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-26T14:47:11.346847Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-26T14:47:17.326Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:concert:1.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:concert:2.1.0:*:*:*:*:*:*:*"
],
"product": "Concert",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "2.1.0",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Concert 1.0.0 through 2.1.0 could allow a remote attacker to obtain sensitive information from allocated memory due to improper clearing of heap memory.\u003c/p\u003e"
}
],
"value": "IBM Concert 1.0.0 through 2.1.0 could allow a remote attacker to obtain sensitive information from allocated memory due to improper clearing of heap memory."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-244",
"description": "CWE-244 Improper Clearing of Heap Memory Before Release (\u0027Heap Inspection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-26T12:55:56.448Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7255549"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eRemediation/Fixes IBM strongly recommends addressing the vulnerabilities now by upgrading to IBM Concert Software 2.2.0 Download IBM Concert Software 2.2.0 from Container software library section of IBM Entitled Registry ( ICR ) and follow installation instructions depending on the type of deployment.\u003c/p\u003e"
}
],
"value": "Remediation/Fixes IBM strongly recommends addressing the vulnerabilities now by upgrading to IBM Concert Software 2.2.0 Download IBM Concert Software 2.2.0 from Container software library section of IBM Entitled Registry ( ICR ) and follow installation instructions depending on the type of deployment."
}
],
"title": "BM Concert Software Improper Clearing of Heap Memory Before Release.",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-1721",
"datePublished": "2025-12-26T12:55:56.448Z",
"dateReserved": "2025-02-26T16:44:32.493Z",
"dateUpdated": "2025-12-26T14:47:17.326Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12771 (GCVE-0-2025-12771)
Vulnerability from nvd – Published: 2025-12-26 13:01 – Updated: 2025-12-30 04:55
VLAI?
Title
IBM Concert Software Improper Restriction of Operations within the Bounds of a Memory Buffer.
Summary
IBM Concert 1.0.0 through 2.1.0 is vulnerable to a stack-based buffer overflow, caused by improper bounds checking. A local user could overflow the buffer and execute arbitrary code on the system.
Severity ?
7.8 (High)
CWE
- CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12771",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-29T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T04:55:29.012Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:concert:1.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:concert:2.1.0:*:*:*:*:*:*:*"
],
"product": "Concert",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "2.1.0",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Concert 1.0.0 through 2.1.0 is vulnerable to a stack-based buffer overflow, caused by improper bounds checking. A local user could overflow the buffer and execute arbitrary code on the system.\u003c/p\u003e"
}
],
"value": "IBM Concert 1.0.0 through 2.1.0 is vulnerable to a stack-based buffer overflow, caused by improper bounds checking. A local user could overflow the buffer and execute arbitrary code on the system."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-26T13:01:23.145Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7255549"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eRemediation/Fixes IBM strongly recommends addressing the vulnerabilities now by upgrading to IBM Concert Software 2.2.0 Download IBM Concert Software 2.2.0 from Container software library section of IBM Entitled Registry ( ICR ) and follow installation instructions depending on the type of deployment.\u003c/p\u003e"
}
],
"value": "Remediation/Fixes IBM strongly recommends addressing the vulnerabilities now by upgrading to IBM Concert Software 2.2.0 Download IBM Concert Software 2.2.0 from Container software library section of IBM Entitled Registry ( ICR ) and follow installation instructions depending on the type of deployment."
}
],
"title": "IBM Concert Software Improper Restriction of Operations within the Bounds of a Memory Buffer.",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-12771",
"datePublished": "2025-12-26T13:01:23.145Z",
"dateReserved": "2025-11-05T19:54:58.840Z",
"dateUpdated": "2025-12-30T04:55:29.012Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-36154 (GCVE-0-2025-36154)
Vulnerability from nvd – Published: 2025-12-24 19:01 – Updated: 2025-12-24 20:02
VLAI?
Title
IBM Concert Software Cleartext Storage in a File or on Disk.
Summary
IBM Concert 1.0.0 through 2.1.0 stores sensitive information in cleartext during recursive docker builds which could be obtained by a local user.
Severity ?
6.2 (Medium)
CWE
- CWE-313 - Cleartext Storage in a File or on Disk
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36154",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-24T20:02:23.714103Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T20:02:34.098Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:concert:1.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:concert:2.1.0:*:*:*:*:*:*:*"
],
"product": "Concert",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "2.1.0",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Concert 1.0.0 through 2.1.0 stores sensitive information in cleartext during recursive docker builds which could be obtained by a local user.\u003c/p\u003e"
}
],
"value": "IBM Concert 1.0.0 through 2.1.0 stores sensitive information in cleartext during recursive docker builds which could be obtained by a local user."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-313",
"description": "CWE-313 Cleartext Storage in a File or on Disk",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T19:01:48.161Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7255549"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eRemediation/Fixes IBM strongly recommends addressing the vulnerabilities now by upgrading to IBM Concert Software 2.2.0 Download IBM Concert Software 2.2.0 from Container software library section of IBM Entitled Registry ( ICR ) and follow installation instructions depending on the type of deployment.\u003c/p\u003e"
}
],
"value": "Remediation/Fixes IBM strongly recommends addressing the vulnerabilities now by upgrading to IBM Concert Software 2.2.0 Download IBM Concert Software 2.2.0 from Container software library section of IBM Entitled Registry ( ICR ) and follow installation instructions depending on the type of deployment."
}
],
"title": "IBM Concert Software Cleartext Storage in a File or on Disk.",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36154",
"datePublished": "2025-12-24T19:01:48.161Z",
"dateReserved": "2025-04-15T21:16:20.813Z",
"dateUpdated": "2025-12-24T20:02:34.098Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-36150 (GCVE-0-2025-36150)
Vulnerability from nvd – Published: 2025-11-24 20:29 – Updated: 2025-11-24 20:58
VLAI?
Title
IBM Concert Information Disclosure
Summary
IBM Concert 1.0.0 through 2.0.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.
Severity ?
