CVE-2025-27368 (GCVE-0-2025-27368)

Vulnerability from cvelistv5 – Published: 2025-11-12 19:11 – Updated: 2025-11-12 21:03
VLAI?
Title
IBM OpenPages Information Disclosure
Summary
IBM OpenPages 9.0 and 9.1 is vulnerable to information disclosure of sensitive information due to a weaker than expected security for certain REST end points used by the user interface of OpenPages. An authenticated user is able to obtain certain information about system metadata for areas beyond what the user is intended to view.
Severity ?
4.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CWE
  • CWE-497 - Exposure of Sensitive System Information to an Unauthorized Control Sphere
Assigner
ibm
References
Impacted products
Vendor Product Version
IBM OpenPages Affected: 9.0
Affected: 9.1
    cpe:2.3:a:ibm:openpages:9.1:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:openpages:9.0:*:*:*:*:*:*:*
 Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-27368",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-12T20:45:34.221716Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-12T21:03:57.566Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:ibm:openpages:9.1:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:openpages:9.0:*:*:*:*:*:*:*"
          ],
          "product": "OpenPages",
          "vendor": "IBM",
          "versions": [
            {
              "status": "affected",
              "version": "9.0"
            },
            {
              "status": "affected",
              "version": "9.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIBM OpenPages 9.0 and 9.1 is vulnerable to information disclosure of sensitive information due to a weaker than expected security for certain REST end points used by the user interface of OpenPages. An authenticated user is able to obtain certain information about system metadata for areas beyond what the user is intended to view.\u003c/p\u003e"
            }
          ],
          "value": "IBM OpenPages 9.0 and 9.1 is vulnerable to information disclosure of sensitive information due to a weaker than expected security for certain REST end points used by the user interface of OpenPages. An authenticated user is able to obtain certain information about system metadata for areas beyond what the user is intended to view."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-497",
              "description": "CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-12T19:11:10.308Z",
        "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "shortName": "ibm"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://www.ibm.com/support/pages/node/7250238"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eRemediation/Fixes A fix has been created for each affected version of the named product. Download and install the fix as soon as possible. Fixes and installation instructions are provided at the URLs listed below: Product Remediation For IBM OpenPages 9.1.1 Download URL for 9.1.1 \u003ca target=\"_blank\" rel=\"nofollow\" href=\"http://ibm.com/support/pages/downloading-ibm-openpages-version-911-passport-advantage\"\u003ehttp://ibm.com/support/pages/downloading-ibm-openpages-version-911-passport-advantage\u003c/a\u003e For IBM OpenPages 9.0 - Apply\u0026nbsp;9.0\u0026nbsp;FixPack 5 ( 9.0.0.5 ) - Then Apply 9.0.0.5 Interim Fix 7 ( 9.0.0.5.7 ) Download URL for 9.0.0.5 \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/ibm-openpages-90-fix-pack-5\"\u003ehttps://www.ibm.com/support/pages/ibm-openpages-90-fix-pack-5\u003c/a\u003e Download URL for 9.0.0.5.7 \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/ibm-openpages-9005-interim-fix-7\"\u003ehttps://www.ibm.com/support/pages/ibm-openpages-9005-interim-fix-7\u003c/a\u003e For IBM OpenPages v8.0/8.1/8.2/8.3 customers, IBM recommends to upgrade to a fixed and supported version 9.0 or 9.1 of the product.\u003c/p\u003e"
            }
          ],
          "value": "Remediation/Fixes A fix has been created for each affected version of the named product. Download and install the fix as soon as possible. Fixes and installation instructions are provided at the URLs listed below: Product Remediation For IBM OpenPages 9.1.1 Download URL for 9.1.1  http://ibm.com/support/pages/downloading-ibm-openpages-version-911-passport-advantage  For IBM OpenPages 9.0 - Apply\u00a09.0\u00a0FixPack 5 ( 9.0.0.5 ) - Then Apply 9.0.0.5 Interim Fix 7 ( 9.0.0.5.7 ) Download URL for 9.0.0.5  https://www.ibm.com/support/pages/ibm-openpages-90-fix-pack-5  Download URL for 9.0.0.5.7  https://www.ibm.com/support/pages/ibm-openpages-9005-interim-fix-7  For IBM OpenPages v8.0/8.1/8.2/8.3 customers, IBM recommends to upgrade to a fixed and supported version 9.0 or 9.1 of the product."
