CVE-2025-36011

CWE-6143 documents3 sources

Severity

4.3MEDIUM

EPSS

0.0%

top 97.63%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

IBM Jazz FOR Service Management

Timeline

PublishedSep 9

Description

IBM Jazz for Service Management 1.1.3.0 through 1.1.3.24 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶CVEListV5ibm/jazz_for_service_management1.1.3.0 — 1.1.3.24

▶NVDibm/jazz1.1.3.0 — 1.1.3.25

🔴Vulnerability Details

GHSA

GHSA-j7p4-jqg9-w23j: IBM Jazz for Service Management 1↗2025-09-09

▶

CVEList

IBM Jazz for Service Management information disclosure↗2025-09-09

▶