SB2025100931 - Multiple vulnerabilities in IBM Maximo Application Suite

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2025100931

SB2025100931 - Multiple vulnerabilities in IBM Maximo Application Suite

Published: October 9, 2025

Security Bulletin ID SB2025100931
Severity
High
Patch available
YES
Number of vulnerabilities 7
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

High 14% Medium 43% Low 43%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 7 secuirty vulnerabilities.


1) Stack-based buffer overflow (CVE-ID: CVE-2025-36097)

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to a stack-based overflow. A remote unauthenticated attacker can send a specially crafted request that cause the server to consume excessive memory resources.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


2) Use of insufficiently random values (CVE-ID: CVE-2025-7783)

The vulnerability allows a remote attacker to perform parameter injection attacks.

The vulnerability exists due to software uses a weak Math.random() method to generated random values for multipart form-encoded data. A remote attacker can observe values produced by Math.random in the target application and predict the random number used to generate form-data's boundary value and inject arbitrary parameters into requests. 


3) Resource exhaustion (CVE-ID: CVE-2025-25193)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to application attempts to load a file that does not exist. A local user can create a large file on the system and crash the application.

Note, the vulnerability affects Windows installations only.


4) Cryptographic issues (CVE-ID: CVE-2025-47278)

The vulnerability allows a local user to bypass implemented security restrictions.

The vulnerability exists due to the way fallback key configuration was handled. The application used the last fallback key for signing, rather than the current signing key, which could potentially lead to data tampering.


5) Resource exhaustion (CVE-ID: CVE-2025-23184)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources in CachedOutputStream instances allowing creation of enormous amount of temporary files. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


6) Input validation error (CVE-ID: CVE-2025-22872)

The vulnerability allows a remote attacker to perform code injection attacks.

The vulnerability exists due to insufficient validation of tags with unquoted attribute values that end with a solidus character (/). The tokenizer can interpret such tags as self-closing, leading to content following such tags as being placed in the wrong scope during DOM construction.


7) Interpretation Conflict (CVE-ID: CVE-2024-56339)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. A remote attacker can bypass security restrictions caused by a failure to honor security configuration. 


Remediation

Install update from vendor's website.

References