5.9 (Medium)
CWE
- CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36150",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-24T20:58:02.041705Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-24T20:58:29.449Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:concert:1.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:concert:2.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Concert",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "2.0.0",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Concert 1.0.0 through 2.0.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.\u003c/p\u003e"
}
],
"value": "IBM Concert 1.0.0 through 2.0.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-327",
"description": "CWE-327 Use of a Broken or Risky Cryptographic Algorithm",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-24T20:29:19.183Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7252019"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eRemediation/Fixes IBM strongly recommends addressing the vulnerabilities now by upgrading to IBM Concert Software 2.1.0 Download IBM Concert Software 2.1.0 from Container software library section of IBM Entitled Registry ( ICR ) and follow installation instructions depending on the type of deployment.\u003c/p\u003e"
}
],
"value": "Remediation/Fixes IBM strongly recommends addressing the vulnerabilities now by upgrading to IBM Concert Software 2.1.0 Download IBM Concert Software 2.1.0 from Container software library section of IBM Entitled Registry ( ICR ) and follow installation instructions depending on the type of deployment."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Concert Information Disclosure",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36150",
"datePublished": "2025-11-24T20:29:19.183Z",
"dateReserved": "2025-04-15T21:16:20.813Z",
"dateUpdated": "2025-11-24T20:58:29.449Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-36149 (GCVE-0-2025-36149)
Vulnerability from nvd – Published: 2025-11-21 19:38 – Updated: 2025-11-21 19:48
VLAI?
Title
IBM Concert Software clickjacking
Summary
IBM Concert Software 1.0.0 through 2.0.0 could allow a remote attacker to hijack the clicking action of the victim.
Severity ?
6.3 (Medium)
CWE
- CWE-1021 - Improper Restriction of Rendered UI Layers or Frames
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | IBM Concert Software |
Affected:
1.0.0 , ≤ 2.0.0
(semver)
cpe:2.3:a:ibm:concert:1.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:concert:2.0.0:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36149",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-21T19:48:04.162194Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-21T19:48:34.076Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:concert:1.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:concert:2.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "IBM Concert Software",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "2.0.0",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cb\u003e\u0026nbsp;\u003c/b\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIBM Concert Software 1.0.0 through 2.0.0 could allow a remote attacker to hijack the clicking action of the victim. \u003c/span\u003e\u003cbr\u003e"
}
],
"value": "IBM Concert Software 1.0.0 through 2.0.0 could allow a remote attacker to hijack the clicking action of the victim."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1021",
"description": "CWE-1021 Improper Restriction of Rendered UI Layers or Frames",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-21T19:42:01.488Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"url": "https://www.ibm.com/support/pages/node/7252019"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM strongly recommends addressing the vulnerabilities now by upgrading to IBM Concert Software 2.1.0\u003c/p\u003e\u003cp\u003eDownload IBM Concert Software 2.1.0 from Container software library section of IBM Entitled Registry (\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://myibm.ibm.com/products-services/containerlibrary\"\u003eICR\u003c/a\u003e) and follow \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/docs/en/concert?topic=installing-preparing-run-installs-from-private-container-registry\"\u003einstallation instructions\u003c/a\u003e\u0026nbsp;depending on the type of deployment.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "IBM strongly recommends addressing the vulnerabilities now by upgrading to IBM Concert Software 2.1.0\n\nDownload IBM Concert Software 2.1.0 from Container software library section of IBM Entitled Registry ( ICR https://myibm.ibm.com/products-services/containerlibrary ) and follow installation instructions https://www.ibm.com/docs/en/concert \u00a0depending on the type of deployment."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Concert Software clickjacking",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36149",
"datePublished": "2025-11-21T19:38:47.251Z",
"dateReserved": "2025-04-15T21:16:19.941Z",
"dateUpdated": "2025-11-21T19:48:34.076Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-36153 (GCVE-0-2025-36153)
Vulnerability from nvd – Published: 2025-11-20 21:21 – Updated: 2025-11-20 21:35
VLAI?
Title
IBM Concert Cross-Site Scripting
Summary
IBM Concert 1.0.0 through 2.0.0 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36153",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-20T21:35:16.088592Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-20T21:35:26.690Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:concert:1.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:concert:2.0.0:*:*:*:*:*:*:*"
],
"product": "Concert",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "2.0.0",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Concert 1.0.0 through 2.0.0 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.\u003c/p\u003e"
}
],
"value": "IBM Concert 1.0.0 through 2.0.0 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-20T21:21:04.869Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7252019"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eRemediation/Fixes IBM strongly recommends addressing the vulnerabilities now by upgrading to IBM Concert Software 2.1.0 Download IBM Concert Software 2.1.0 from Container software library section of IBM Entitled Registry ( ICR ) and follow installation instructions depending on the type of deployment.\u003c/p\u003e"
}
],
"value": "Remediation/Fixes IBM strongly recommends addressing the vulnerabilities now by upgrading to IBM Concert Software 2.1.0 Download IBM Concert Software 2.1.0 from Container software library section of IBM Entitled Registry ( ICR ) and follow installation instructions depending on the type of deployment."
}
],
"title": "IBM Concert Cross-Site Scripting",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36153",
"datePublished": "2025-11-20T21:21:04.869Z",
"dateReserved": "2025-04-15T21:16:20.813Z",
"dateUpdated": "2025-11-20T21:35:26.690Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-36158 (GCVE-0-2025-36158)
Vulnerability from nvd – Published: 2025-11-20 21:19 – Updated: 2025-11-20 21:36
VLAI?
Title
IBM Concert Information Disclosure
Summary
IBM Concert 1.0.0 through 2.0.0 could allow a local user with specific permission to obtain sensitive information from files due to uncontrolled recursive directory copying.
Severity ?
5.1 (Medium)
CWE
- CWE-674 - Uncontrolled Recursion
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36158",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-20T21:35:54.418311Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-20T21:36:03.920Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:concert:1.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:concert:2.0.0:*:*:*:*:*:*:*"
],
"product": "Concert",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "2.0.0",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Concert 1.0.0 through 2.0.0 could allow a local user with specific permission to obtain sensitive information from files due to uncontrolled recursive directory copying.\u003c/p\u003e"
}
],
"value": "IBM Concert 1.0.0 through 2.0.0 could allow a local user with specific permission to obtain sensitive information from files due to uncontrolled recursive directory copying."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-674",
"description": "CWE-674 Uncontrolled Recursion",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-20T21:19:26.619Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7252019"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eRemediation/Fixes IBM strongly recommends addressing the vulnerabilities now by upgrading to IBM Concert Software 2.1.0 Download IBM Concert Software 2.1.0 from Container software library section of IBM Entitled Registry ( ICR ) and follow installation instructions depending on the type of deployment.\u003c/p\u003e"
}
],
"value": "Remediation/Fixes IBM strongly recommends addressing the vulnerabilities now by upgrading to IBM Concert Software 2.1.0 Download IBM Concert Software 2.1.0 from Container software library section of IBM Entitled Registry ( ICR ) and follow installation instructions depending on the type of deployment."
