CVE-2025-36011
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-09

Last updated on: 2025-10-03

Assigner: IBM Corporation

Description
IBM Jazz for Service Management 1.1.3.0 through 1.1.3.24 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-09
Last Modified
2025-10-03
Generated
2026-06-16
AI Q&A
2025-09-09
EPSS Evaluated
2026-06-15
NVD
CVE-2025-36011
EUVD
EUVD-2025-27484
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ibm jazz_for_service_management From 1.1.3.0 (inc) to 1.1.3.25 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-614 The Secure attribute for sensitive cookies in HTTPS sessions is not set.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability occurs because IBM Jazz for Service Management versions 1.1.3.0 through 1.1.3.24 do not set the 'secure' attribute on authorization tokens or session cookies. As a result, these cookies can be sent over unencrypted HTTP connections. Attackers can exploit this by tricking users into clicking on HTTP links or embedding such links on websites the user visits, allowing the attacker to intercept the cookie values by snooping on the network traffic. [1]

Impact Analysis

The vulnerability can lead to attackers obtaining session cookies or authorization tokens by intercepting them over insecure HTTP connections. This could allow attackers to hijack user sessions or impersonate users, potentially leading to unauthorized access to the affected system. However, the impact is limited to confidentiality with a low severity score, and there is no impact on integrity or availability. [1]

Mitigation Strategies

To mitigate this vulnerability, upgrade IBM Jazz for Service Management to version 1.1.3.25 (1.1.3-TIV-JazzSM-multi-FP025 fix pack) as recommended by IBM. No other workarounds or mitigations are provided. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-36011. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart