SB2026032610 - Multiple vulnerabilities in IBM Operational Decision Manager
Published: March 26, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) Cross-site request forgery (CVE-ID: CVE-2025-41254)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin in STOMP over WebSocket applications. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
2) Input validation error (CVE-ID: CVE-2025-31672)
The vulnerability allows a remote attacker to manipulate file parsing behavior.
The vulnerability stems from the way Apache POI handles zip entries in OOXML format files. When duplicate file names (including paths) exist within the zip structure, different products may select different zip entries with the same name, leading to inconsistent data interpretation. A remote attacker can manipulate file parsing behavior through specially crafted OOXML files containing ZIP entries with duplicate file names. This manipulation can result in inconsistent data processing across different systems, potentially leading to security issues and data integrity concerns.
3) Race condition (CVE-ID: CVE-2025-12383)
The vulnerability allows a remote attacker to bypass trust restrictions.
The vulnerability exists due to a race condition in the SSL/TLS configuration handling. A remote attacker can bypass trust restrictions and gain unauthorized access to the application.
Remediation
Install update from vendor's website.