}
],
"title": "IBM Concert Information Disclosure",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36158",
"datePublished": "2025-11-20T21:19:26.619Z",
"dateReserved": "2025-04-15T21:16:20.814Z",
"dateUpdated": "2025-11-20T21:36:03.920Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-36159 (GCVE-0-2025-36159)
Vulnerability from nvd – Published: 2025-11-20 21:17 – Updated: 2025-11-20 21:36
VLAI?
Title
IBM Concert Improper Log Neutralization
Summary
IBM Concert 1.0.0 through 2.0.0 could allow a local user to forge log files to impersonate other users or hide their identity due to improper neutralization of output.
Severity ?
6.2 (Medium)
CWE
- CWE-117 - Improper Output Neutralization for Logs
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36159",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-20T21:36:45.827262Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-20T21:36:49.144Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:concert:1.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:concert:2.0.0:*:*:*:*:*:*:*"
],
"product": "Concert",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "2.0.0",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Concert 1.0.0 through 2.0.0 could allow a local user to forge log files to impersonate other users or hide their identity due to improper neutralization of output.\u003c/p\u003e"
}
],
"value": "IBM Concert 1.0.0 through 2.0.0 could allow a local user to forge log files to impersonate other users or hide their identity due to improper neutralization of output."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-117",
"description": "CWE-117 Improper Output Neutralization for Logs",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-20T21:17:47.926Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7252019"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eRemediation/Fixes IBM strongly recommends addressing the vulnerabilities now by upgrading to IBM Concert Software 2.1.0 Download IBM Concert Software 2.1.0 from Container software library section of IBM Entitled Registry ( ICR ) and follow installation instructions depending on the type of deployment.\u003c/p\u003e"
}
],
"value": "Remediation/Fixes IBM strongly recommends addressing the vulnerabilities now by upgrading to IBM Concert Software 2.1.0 Download IBM Concert Software 2.1.0 from Container software library section of IBM Entitled Registry ( ICR ) and follow installation instructions depending on the type of deployment."
}
],
"title": "IBM Concert Improper Log Neutralization",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36159",
"datePublished": "2025-11-20T21:17:47.926Z",
"dateReserved": "2025-04-15T21:16:20.814Z",
"dateUpdated": "2025-11-20T21:36:49.144Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-36160 (GCVE-0-2025-36160)
Vulnerability from nvd – Published: 2025-11-20 21:15 – Updated: 2025-11-20 21:34
VLAI?
Title
IBM Concert Information Disclosure
Summary
IBM Concert 1.0.0 through 2.0.0 could disclose sensitive server information from HTTP response headers that could aid in further attacks against the system.
Severity ?
5.3 (Medium)
CWE
- CWE-497 - Exposure of Sensitive System Information to an Unauthorized Control Sphere
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36160",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-20T21:33:45.147169Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-20T21:34:12.859Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:concert:1.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:concert:2.0.0:*:*:*:*:*:*:*"
],
"product": "Concert",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "2.0.0",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Concert 1.0.0 through 2.0.0 could disclose sensitive server information from HTTP response headers that could aid in further attacks against the system.\u003c/p\u003e"
}
],
"value": "IBM Concert 1.0.0 through 2.0.0 could disclose sensitive server information from HTTP response headers that could aid in further attacks against the system."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-497",
"description": "CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-20T21:15:35.003Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7252019"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eRemediation/Fixes IBM strongly recommends addressing the vulnerabilities now by upgrading to IBM Concert Software 2.1.0 Download IBM Concert Software 2.1.0 from Container software library section of IBM Entitled Registry ( ICR ) and follow installation instructions depending on the type of deployment.\u003c/p\u003e"
}
],
"value": "Remediation/Fixes IBM strongly recommends addressing the vulnerabilities now by upgrading to IBM Concert Software 2.1.0 Download IBM Concert Software 2.1.0 from Container software library section of IBM Entitled Registry ( ICR ) and follow installation instructions depending on the type of deployment."
}
],
"title": "IBM Concert Information Disclosure",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36160",
"datePublished": "2025-11-20T21:15:35.003Z",
"dateReserved": "2025-04-15T21:16:21.702Z",
"dateUpdated": "2025-11-20T21:34:12.859Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-36161 (GCVE-0-2025-36161)
Vulnerability from nvd – Published: 2025-11-20 15:26 – Updated: 2025-11-20 16:30
VLAI?
Title
IBM Concert Software Information Disclosure
Summary
IBM Concert 1.0.0 through 2.0.0 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict-Transport-Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques.
Severity ?
5.9 (Medium)
CWE
- CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36161",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-20T16:29:52.549259Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-20T16:30:00.600Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:concert:1.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:concert:2.0.0:*:*:*:*:*:*:*"
],
"product": "Concert",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "2.0.0",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Concert 1.0.0 through 2.0.0 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict-Transport-Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques.\u003c/p\u003e"
}
],
"value": "IBM Concert 1.0.0 through 2.0.0 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict-Transport-Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-327",
"description": "CWE-327 Use of a Broken or Risky Cryptographic Algorithm",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-20T15:26:56.613Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7252019"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eRemediation/Fixes IBM strongly recommends addressing the vulnerabilities now by upgrading to IBM Concert Software 2.1.0 Download IBM Concert Software 2.1.0 from Container software library section of IBM Entitled Registry ( ICR ) and follow installation instructions depending on the type of deployment.\u003c/p\u003e"
}
],
"value": "Remediation/Fixes IBM strongly recommends addressing the vulnerabilities now by upgrading to IBM Concert Software 2.1.0 Download IBM Concert Software 2.1.0 from Container software library section of IBM Entitled Registry ( ICR ) and follow installation instructions depending on the type of deployment."
