{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2025-2895","assignerOrgId":"9a959283-ebb5-44b6-b705-dcc2bbced522","state":"PUBLISHED","assignerShortName":"ibm","dateReserved":"2025-03-28T02:06:17.704Z","datePublished":"2025-06-30T14:39:43.041Z","dateUpdated":"2025-08-24T11:36:47.304Z"},"containers":{"cna":{"affected":[{"cpes":["cpe:2.3:a:ibm:cloud_pak_system:2.3.3.6:*:*:*:*:*:*:*","cpe:2.3:a:ibm:cloud_pak_system:2.3.3.6:ifix1:*:*:*:*:*:*","cpe:2.3:a:ibm:cloud_pak_system:2.3.3.7:*:*:*:*:*:*:*","cpe:2.3:a:ibm:cloud_pak_system:2.3.3.7:ifix1:*:*:*:*:*:*","cpe:2.3:a:ibm:cloud_pak_system:2.3.4.0:*:*:*:*:*:*:*","cpe:2.3:a:ibm:cloud_pak_system:2.3.4.1:*:*:*:*:*:*:*","cpe:2.3:a:ibm:cloud_pak_system:2.3.4.1:ifix1:*:*:*:*:*:*"],"defaultStatus":"unaffected","product":"Cloud Pak System","vendor":"IBM","versions":[{"lessThanOrEqual":"2.3.36 iFix1","status":"affected","version":"2.3.3.6","versionType":"semver"},{"lessThanOrEqual":"2.3.3.7 iFix1","status":"affected","version":"2.3.3.7","versionType":"semver"},{"status":"affected","version":"2.3.4.0"},{"lessThanOrEqual":"2.3.4.1 iFix1","status":"affected","version":"2.3.4.1","versionType":"semver"}]}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"IBM Cloud Pak System 2.3.3.6, 2.3.36 iFix1, 2.3.3.7, 2.3.3.7 iFix1, 2.3.4.0, 2.3.4.1, and 2.3.4.1 iFix1 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site."}],"value":"IBM Cloud Pak System 2.3.3.6, 2.3.36 iFix1, 2.3.3.7, 2.3.3.7 iFix1, 2.3.4.0, 2.3.4.1, and 2.3.4.1 iFix1 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":5.4,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-80","description":"CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"9a959283-ebb5-44b6-b705-dcc2bbced522","shortName":"ibm","dateUpdated":"2025-08-24T11:36:47.304Z"},"references":[{"tags":["vendor-advisory","patch"],"url":"https://www.ibm.com/support/pages/node/7237164"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"This security bulletin applies to IBM Cloud Pak System, IBM Cloud Pak System Software, IBM Cloud Pak System Software Suite. <br><br>For Intel releases, IBM strongly recommends addressing these vulnerabilities now by upgrading to IBM Cloud Pak System v2.3.6.0 available from IBM Fix Central/Passport Advantage Online,<br><br>
Information on upgrading here <a target=\"_blank\" rel=\"nofollow\" href=\"http://www.ibm.com/support/docview.wss?uid=ibm10887959\">http://www.ibm.com/support/docview.wss?uid=ibm10887959</a><br><br>For Power, contact IBM Support.<br><br> <br><br>For unsupported versions the recommendation is to upgrade to supported version of the product.<br>"}],"value":"This security bulletin applies to IBM Cloud Pak System, IBM Cloud Pak System Software, IBM Cloud Pak System Software Suite. \n\nFor Intel releases, IBM strongly recommends addressing these vulnerabilities now by upgrading to IBM Cloud Pak System v2.3.6.0 available from IBM Fix Central/Passport Advantage Online,\n\n
Information on upgrading here  http://www.ibm.com/support/docview.wss?uid=ibm10887959 \n\nFor Power, contact IBM Support.\n\n \n\nFor unsupported versions the recommendation is to upgrade to supported version of the product."}],"source":{"discovery":"UNKNOWN"},"title":"IBM Cloud Pak System HTML injection","x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-06-30T14:59:12.440305Z","id":"CVE-2025-2895","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-06-30T14:59:26.584Z"}}]}}