CVE-2025-36248

Summary

IBM Copy Services Manager 6.3.13 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

Affected Software

VendorProductVersion RangeStatus
IBMCopy Services Manager6.3.13affected

Weaknesses

  • CWE-79: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

Workarounds

  1. Locate the server.xml file under the csmServer

  2. Create a backup of the file

  3. Edit the file and locate the line

<httpSession cookieSecure="true" cookieName="csmsessionid" cookieSameSite="Lax" />

  1. Change the line to the following:

 <httpSession cookieSecure="true" cookieName="csmsessionid" cookieSameSite="Strict" />

  1. Restart IBM Copy Services Manager service.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References