}
],
"title": "IBM Concert Software Information Disclosure",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36161",
"datePublished": "2025-11-20T15:26:29.342Z",
"dateReserved": "2025-04-15T21:16:21.703Z",
"dateUpdated": "2025-11-20T16:30:00.600Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64645 (GCVE-0-2025-64645)
Vulnerability from cvelistv5 – Published: 2025-12-26 14:24 – Updated: 2025-12-30 04:55
VLAI?
Title
Time-of-check Time-of-use (TOCTOU) in IBM Concert Software.
Summary
IBM Concert 1.0.0 through 2.1.0 could allow a local user to escalate their privileges due to a race condition of a symbolic link.
Severity ?
7.7 (High)
CWE
- CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64645",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-29T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T04:55:27.810Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:concert:1.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:concert:2.1.0:*:*:*:*:*:*:*"
],
"product": "Concert",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "2.1.0",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Concert 1.0.0 through 2.1.0 could allow a local user to escalate their privileges due to a race condition of a symbolic link.\u003c/p\u003e"
}
],
"value": "IBM Concert 1.0.0 through 2.1.0 could allow a local user to escalate their privileges due to a race condition of a symbolic link."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-367",
"description": "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-26T14:24:57.880Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7255549"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM strongly recommends addressing the vulnerabilities now by upgrading to IBM Concert Software 2.2.0 Download IBM Concert Software 2.2.0 from Container software library section of IBM Entitled Registry ( ICR ) and follow installation instructions depending on the type of deployment.\u003c/p\u003e"
}
],
"value": "IBM strongly recommends addressing the vulnerabilities now by upgrading to IBM Concert Software 2.2.0 Download IBM Concert Software 2.2.0 from Container software library section of IBM Entitled Registry ( ICR ) and follow installation instructions depending on the type of deployment."
}
],
"title": "Time-of-check Time-of-use (TOCTOU) in IBM Concert Software.",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-64645",
"datePublished": "2025-12-26T14:24:57.880Z",
"dateReserved": "2025-11-06T18:13:00.558Z",
"dateUpdated": "2025-12-30T04:55:27.810Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12771 (GCVE-0-2025-12771)
Vulnerability from cvelistv5 – Published: 2025-12-26 13:01 – Updated: 2025-12-30 04:55
VLAI?
Title
IBM Concert Software Improper Restriction of Operations within the Bounds of a Memory Buffer.
Summary
IBM Concert 1.0.0 through 2.1.0 is vulnerable to a stack-based buffer overflow, caused by improper bounds checking. A local user could overflow the buffer and execute arbitrary code on the system.
Severity ?
7.8 (High)
CWE
- CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12771",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-29T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T04:55:29.012Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:concert:1.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:concert:2.1.0:*:*:*:*:*:*:*"
],
"product": "Concert",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "2.1.0",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Concert 1.0.0 through 2.1.0 is vulnerable to a stack-based buffer overflow, caused by improper bounds checking. A local user could overflow the buffer and execute arbitrary code on the system.\u003c/p\u003e"
}
],
"value": "IBM Concert 1.0.0 through 2.1.0 is vulnerable to a stack-based buffer overflow, caused by improper bounds checking. A local user could overflow the buffer and execute arbitrary code on the system."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-26T13:01:23.145Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7255549"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eRemediation/Fixes IBM strongly recommends addressing the vulnerabilities now by upgrading to IBM Concert Software 2.2.0 Download IBM Concert Software 2.2.0 from Container software library section of IBM Entitled Registry ( ICR ) and follow installation instructions depending on the type of deployment.\u003c/p\u003e"
}
],
"value": "Remediation/Fixes IBM strongly recommends addressing the vulnerabilities now by upgrading to IBM Concert Software 2.2.0 Download IBM Concert Software 2.2.0 from Container software library section of IBM Entitled Registry ( ICR ) and follow installation instructions depending on the type of deployment."
}
],
"title": "IBM Concert Software Improper Restriction of Operations within the Bounds of a Memory Buffer.",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-12771",
"datePublished": "2025-12-26T13:01:23.145Z",
"dateReserved": "2025-11-05T19:54:58.840Z",
"dateUpdated": "2025-12-30T04:55:29.012Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-1721 (GCVE-0-2025-1721)
Vulnerability from cvelistv5 – Published: 2025-12-26 12:55 – Updated: 2025-12-26 14:47
VLAI?
Title
BM Concert Software Improper Clearing of Heap Memory Before Release.
Summary
IBM Concert 1.0.0 through 2.1.0 could allow a remote attacker to obtain sensitive information from allocated memory due to improper clearing of heap memory.
Severity ?
5.9 (Medium)
CWE
- CWE-244 - Improper Clearing of Heap Memory Before Release ('Heap Inspection')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-1721",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-26T14:47:11.346847Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-26T14:47:17.326Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:concert:1.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:concert:2.1.0:*:*:*:*:*:*:*"
],
"product": "Concert",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "2.1.0",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Concert 1.0.0 through 2.1.0 could allow a remote attacker to obtain sensitive information from allocated memory due to improper clearing of heap memory.\u003c/p\u003e"
}
],
"value": "IBM Concert 1.0.0 through 2.1.0 could allow a remote attacker to obtain sensitive information from allocated memory due to improper clearing of heap memory."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-244",
"description": "CWE-244 Improper Clearing of Heap Memory Before Release (\u0027Heap Inspection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-26T12:55:56.448Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7255549"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eRemediation/Fixes IBM strongly recommends addressing the vulnerabilities now by upgrading to IBM Concert Software 2.2.0 Download IBM Concert Software 2.2.0 from Container software library section of IBM Entitled Registry ( ICR ) and follow installation instructions depending on the type of deployment.\u003c/p\u003e"
}
],
"value": "Remediation/Fixes IBM strongly recommends addressing the vulnerabilities now by upgrading to IBM Concert Software 2.2.0 Download IBM Concert Software 2.2.0 from Container software library section of IBM Entitled Registry ( ICR ) and follow installation instructions depending on the type of deployment."
}
],
"title": "BM Concert Software Improper Clearing of Heap Memory Before Release.",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-1721",
"datePublished": "2025-12-26T12:55:56.448Z",
"dateReserved": "2025-02-26T16:44:32.493Z",
"dateUpdated": "2025-12-26T14:47:17.326Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-36154 (GCVE-0-2025-36154)
Vulnerability from cvelistv5 – Published: 2025-12-24 19:01 – Updated: 2025-12-24 20:02
VLAI?
