IBM Cloud Pak Vulnerabilities Allow HTML Injection by Remote Attackers
Multiple security vulnerabilities in IBM Cloud Pak System enable remote attackers to execute HTML injection attacks, potentially compromising user data and system integrity.
These flaws, detailed in recent IBM security bulletins, affect various versions of the platform and expose organizations to cross-site scripting (XSS) and prototype pollution attacks.
CVE ID | Description | CVSS Score |
CVE-2025-2895 | HTML injection enabling malicious script execution | 5.4 |
CVE-2020-5258 | Prototype pollution in Dojo package allowing code injection | 7.5 |
Key Vulnerabilities and Exploits
The most critical vulnerabilities include:
1. HTML Injection (CVE-2025-2895)
- Description: Allows remote attackers to inject malicious HTML code. When viewed, this code executes in the victim’s browser within the hosting site’s security context.
- CVSS Score: 5.4 (Medium)
- Impact: Enables session hijacking, data theft, and unauthorized actions via client-side script execution.
2. Prototype Pollution (CVE-2020-5258)
- Description: Affects the Dojo NPM package, letting attackers inject properties into JavaScript prototypes. This compromises application logic and enables code injection.
- CVSS Score: 7.5 (High)
- Impact: Permits arbitrary code execution, data manipulation, and system compromise.
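The prototype pollution bug class from item 2, shown as an added example that is not Dojo's or IBM's code: a recursive copy that follows a `__proto__` key from untrusted JSON, next to a hardened copy that skips prototype-bearing keys. All function names and the sample input are constructed for illustration.

```javascript
// Added illustration of the bug class; not Dojo or IBM code. Names are hypothetical.

// Vulnerable pattern: recursive copy that follows every key of untrusted input.
function unsafeDeepCopy(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === "object") {
      // For key "__proto__", target[key] resolves to Object.prototype,
      // so the recursion writes attacker-chosen properties onto it.
      if (target[key] === null || typeof target[key] !== "object") target[key] = {};
      unsafeDeepCopy(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened pattern: own keys only, prototype-bearing keys skipped,
// and recursion only into objects the target itself owns.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function safeDeepCopy(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === "object") {
      const own = hasOwn(target, key) ? target[key] : null;
      if (own === null || typeof own !== "object") target[key] = {};
      safeDeepCopy(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs both copies over constructed input and reports what a fresh object sees.
function demo() {
  // JSON.parse stores "__proto__" as an ordinary own property of the result.
  const untrusted = JSON.parse('{"theme":{"color":"blue"},"__proto__":{"isAdmin":true}}');
  const copied = safeDeepCopy({}, untrusted);
  const afterSafe = {}.isAdmin;            // undefined: prototype untouched
  unsafeDeepCopy({}, untrusted);
  const afterUnsafe = {}.isAdmin;          // true: every object now inherits it
  delete Object.prototype.isAdmin;         // undo the pollution for this process
  return { color: copied.theme.color, afterSafe, afterUnsafe, cleaned: !("isAdmin" in {}) };
}
console.log(demo());
```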
Affected Products
Product | Versions (Power) | Versions (Intel) |
IBM Cloud Pak System | 2.3.3.7, 2.3.3.7 iFix1 | 2.3.3.6, 2.3.3.6 iFix1 |
IBM Cloud Pak System | 2.3.5.0 | 2.3.4.0, 2.3.4.1 |
Attackers exploit these flaws by:
- Sending crafted payloads to unpatched IBM Cloud Pak instances.
- Triggering HTML injection to deploy malicious scripts that steal credentials or session cookies.
- Leveraging prototype pollution to override security controls and escalate privileges.
Mitigation and Patches
IBM released urgent fixes, including:
- Intel Systems: Upgrade to v2.3.6.0 via IBM Fix Central.
- Power Systems: Contact IBM Support for patches.
- Unsupported Versions: Migrate to patched releases immediately.
These vulnerabilities coincide with other critical flaws in IBM Cloud Pak ecosystems, such as:
- CVE-2024-47764: Authentication bypass in jshttp cookie modules.
- CVE-2024-5535: OpenSSL buffer over-read exposing TLS communications.
IBM emphasizes comprehensive audits and real-time monitoring to counter evolving threats.
The HTML injection and prototype pollution vulnerabilities in IBM Cloud Pak System underscore critical risks in enterprise cloud infrastructure.
Immediate patching is essential to prevent data breaches and operational disruptions. Organizations must prioritize updating affected versions and adopt layered security practices to mitigate exposure.