SB2025112894 - Multiple vulnerabilities in IBM Maximo Application Suite
Published: November 28, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 vulnerabilities.
1) Cross-site scripting (CVE-ID: CVE-2025-36000)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The disclosed vulnerability allows a remote privileged user to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. The vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
2) Use of insufficiently random values (CVE-ID: CVE-2020-36732)
CWE-ID: CWE-330 - Use of Insufficiently Random Values
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to the application generates random numbers by concatenating the string "0." with an
integer, which makes the output more predictable than necessary. A remote attacker can gain access to sensitive information.
3) Privilege Chaining (CVE-ID: CVE-2025-36124)
CWE-ID: CWE-268 - Privilege Chaining
CVSSv4: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to bypass security restrictions.
The vulnerability exists due to failure to honor JMS messaging configuration. A remote attacker can trigger the vulnerability to bypass security restrictions
Remediation
Install update from vendor's website.