Title
IBM Concert Software Cleartext Storage in a File or on Disk.
Summary
IBM Concert 1.0.0 through 2.1.0 stores sensitive information in cleartext during recursive docker builds which could be obtained by a local user.
Severity ?
6.2 (Medium)
CWE
- CWE-313 - Cleartext Storage in a File or on Disk
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36154",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-24T20:02:23.714103Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T20:02:34.098Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:concert:1.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:concert:2.1.0:*:*:*:*:*:*:*"
],
"product": "Concert",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "2.1.0",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Concert 1.0.0 through 2.1.0 stores sensitive information in cleartext during recursive docker builds which could be obtained by a local user.\u003c/p\u003e"
}
],
"value": "IBM Concert 1.0.0 through 2.1.0 stores sensitive information in cleartext during recursive docker builds which could be obtained by a local user."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-313",
"description": "CWE-313 Cleartext Storage in a File or on Disk",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T19:01:48.161Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7255549"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eRemediation/Fixes IBM strongly recommends addressing the vulnerabilities now by upgrading to IBM Concert Software 2.2.0 Download IBM Concert Software 2.2.0 from Container software library section of IBM Entitled Registry ( ICR ) and follow installation instructions depending on the type of deployment.\u003c/p\u003e"
}
],
"value": "Remediation/Fixes IBM strongly recommends addressing the vulnerabilities now by upgrading to IBM Concert Software 2.2.0 Download IBM Concert Software 2.2.0 from Container software library section of IBM Entitled Registry ( ICR ) and follow installation instructions depending on the type of deployment."
}
],
"title": "IBM Concert Software Cleartext Storage in a File or on Disk.",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36154",
"datePublished": "2025-12-24T19:01:48.161Z",
"dateReserved": "2025-04-15T21:16:20.813Z",
"dateUpdated": "2025-12-24T20:02:34.098Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-36150 (GCVE-0-2025-36150)
Vulnerability from cvelistv5 – Published: 2025-11-24 20:29 – Updated: 2025-11-24 20:58
VLAI?
Title
IBM Concert Information Disclosure
Summary
IBM Concert 1.0.0 through 2.0.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.
Severity ?
5.9 (Medium)
CWE
- CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36150",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-24T20:58:02.041705Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-24T20:58:29.449Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:concert:1.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:concert:2.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Concert",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "2.0.0",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Concert 1.0.0 through 2.0.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.\u003c/p\u003e"
}
],
"value": "IBM Concert 1.0.0 through 2.0.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-327",
"description": "CWE-327 Use of a Broken or Risky Cryptographic Algorithm",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-24T20:29:19.183Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7252019"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eRemediation/Fixes IBM strongly recommends addressing the vulnerabilities now by upgrading to IBM Concert Software 2.1.0 Download IBM Concert Software 2.1.0 from Container software library section of IBM Entitled Registry ( ICR ) and follow installation instructions depending on the type of deployment.\u003c/p\u003e"
}
],
"value": "Remediation/Fixes IBM strongly recommends addressing the vulnerabilities now by upgrading to IBM Concert Software 2.1.0 Download IBM Concert Software 2.1.0 from Container software library section of IBM Entitled Registry ( ICR ) and follow installation instructions depending on the type of deployment."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Concert Information Disclosure",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36150",
"datePublished": "2025-11-24T20:29:19.183Z",
"dateReserved": "2025-04-15T21:16:20.813Z",
"dateUpdated": "2025-11-24T20:58:29.449Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-36149 (GCVE-0-2025-36149)
Vulnerability from cvelistv5 – Published: 2025-11-21 19:38 – Updated: 2025-11-21 19:48
VLAI?
Title
IBM Concert Software clickjacking
Summary
IBM Concert Software 1.0.0 through 2.0.0 could allow a remote attacker to hijack the clicking action of the victim.
Severity ?
6.3 (Medium)
CWE
- CWE-1021 - Improper Restriction of Rendered UI Layers or Frames
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | IBM Concert Software |
Affected:
1.0.0 , ≤ 2.0.0
(semver)
cpe:2.3:a:ibm:concert:1.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:concert:2.0.0:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36149",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-21T19:48:04.162194Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-21T19:48:34.076Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:concert:1.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:concert:2.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "IBM Concert Software",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "2.0.0",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cb\u003e\u0026nbsp;\u003c/b\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIBM Concert Software 1.0.0 through 2.0.0 could allow a remote attacker to hijack the clicking action of the victim. \u003c/span\u003e\u003cbr\u003e"
}
],
"value": "IBM Concert Software 1.0.0 through 2.0.0 could allow a remote attacker to hijack the clicking action of the victim."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1021",
"description": "CWE-1021 Improper Restriction of Rendered UI Layers or Frames",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-21T19:42:01.488Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"url": "https://www.ibm.com/support/pages/node/7252019"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM strongly recommends addressing the vulnerabilities now by upgrading to IBM Concert Software 2.1.0\u003c/p\u003e\u003cp\u003eDownload IBM Concert Software 2.1.0 from Container software library section of IBM Entitled Registry (\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://myibm.ibm.com/products-services/containerlibrary\"\u003eICR\u003c/a\u003e) and follow \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/docs/en/concert?topic=installing-preparing-run-installs-from-private-container-registry\"\u003einstallation instructions\u003c/a\u003e\u0026nbsp;depending on the type of deployment.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "IBM strongly recommends addressing the vulnerabilities now by upgrading to IBM Concert Software 2.1.0\n\nDownload IBM Concert Software 2.1.0 from Container software library section of IBM Entitled Registry ( ICR https://myibm.ibm.com/products-services/containerlibrary ) and follow installation instructions https://www.ibm.com/docs/en/concert \u00a0depending on the type of deployment."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Concert Software clickjacking",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36149",
"datePublished": "2025-11-21T19:38:47.251Z",
"dateReserved": "2025-04-15T21:16:19.941Z",
"dateUpdated": "2025-11-21T19:48:34.076Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-36153 (GCVE-0-2025-36153)
Vulnerability from cvelistv5 – Published: 2025-11-20 21:21 – Updated: 2025-11-20 21:35
VLAI?
