SB2025112894 - Multiple vulnerabilities in IBM Maximo Application Suite 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2025112894

SB2025112894 - Multiple vulnerabilities in IBM Maximo Application Suite

Published: November 28, 2025

Security Bulletin ID SB2025112894
Severity
High
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

High 33% Medium 33% Low 33%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.


1) Cross-site scripting (CVE-ID: CVE-2025-36000)

The disclosed vulnerability allows a remote privileged user to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. The vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.


2) Use of insufficiently random values (CVE-ID: CVE-2020-36732)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to the application generates random numbers by concatenating the string "0." with an integer, which makes the output more predictable than necessary. A remote attacker can gain access to sensitive information.


3) Privilege Chaining (CVE-ID: CVE-2025-36124)

The vulnerability allows a remote attacker to bypass security restrictions.

The vulnerability exists due to failure to honor JMS messaging configuration. A remote attacker can trigger the vulnerability to bypass security restrictions


Remediation

Install update from vendor's website.

References