SB2025110412 - Multiple vulnerabilities in IBM Maximo Application Suite 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2025110412

SB2025110412 - Multiple vulnerabilities in IBM Maximo Application Suite

Published: November 4, 2025

Security Bulletin ID SB2025110412
Severity
High
Patch available
YES
Number of vulnerabilities 11
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 9% Medium 64% Low 27%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 11 secuirty vulnerabilities.


1) XML injection (CVE-ID: CVE-2025-9375)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation when processing XML data. A remote unauthenticated attacker can pass specially crafted XML data to the application and perform arbitrary actions on the system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


2) Insufficiently protected credentials (CVE-ID: CVE-2024-47081)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to the library leaks .netrc credentials to third parties for specific maliciously-crafted URLs. A remote attacker can gain access to sensitive information. 


3) Resource exhaustion (CVE-ID: CVE-2025-30204)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources within the parse.ParseUnverified function when parsing authorization header. A remote attacker can send a specially crafted HTTP response to the application, trigger resource exhaustion and perform a denial of service (DoS) attack.


4) Insufficient technical documentation (CVE-ID: CVE-2024-51744)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due due to unclear documentation of the error behavior in "ParseWithClaims". A remote attacker can trick the victim into accepting invalid tokens, which can lead to information disclosure.


5) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2025-36047)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


6) Resource exhaustion (CVE-ID: CVE-2025-48976)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to Apache Commons FileUpload provided a hard-coded limit of 10kB for the size of the headers associated with a multipart request. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


7) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2025-58754)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to allocation of resources without limits within data: URL decode. A remote attacker can cause a denial of service condition on the target system.


8) Uncontrolled Memory Allocation (CVE-ID: CVE-2024-4068)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to NPM package `braces` fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. A remote attacker can send "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.


9) Protection Mechanism Failure (CVE-ID: CVE-2025-50182)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to incorrect implementation of the Redirect object when handling redirects and retries in a Pyodide runtime. A remote attacker can force the library to follow redirects even if explicitly disabled.


10) Protection Mechanism Failure (CVE-ID: CVE-2025-50181)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to incorrect implementation of the Redirect object when handling redirects and retries. A remote attacker can force the library to follow redirects even if explicitly disabled with PoolManager.


11) Path traversal (CVE-ID: CVE-2025-47273)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to input validation error when processing directory traversal sequences in package_index.py. A remote attacker can trick the victim into installing a specially crafted script and overwrite arbitrary files on the system, leading to code execution.


Remediation

Install update from vendor's website.

References