Title
IBM Concert Cross-Site Scripting
Summary
IBM Concert 1.0.0 through 2.0.0 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36153",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-20T21:35:16.088592Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-20T21:35:26.690Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:concert:1.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:concert:2.0.0:*:*:*:*:*:*:*"
],
"product": "Concert",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "2.0.0",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Concert 1.0.0 through 2.0.0 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.\u003c/p\u003e"
}
],
"value": "IBM Concert 1.0.0 through 2.0.0 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-20T21:21:04.869Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7252019"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eRemediation/Fixes IBM strongly recommends addressing the vulnerabilities now by upgrading to IBM Concert Software 2.1.0 Download IBM Concert Software 2.1.0 from Container software library section of IBM Entitled Registry ( ICR ) and follow installation instructions depending on the type of deployment.\u003c/p\u003e"
}
],
"value": "Remediation/Fixes IBM strongly recommends addressing the vulnerabilities now by upgrading to IBM Concert Software 2.1.0 Download IBM Concert Software 2.1.0 from Container software library section of IBM Entitled Registry ( ICR ) and follow installation instructions depending on the type of deployment."
}
],
"title": "IBM Concert Cross-Site Scripting",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36153",
"datePublished": "2025-11-20T21:21:04.869Z",
"dateReserved": "2025-04-15T21:16:20.813Z",
"dateUpdated": "2025-11-20T21:35:26.690Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-36158 (GCVE-0-2025-36158)
Vulnerability from cvelistv5 – Published: 2025-11-20 21:19 – Updated: 2025-11-20 21:36
VLAI?
Title
IBM Concert Information Disclosure
Summary
IBM Concert 1.0.0 through 2.0.0 could allow a local user with specific permission to obtain sensitive information from files due to uncontrolled recursive directory copying.
Severity ?
5.1 (Medium)
CWE
- CWE-674 - Uncontrolled Recursion
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36158",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-20T21:35:54.418311Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-20T21:36:03.920Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:concert:1.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:concert:2.0.0:*:*:*:*:*:*:*"
],
"product": "Concert",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "2.0.0",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Concert 1.0.0 through 2.0.0 could allow a local user with specific permission to obtain sensitive information from files due to uncontrolled recursive directory copying.\u003c/p\u003e"
}
],
"value": "IBM Concert 1.0.0 through 2.0.0 could allow a local user with specific permission to obtain sensitive information from files due to uncontrolled recursive directory copying."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-674",
"description": "CWE-674 Uncontrolled Recursion",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-20T21:19:26.619Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7252019"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eRemediation/Fixes IBM strongly recommends addressing the vulnerabilities now by upgrading to IBM Concert Software 2.1.0 Download IBM Concert Software 2.1.0 from Container software library section of IBM Entitled Registry ( ICR ) and follow installation instructions depending on the type of deployment.\u003c/p\u003e"
}
],
"value": "Remediation/Fixes IBM strongly recommends addressing the vulnerabilities now by upgrading to IBM Concert Software 2.1.0 Download IBM Concert Software 2.1.0 from Container software library section of IBM Entitled Registry ( ICR ) and follow installation instructions depending on the type of deployment."
}
],
"title": "IBM Concert Information Disclosure",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36158",
"datePublished": "2025-11-20T21:19:26.619Z",
"dateReserved": "2025-04-15T21:16:20.814Z",
"dateUpdated": "2025-11-20T21:36:03.920Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-36159 (GCVE-0-2025-36159)
Vulnerability from cvelistv5 – Published: 2025-11-20 21:17 – Updated: 2025-11-20 21:36
VLAI?
Title
IBM Concert Improper Log Neutralization
Summary
IBM Concert 1.0.0 through 2.0.0 could allow a local user to forge log files to impersonate other users or hide their identity due to improper neutralization of output.
Severity ?
6.2 (Medium)
CWE
- CWE-117 - Improper Output Neutralization for Logs
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36159",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-20T21:36:45.827262Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-20T21:36:49.144Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:concert:1.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:concert:2.0.0:*:*:*:*:*:*:*"
],
"product": "Concert",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "2.0.0",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Concert 1.0.0 through 2.0.0 could allow a local user to forge log files to impersonate other users or hide their identity due to improper neutralization of output.\u003c/p\u003e"
}
],
"value": "IBM Concert 1.0.0 through 2.0.0 could allow a local user to forge log files to impersonate other users or hide their identity due to improper neutralization of output."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-117",
"description": "CWE-117 Improper Output Neutralization for Logs",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-20T21:17:47.926Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7252019"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eRemediation/Fixes IBM strongly recommends addressing the vulnerabilities now by upgrading to IBM Concert Software 2.1.0 Download IBM Concert Software 2.1.0 from Container software library section of IBM Entitled Registry ( ICR ) and follow installation instructions depending on the type of deployment.\u003c/p\u003e"
}
],
"value": "Remediation/Fixes IBM strongly recommends addressing the vulnerabilities now by upgrading to IBM Concert Software 2.1.0 Download IBM Concert Software 2.1.0 from Container software library section of IBM Entitled Registry ( ICR ) and follow installation instructions depending on the type of deployment."
}
],
"title": "IBM Concert Improper Log Neutralization",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36159",
"datePublished": "2025-11-20T21:17:47.926Z",
"dateReserved": "2025-04-15T21:16:20.814Z",
"dateUpdated": "2025-11-20T21:36:49.144Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-36160 (GCVE-0-2025-36160)
Vulnerability from cvelistv5 – Published: 2025-11-20 21:15 – Updated: 2025-11-20 21:34
VLAI?
Title
IBM Concert Information Disclosure
Summary
IBM Concert 1.0.0 through 2.0.0 could disclose sensitive server information from HTTP response headers that could aid in further attacks against the system.
Severity ?
