CVE-2025-27909
BaseFortify
Publication date: 2025-08-18
Last updated on: 2025-08-21
Assigner: IBM Corporation
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ibm | concert | From 1.0.0 (inc) to 2.0.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-942 | The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate. |
| CWE-697 | The product compares two entities in a security-relevant context, but the comparison is incorrect. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in IBM Concert Software versions 1.0.0 through 1.1.0 involves improper use of cross-origin resource sharing (CORS). The software does not restrict the origins allowed for CORS requests to a list of trusted domains, so a browser running a page from an untrusted origin can be granted access to responses from the Concert instance. Because CORS is enforced by the browser based on the Access-Control-Allow-Origin and Access-Control-Allow-Credentials headers the server returns, an overly permissive policy lets an attacker-controlled page perform privileged actions through the victim's browser.
How can this vulnerability impact me?
An attacker who lures an authenticated Concert user to a malicious web page could have that page issue credentialed cross-origin requests to the affected system and read the responses, effectively acting with the victim's session. This could lead to unauthorized access to or modification of data, compromising the confidentiality and integrity of information.
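The following is an added illustration of the two CWE patterns listed under Exploitability (CWE-942, a CORS policy that admits untrusted origins, and CWE-697, an incorrect comparison) as they apply to the explanation and impact answers above. It is not IBM Concert code and does not describe how Concert validates origins; the handler functions, the trusted-origin list, the hostnames and the simulated browser check are all assumptions for the example.

```javascript
// Added example: weak vs. strict CORS origin validation, plus a simulation of
// the browser-side decision that turns a permissive policy into an exploit.
// Origins, hostnames and handler logic are hypothetical, not IBM Concert's.

// Assumed allowlist of origins that may make credentialed requests.
const TRUSTED_ORIGINS = new Set([
  "https://concert.example.com",
  "https://admin.example.com",
]);

// Weak validation (CWE-697 incorrect comparison leading to CWE-942):
// a suffix match on the raw Origin header. "https://evil-example.com"
// ends with "example.com", so an attacker-registered domain is accepted
// and its origin is reflected back with credentials allowed.
function weakCorsHeaders(origin) {
  if (typeof origin === "string" && origin.endsWith("example.com")) {
    return {
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Credentials": "true",
    };
  }
  return {};
}

// Strict validation: parse the Origin header, require that its normalized
// serialization equals the raw value (rejects stray paths, userinfo or
// redundant ports), and compare the whole origin against the allowlist.
// Vary: Origin is always emitted so shared caches never serve a response
// built for one origin to another.
function strictCorsHeaders(origin) {
  const headers = { Vary: "Origin" };
  if (typeof origin !== "string" || origin === "null") return headers;
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return headers; // not a syntactically valid origin
  }
  if (parsed.origin !== origin || !TRUSTED_ORIGINS.has(parsed.origin)) {
    return headers; // no ACAO header: the browser blocks cross-origin reads
  }
  headers["Access-Control-Allow-Origin"] = parsed.origin;
  headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}

// Simulates the browser's CORS check for a fetch() made with
// credentials: "include" from a page at pageOrigin. The page may read the
// response only if ACAO exactly equals its origin (a wildcard is not
// honoured with credentials) and ACAC is "true".
function browserWouldExpose(pageOrigin, headers) {
  const acao = headers["Access-Control-Allow-Origin"];
  const acac = headers["Access-Control-Allow-Credentials"];
  return acao === pageOrigin && acac === "true";
}

// Constructed scenario: the attacker's page at evil-example.com targets a
// privileged endpoint on the (hypothetical) Concert instance.
function demo() {
  const attacker = "https://evil-example.com";
  const legit = "https://concert.example.com";
  return {
    weakExposesToAttacker: browserWouldExpose(attacker, weakCorsHeaders(attacker)),
    strictExposesToAttacker: browserWouldExpose(attacker, strictCorsHeaders(attacker)),
    strictExposesToTrusted: browserWouldExpose(legit, strictCorsHeaders(legit)),
  };
}

console.log(demo());
```

The weak handler is the shape of bug both CWEs describe: the comparison is wrong (a suffix test instead of an exact origin match), and the effect is a policy that admits any domain an attacker can register under a matching name. The strict handler fixes it by comparing the complete, normalized origin against an explicit set; the simulated browser check shows that without a matching Access-Control-Allow-Origin the attacker's page gets nothing back even though the request still reaches the server.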