SB2025043033 - Multiple vulnerabilities in IBM Observability with Instana 

Published: April 30, 2025
Updated: July 31, 2025

Security Bulletin ID: SB2025043033
Severity: High
Patch available: Yes
Number of vulnerabilities: 11
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Critical: 9% (1 of 11)
High: 36% (4 of 11)
Medium: 27% (3 of 11)
Low: 27% (3 of 11)

Description

This security bulletin contains information about 11 security vulnerabilities.


1) Code Injection (CVE-ID: CVE-2024-53382)

The vulnerability allows a remote attacker to execute arbitrary script code in the victim's browser.

The vulnerability exists because Prism (PrismJS) is susceptible to DOM clobbering: its lookup of document.currentScript can be shadowed by attacker-injected HTML elements, so untrusted input that contains HTML but no JavaScript at all can still result in cross-site scripting (XSS). A remote attacker can inject specially crafted HTML into a page that uses Prism and execute arbitrary script code in the user's browser in the context of the vulnerable website.
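To make the DOM-clobbering mechanism concrete, the following JavaScript is an added model written for this bulletin; it is not Prism's code. It shows how an injected element named currentScript shadows document.currentScript for any code that trusts that property, and a defensive lookup that rejects anything other than a real script element. The stand-in document object, the element shapes, the URLs, the base-path derivation and the hardening check are all assumptions: the check is a common mitigation pattern, not a quotation of Prism's actual patch.

```javascript
// Added example, not Prism's code. A minimal model (no real DOM) of how DOM
// clobbering shadows document.currentScript, next to a defensive lookup.

// Stand-in for `document`. ASSUMPTION modelled here: browsers declare
// Document with [LegacyOverrideBuiltIns], so an element whose name/id is
// "currentScript" is returned by document.currentScript instead of the
// built-in getter's value.
function makeDocument(realScriptSrc, injectedElements) {
  const real = { tagName: 'SCRIPT', src: realScriptSrc };
  const doc = {};
  Object.defineProperty(doc, 'currentScript', {
    get() {
      const clobber = injectedElements.find(
        (el) => el.name === 'currentScript' || el.id === 'currentScript');
      return clobber || real;
    },
  });
  return doc;
}

// Vulnerable pattern: trust document.currentScript and derive a base URL
// from its src (a loader then fetches further scripts relative to it).
function unsafeScriptBase(doc) {
  const script = doc.currentScript;
  return script.src.replace(/[^/]+$/, '');
}

// Hardened pattern (a common mitigation, assumed here rather than taken
// from Prism's patch): accept only a genuine <script> element.
function safeScriptBase(doc) {
  const script = doc.currentScript;
  if (!script || script.tagName !== 'SCRIPT') return null;
  return script.src.replace(/[^/]+$/, '');
}

// Constructed inputs: the page's own prism.js, and an attacker-supplied
//   <img name="currentScript" src="https://attacker.example/evil/x.png">
// that arrived through untrusted HTML containing no <script> at all.
const LEGIT_SRC = 'https://cdn.example/prism/prism.js';
const INJECTED = [{ tagName: 'IMG', name: 'currentScript',
                    src: 'https://attacker.example/evil/x.png' }];

const cleanDoc = makeDocument(LEGIT_SRC, []);
const clobberedDoc = makeDocument(LEGIT_SRC, INJECTED);

function demoClobbering() {
  return {
    cleanUnsafe: unsafeScriptBase(cleanDoc),         // 'https://cdn.example/prism/'
    clobberedUnsafe: unsafeScriptBase(clobberedDoc), // 'https://attacker.example/evil/'
    clobberedSafe: safeScriptBase(clobberedDoc),     // null
  };
}
console.log(demoClobbering());
```

The point of the model is that no JavaScript needs to be injected: an image tag with the right name is enough to make the unsafe lookup resolve to an attacker-controlled URL, which is why a sanitizer that strips script tags but keeps name and id attributes does not close this hole.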


2) Cross-site scripting (CVE-ID: CVE-2025-26791)

The disclosed vulnerability allows a remote attacker to perform mutation cross-site scripting (mXSS) attacks.

The vulnerability exists because DOMPurify uses an incorrect regular expression for template literals, so specially crafted markup survives sanitization and is reinterpreted by the browser as executable content. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.


3) Resource exhaustion (CVE-ID: CVE-2025-29907)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists because the application does not properly control consumption of internal resources in the "addImage" method. A remote attacker can pass specially crafted input to that method, trigger resource exhaustion and perform a denial of service (DoS) attack.


4) NULL pointer dereference (CVE-ID: CVE-2023-5590)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.


5) Resource exhaustion (CVE-ID: CVE-2024-9823)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists because the application does not properly control consumption of internal resources within the DoSFilter. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


6) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2025-27152)

The disclosed vulnerability allows a remote attacker to perform SSRF attacks.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.

Successful exploitation of this vulnerability may allow a remote attacker to gain access to sensitive data located on the local network or to send malicious requests to other servers from the vulnerable system.


7) Prototype pollution (CVE-ID: CVE-2025-25977)

The vulnerability allows a remote attacker to execute arbitrary JavaScript code.

The vulnerability exists due to improper input validation that allows prototype pollution through the constructor of the StyleElement class. A remote attacker can pass specially crafted input to the application and execute arbitrary JavaScript code.


8) Resource exhaustion (CVE-ID: CVE-2024-11187)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists because the application does not properly control consumption of internal resources when handling DNS zones with numerous records in the Additional section. A remote attacker can trigger resource exhaustion by sending multiple queries to the affected server and perform a denial of service (DoS) attack.


9) Input validation error (CVE-ID: CVE-2025-1094)

The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.

The vulnerability exists due to insufficient neutralization of quoting syntax in the PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString() and PQescapeStringConn(), and within the PostgreSQL command line utility programs when client_encoding is BIG5 and server_encoding is one of EUC_TW or MULE_INTERNAL. Because the escaping routines could pass through invalidly encoded multibyte input, a quote character that the escaper skipped could later be interpreted as a string delimiter. A remote attacker can pass specially crafted input to the application and execute arbitrary SQL queries in the database.

Note: this vulnerability is being actively exploited in the wild.
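As an added illustration written for this bulletin (not libpq or psql code), the JavaScript below models the failure class behind this kind of quoting bug: an escaping routine and the parser that later reads its output disagree about where a multibyte character ends, so a quote byte that the escaper skips as a "trail byte" is seen as a string terminator by the parser. The byte ranges are a simplified BIG5-like scheme, and the naive escaper, the strict escaper and the toy lexer are assumptions standing in for libpq and psql rather than their real logic. The strict variant shows the shape of the fix (refuse invalid multibyte input instead of passing it through); parameterized queries avoid the problem entirely because no client-side quoting takes place.

```javascript
// Added example, not libpq/psql code. Models a quoting bug in a multibyte
// client encoding. ASSUMPTION: a simplified BIG5-like scheme where a lead
// byte 0xA1-0xF9 is followed by exactly one trail byte.
const isLead = (b) => b >= 0xa1 && b <= 0xf9;
const isTrail = (b) => (b >= 0x40 && b <= 0x7e) || (b >= 0xa1 && b <= 0xfe);
const QUOTE = 0x27; // '

// Naive escaper: doubles single quotes, but after a lead byte it copies the
// next byte blindly (an mblen-driven loop). A quote smuggled in as the
// "trail byte" of an invalid sequence is therefore copied unescaped.
function escapeNaive(input) {
  const out = [];
  for (let i = 0; i < input.length; i++) {
    const b = input[i];
    if (isLead(b) && i + 1 < input.length) {
      out.push(b, input[i + 1]);
      i++;
      continue;
    }
    if (b === QUOTE) out.push(QUOTE, QUOTE); else out.push(b);
  }
  return Buffer.from(out);
}

// Strict escaper (the shape of the fix): an invalid multibyte sequence is
// an error, never something to pass through to the server.
function escapeStrict(input) {
  const out = [];
  for (let i = 0; i < input.length; i++) {
    const b = input[i];
    if (isLead(b)) {
      if (i + 1 >= input.length || !isTrail(input[i + 1])) {
        throw new Error(`invalid multibyte sequence at byte ${i}`);
      }
      out.push(b, input[i + 1]);
      i++;
      continue;
    }
    if (b === QUOTE) out.push(QUOTE, QUOTE); else out.push(b);
  }
  return Buffer.from(out);
}

// Wrap escaped bytes in single quotes, as a caller building SQL would.
function quoteLiteral(escaper, userBytes) {
  return Buffer.concat([Buffer.from([QUOTE]), escaper(userBytes), Buffer.from([QUOTE])]);
}

// Toy lexer standing in for the consumer (e.g. psql): it only treats a lead
// byte as 2-byte when a valid trail byte follows, so it sees the smuggled
// quote and ends the literal there. Returns the literal body and whatever
// bytes follow the closing quote (anything there is injected SQL).
function lexLiteral(sql) {
  if (sql[0] !== QUOTE) throw new Error('expected opening quote');
  const body = [];
  let i = 1;
  while (i < sql.length) {
    const b = sql[i];
    if (isLead(b) && i + 1 < sql.length && isTrail(sql[i + 1])) {
      body.push(b, sql[i + 1]);
      i += 2;
    } else if (b === QUOTE) {
      if (sql[i + 1] === QUOTE) { body.push(QUOTE); i += 2; continue; } // '' -> '
      return { body: Buffer.from(body), trailing: sql.subarray(i + 1).toString('latin1') };
    } else {
      body.push(b);
      i++;
    }
  }
  throw new Error('unterminated literal');
}

// Constructed inputs: a valid 2-byte character followed by a quote, and an
// attack string whose lead byte is immediately followed by a quote.
const BENIGN = Buffer.from([0xa4, 0x40, QUOTE]);
const ATTACK = Buffer.concat([Buffer.from([0xa1, QUOTE]), Buffer.from(' OR 1=1', 'latin1')]);

function demoQuoting() {
  let strictAttack;
  try { quoteLiteral(escapeStrict, ATTACK); strictAttack = 'accepted'; }
  catch (e) { strictAttack = 'rejected'; }
  return {
    benignTrailing: lexLiteral(quoteLiteral(escapeNaive, BENIGN)).trailing, // ''
    attackTrailing: lexLiteral(quoteLiteral(escapeNaive, ATTACK)).trailing, // " OR 1=1'"
    strictAttack,                                                            // 'rejected'
  };
}
console.log(demoQuoting());
```

The benign input shows the escaper doing its job (the quote is doubled and the lexer keeps it inside the literal); the attack input shows the same escaper leaving a quote untouched because it mistook it for the second byte of a character, so the lexer terminates the literal early and everything after it becomes live SQL.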


10) Buffer overflow (CVE-ID: CVE-2024-54543)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


11) Input validation error (CVE-ID: CVE-2025-24162)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in WebKit. A remote attacker can trick the victim into visiting a specially crafted website and perform a denial of service (DoS) attack.


Remediation

Install the update from the vendor's website.