5.3 (Medium)
CWE
- CWE-497 - Exposure of Sensitive System Information to an Unauthorized Control Sphere
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36160",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-20T21:33:45.147169Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-20T21:34:12.859Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:concert:1.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:concert:2.0.0:*:*:*:*:*:*:*"
],
"product": "Concert",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "2.0.0",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Concert 1.0.0 through 2.0.0 could disclose sensitive server information from HTTP response headers that could aid in further attacks against the system.\u003c/p\u003e"
}
],
"value": "IBM Concert 1.0.0 through 2.0.0 could disclose sensitive server information from HTTP response headers that could aid in further attacks against the system."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-497",
"description": "CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-20T21:15:35.003Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7252019"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eRemediation/Fixes IBM strongly recommends addressing the vulnerabilities now by upgrading to IBM Concert Software 2.1.0 Download IBM Concert Software 2.1.0 from Container software library section of IBM Entitled Registry ( ICR ) and follow installation instructions depending on the type of deployment.\u003c/p\u003e"
}
],
"value": "Remediation/Fixes IBM strongly recommends addressing the vulnerabilities now by upgrading to IBM Concert Software 2.1.0 Download IBM Concert Software 2.1.0 from Container software library section of IBM Entitled Registry ( ICR ) and follow installation instructions depending on the type of deployment."
}
],
"title": "IBM Concert Information Disclosure",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36160",
"datePublished": "2025-11-20T21:15:35.003Z",
"dateReserved": "2025-04-15T21:16:21.702Z",
"dateUpdated": "2025-11-20T21:34:12.859Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-36161 (GCVE-0-2025-36161)
Vulnerability from cvelistv5 – Published: 2025-11-20 15:26 – Updated: 2025-11-20 16:30
VLAI?
Title
IBM Concert Software Information Disclosure
Summary
IBM Concert 1.0.0 through 2.0.0 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict-Transport-Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques.
Severity ?
5.9 (Medium)
CWE
- CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36161",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-20T16:29:52.549259Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-20T16:30:00.600Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:concert:1.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:concert:2.0.0:*:*:*:*:*:*:*"
],
"product": "Concert",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "2.0.0",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Concert 1.0.0 through 2.0.0 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict-Transport-Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques.\u003c/p\u003e"
}
],
"value": "IBM Concert 1.0.0 through 2.0.0 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict-Transport-Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-327",
"description": "CWE-327 Use of a Broken or Risky Cryptographic Algorithm",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-20T15:26:56.613Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7252019"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eRemediation/Fixes IBM strongly recommends addressing the vulnerabilities now by upgrading to IBM Concert Software 2.1.0 Download IBM Concert Software 2.1.0 from Container software library section of IBM Entitled Registry ( ICR ) and follow installation instructions depending on the type of deployment.\u003c/p\u003e"
}
],
"value": "Remediation/Fixes IBM strongly recommends addressing the vulnerabilities now by upgrading to IBM Concert Software 2.1.0 Download IBM Concert Software 2.1.0 from Container software library section of IBM Entitled Registry ( ICR ) and follow installation instructions depending on the type of deployment."
}
],
"title": "IBM Concert Software Information Disclosure",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36161",
"datePublished": "2025-11-20T15:26:29.342Z",
"dateReserved": "2025-04-15T21:16:21.703Z",
"dateUpdated": "2025-11-20T16:30:00.600Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
FKIE_CVE-2025-36150
Vulnerability from fkie_nvd - Published: 2025-11-24 21:16 - Updated: 2025-12-01 15:51
Severity ?
5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
IBM Concert 1.0.0 through 2.0.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.
References
| URL | Tags | ||
|---|---|---|---|
| psirt@us.ibm.com | https://www.ibm.com/support/pages/node/7252019 | Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ibm:concert:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E3D14BBD-C8F9-4131-BD47-70A9C55502CE",
"versionEndIncluding": "2.0.0",
"versionStartIncluding": "1.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "IBM Concert 1.0.0 through 2.0.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information."
}
],
"id": "CVE-2025-36150",
"lastModified": "2025-12-01T15:51:16.877",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 3.6,
"source": "psirt@us.ibm.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-11-24T21:16:03.023",
"references": [
{
"source": "psirt@us.ibm.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.ibm.com/support/pages/node/7252019"
}
],
"sourceIdentifier": "psirt@us.ibm.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-327"
}
],
"source": "psirt@us.ibm.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-36149
Vulnerability from fkie_nvd - Published: 2025-11-21 20:15 - Updated: 2025-12-02 16:22
Severity ?
6.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
IBM Concert Software 1.0.0 through 2.0.0 could allow a remote attacker to hijack the clicking action of the victim.
References
| URL | Tags | ||
|---|---|---|---|
| psirt@us.ibm.com | https://www.ibm.com/support/pages/node/7252019 | Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ibm:concert:*:*:*:*:*:*:*:*",
"matchCriteriaId": "43072AC2-05A5-41A3-9E79-E0AF2C5AD3FF",
"versionEndExcluding": "2.1.0",
"versionStartIncluding": "1.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "IBM Concert Software 1.0.0 through 2.0.0 could allow a remote attacker to hijack the clicking action of the victim."
}
],
"id": "CVE-2025-36149",
"lastModified": "2025-12-02T16:22:26.430",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.4,
"source": "psirt@us.ibm.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-11-21T20:15:48.017",
"references": [
{
"source": "psirt@us.ibm.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.ibm.com/support/pages/node/7252019"
}
],
"sourceIdentifier": "psirt@us.ibm.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-1021"
}
],
"source": "psirt@us.ibm.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-36158
Vulnerability from fkie_nvd - Published: 2025-11-20 22:15 - Updated: 2025-11-21 19:50
Severity ?
5.1 (Medium) - CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
IBM Concert 1.0.0 through 2.0.0 could allow a local user with specific permission to obtain sensitive information from files due to uncontrolled recursive directory copying.
References
| URL | Tags | ||
|---|---|---|---|
| psirt@us.ibm.com | https://www.ibm.com/support/pages/node/7252019 | Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ibm:concert:*:*:*:*:*:*:*:*",
"matchCriteriaId": "43072AC2-05A5-41A3-9E79-E0AF2C5AD3FF",
"versionEndExcluding": "2.1.0",
"versionStartIncluding": "1.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "IBM Concert 1.0.0 through 2.0.0 could allow a local user with specific permission to obtain sensitive information from files due to uncontrolled recursive directory copying."
}
],
"id": "CVE-2025-36158",
"lastModified": "2025-11-21T19:50:06.163",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.4,
"impactScore": 3.6,
"source": "psirt@us.ibm.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-11-20T22:15:57.153",
"references": [
{
"source": "psirt@us.ibm.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.ibm.com/support/pages/node/7252019"
}
],
"sourceIdentifier": "psirt@us.ibm.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-674"
}
],
"source": "psirt@us.ibm.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-36159
Vulnerability from fkie_nvd - Published: 2025-11-20 22:15 - Updated: 2025-11-21 19:49
Severity ?