        }
      ],
      "title": "IBM OpenPages Information Disclosure",
      "x_generator": {
        "engine": "ibm-cvegen"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
    "assignerShortName": "ibm",
    "cveId": "CVE-2025-27368",
    "datePublished": "2025-11-12T19:11:10.308Z",
    "dateReserved": "2025-02-22T15:25:27.069Z",
    "dateUpdated": "2025-11-12T21:03:57.566Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-27368\",\"sourceIdentifier\":\"psirt@us.ibm.com\",\"published\":\"2025-11-12T20:15:41.480\",\"lastModified\":\"2025-11-18T19:12:32.107\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"IBM OpenPages 9.0 and 9.1 is vulnerable to information disclosure of sensitive information due to a weaker than expected security for certain REST end points used by the user interface of OpenPages. An authenticated user is able to obtain certain information about system metadata for areas beyond what the user is intended to view.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"psirt@us.ibm.com\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"psirt@us.ibm.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-497\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:openpages:9.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F8ACBB76-355D-43F6-851E-0B79EE52AC19\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:openpages:9.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F78E4CFE-31E7-4FFF-8DB4-6D7AC69A2248\"}]}]}],\"references\":[{\"url\":\"https://www.ibm.com/support/pages/node/7250238\",\"source\":\"psirt@us.ibm.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-27368\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-11-12T20:45:34.221716Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-11-12T20:45:36.224Z\"}}], \"cna\": {\"title\": \"IBM OpenPages Information Disclosure\", \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:ibm:openpages:9.1:*:*:*:*:*:*:*\", \"cpe:2.3:a:ibm:openpages:9.0:*:*:*:*:*:*:*\"], \"vendor\": \"IBM\", \"product\": \"OpenPages\", \"versions\": [{\"status\": \"affected\", \"version\": \"9.0\"}, {\"status\": \"affected\", \"version\": \"9.1\"}]}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Remediation/Fixes A fix has been created for each affected version of the named product. Download and install the fix as soon as possible. Fixes and installation instructions are provided at the URLs listed below: Product Remediation For IBM OpenPages 9.1.1 Download URL for 9.1.1  http://ibm.com/support/pages/downloading-ibm-openpages-version-911-passport-advantage  For IBM OpenPages 9.0 - Apply\\u00a09.0\\u00a0FixPack 5 ( 9.0.0.5 ) - Then Apply 9.0.0.5 Interim Fix 7 ( 9.0.0.5.7 ) Download URL for 9.0.0.5  https://www.ibm.com/support/pages/ibm-openpages-90-fix-pack-5  Download URL for 9.0.0.5.7  https://www.ibm.com/support/pages/ibm-openpages-9005-interim-fix-7  For IBM OpenPages v8.0/8.1/8.2/8.3 customers, IBM recommends to upgrade to a fixed and supported version 9.0 or 9.1 of the product.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eRemediation/Fixes A fix has been created for each affected version of the named product. Download and install the fix as soon as possible. Fixes and installation instructions are provided at the URLs listed below: Product Remediation For IBM OpenPages 9.1.1 Download URL for 9.1.1 \u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"http://ibm.com/support/pages/downloading-ibm-openpages-version-911-passport-advantage\\\"\u003ehttp://ibm.com/support/pages/downloading-ibm-openpages-version-911-passport-advantage\u003c/a\u003e For IBM OpenPages 9.0 - Apply\u0026nbsp;9.0\u0026nbsp;FixPack 5 ( 9.0.0.5 ) - Then Apply 9.0.0.5 Interim Fix 7 ( 9.0.0.5.7 ) Download URL for 9.0.0.5 \u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"https://www.ibm.com/support/pages/ibm-openpages-90-fix-pack-5\\\"\u003ehttps://www.ibm.com/support/pages/ibm-openpages-90-fix-pack-5\u003c/a\u003e Download URL for 9.0.0.5.7 \u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"https://www.ibm.com/support/pages/ibm-openpages-9005-interim-fix-7\\\"\u003ehttps://www.ibm.com/support/pages/ibm-openpages-9005-interim-fix-7\u003c/a\u003e For IBM OpenPages v8.0/8.1/8.2/8.3 customers, IBM recommends to upgrade to a fixed and supported version 9.0 or 9.1 of the product.\u003c/p\u003e\", \"base64\": false}]}], \"references\": [{\"url\": \"https://www.ibm.com/support/pages/node/7250238\", \"tags\": [\"vendor-advisory\", \"patch\"]}], \"x_generator\": {\"engine\": \"ibm-cvegen\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"IBM OpenPages 9.0 and 9.1 is vulnerable to information disclosure of sensitive information due to a weaker than expected security for certain REST end points used by the user interface of OpenPages. An authenticated user is able to obtain certain information about system metadata for areas beyond what the user is intended to view.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eIBM OpenPages 9.0 and 9.1 is vulnerable to information disclosure of sensitive information due to a weaker than expected security for certain REST end points used by the user interface of OpenPages. An authenticated user is able to obtain certain information about system metadata for areas beyond what the user is intended to view.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-497\", \"description\": \"CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere\"}]}], \"providerMetadata\": {\"orgId\": \"9a959283-ebb5-44b6-b705-dcc2bbced522\", \"shortName\": \"ibm\", \"dateUpdated\": \"2025-11-12T19:11:10.308Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-27368\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-11-12T21:03:57.566Z\", \"dateReserved\": \"2025-02-22T15:25:27.069Z\", \"assignerOrgId\": \"9a959283-ebb5-44b6-b705-dcc2bbced522\", \"datePublished\": \"2025-11-12T19:11:10.308Z\", \"assignerShortName\": \"ibm\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.