6.2 (Medium) - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Summary
IBM Concert 1.0.0 through 2.0.0 could allow a local user to forge log files to impersonate other users or hide their identity due to improper neutralization of output.
References
| URL | Tags | ||
|---|---|---|---|
| psirt@us.ibm.com | https://www.ibm.com/support/pages/node/7252019 | Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ibm:concert:*:*:*:*:*:*:*:*",
"matchCriteriaId": "43072AC2-05A5-41A3-9E79-E0AF2C5AD3FF",
"versionEndExcluding": "2.1.0",
"versionStartIncluding": "1.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "IBM Concert 1.0.0 through 2.0.0 could allow a local user to forge log files to impersonate other users or hide their identity due to improper neutralization of output."
}
],
"id": "CVE-2025-36159",
"lastModified": "2025-11-21T19:49:32.697",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.5,
"impactScore": 3.6,
"source": "psirt@us.ibm.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-11-20T22:15:57.340",
"references": [
{
"source": "psirt@us.ibm.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.ibm.com/support/pages/node/7252019"
}
],
"sourceIdentifier": "psirt@us.ibm.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-117"
}
],
"source": "psirt@us.ibm.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-36160
Vulnerability from fkie_nvd - Published: 2025-11-20 22:15 - Updated: 2025-11-21 19:46
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
IBM Concert 1.0.0 through 2.0.0 could disclose sensitive server information from HTTP response headers that could aid in further attacks against the system.
References
| URL | Tags | ||
|---|---|---|---|
| psirt@us.ibm.com | https://www.ibm.com/support/pages/node/7252019 | Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ibm:concert:*:*:*:*:*:*:*:*",
"matchCriteriaId": "43072AC2-05A5-41A3-9E79-E0AF2C5AD3FF",
"versionEndExcluding": "2.1.0",
"versionStartIncluding": "1.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "IBM Concert 1.0.0 through 2.0.0 could disclose sensitive server information from HTTP response headers that could aid in further attacks against the system."
}
],
"id": "CVE-2025-36160",
"lastModified": "2025-11-21T19:46:50.220",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "psirt@us.ibm.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-11-20T22:15:57.530",
"references": [
{
"source": "psirt@us.ibm.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.ibm.com/support/pages/node/7252019"
}
],
"sourceIdentifier": "psirt@us.ibm.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-497"
}
],
"source": "psirt@us.ibm.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-36153
Vulnerability from fkie_nvd - Published: 2025-11-20 22:15 - Updated: 2025-11-21 19:50
Severity ?
Summary
IBM Concert 1.0.0 through 2.0.0 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
References
| URL | Tags | ||
|---|---|---|---|
| psirt@us.ibm.com | https://www.ibm.com/support/pages/node/7252019 | Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ibm:concert:*:*:*:*:*:*:*:*",
"matchCriteriaId": "43072AC2-05A5-41A3-9E79-E0AF2C5AD3FF",
"versionEndExcluding": "2.1.0",
"versionStartIncluding": "1.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "IBM Concert 1.0.0 through 2.0.0 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session."
}
],
"id": "CVE-2025-36153",
"lastModified": "2025-11-21T19:50:43.117",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "psirt@us.ibm.com",
"type": "Secondary"
}
]
},
"published": "2025-11-20T22:15:56.970",
"references": [
{
"source": "psirt@us.ibm.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.ibm.com/support/pages/node/7252019"
}
],
"sourceIdentifier": "psirt@us.ibm.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "psirt@us.ibm.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-36161
Vulnerability from fkie_nvd - Published: 2025-11-20 16:15 - Updated: 2025-11-24 14:47
Severity ?
Summary
IBM Concert 1.0.0 through 2.0.0 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict-Transport-Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques.
References
| URL | Tags | ||
|---|---|---|---|
| psirt@us.ibm.com | https://www.ibm.com/support/pages/node/7252019 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ibm | concert | * | |
| linux | linux_kernel | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ibm:concert:*:*:*:*:*:*:*:*",
"matchCriteriaId": "43072AC2-05A5-41A3-9E79-E0AF2C5AD3FF",
"versionEndExcluding": "2.1.0",
"versionStartIncluding": "1.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*",
"matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "IBM Concert 1.0.0 through 2.0.0 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict-Transport-Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques."
}
],
"id": "CVE-2025-36161",
"lastModified": "2025-11-24T14:47:51.040",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 3.6,
"source": "psirt@us.ibm.com",
"type": "Secondary"
}
]
},
"published": "2025-11-20T16:15:58.330",
"references": [
{
"source": "psirt@us.ibm.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.ibm.com/support/pages/node/7252019"
}
],
"sourceIdentifier": "psirt@us.ibm.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-327"
}
],
"source": "psirt@us.ibm.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-36083
Vulnerability from fkie_nvd - Published: 2025-10-28 15:16 - Updated: 2025-10-31 18:59
Severity ?
6.2 (Medium) - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
IBM Concert Software
1.0.0 through 2.0.0 could allow a local user to obtain sensitive information from buffers due to improper clearing of heap memory before release.
References
| URL | Tags | ||
|---|---|---|---|
| psirt@us.ibm.com | https://www.ibm.com/support/pages/node/7249356 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ibm | concert | * | |
| linux | linux_kernel | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ibm:concert:*:*:*:*:*:*:*:*",
"matchCriteriaId": "43072AC2-05A5-41A3-9E79-E0AF2C5AD3FF",
"versionEndExcluding": "2.1.0",
"versionStartIncluding": "1.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*",
"matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "IBM Concert Software \n\n1.0.0 through 2.0.0\u00a0could allow a local user to obtain sensitive information from buffers due to improper clearing of heap memory before release."
}
],
"id": "CVE-2025-36083",
"lastModified": "2025-10-31T18:59:03.043",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.5,
"impactScore": 3.6,
"source": "psirt@us.ibm.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-10-28T15:16:12.427",
"references": [
{
"source": "psirt@us.ibm.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.ibm.com/support/pages/node/7249356"
}
],
"sourceIdentifier": "psirt@us.ibm.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-244"
}
],
"source": "psirt@us.ibm.com",
"type": "Secondary"
}
]
}