CVE-2025-14807

EUVD-2025-209014 | MEDIUM | 2026-03-25 | ibm
CVSS 3.1 base score: 6.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

EUVD ID Assigned: Mar 25, 2026 - 21:02 (euvd) - EUVD-2025-209014
Analysis Generated: Mar 25, 2026 - 21:02 (vuln.today)
Patch Released: Mar 25, 2026 - 21:02 (nvd) - patch available
CVE Published: Mar 25, 2026 - 20:46 (nvd)

Description

IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.

Analysis

IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 contain an HTTP header injection vulnerability caused by improper validation of the HOST header, allowing unauthenticated remote attackers to conduct cross-site scripting (XSS), cache poisoning, and session hijacking attacks. A vendor patch is available, and while this vulnerability is not currently listed as actively exploited in CISA's Known Exploited Vulnerabilities catalog, the CVSS score of 6.5 with network accessibility and low attack complexity indicates moderate real-world risk.

Technical Context

The vulnerability exists in IBM InfoSphere Information Server, an enterprise data integration and governance platform (CPE: cpe:2.3:a:ibm:infosphere_information_server). The root cause is classified under CWE-644 (Improper Validation of HTTP Request Header for URL Redirection), which occurs when user-controlled input from HTTP headers, specifically the HOST header here, is not properly sanitized before being reflected in responses or used in security-sensitive operations. This allows attackers to inject arbitrary header content, which can be leveraged for cache poisoning (by injecting Set-Cookie or other directives), session hijacking (by manipulating authentication headers), and reflected XSS (by injecting content into Location headers or response bodies derived from the HOST header).

Affected Products

IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 are affected, as indicated by the CPE cpe:2.3:a:ibm:infosphere_information_server:*:*:*:*:*:*:*:* and the vendor advisory. The affected version range spans multiple point releases within the 11.7 product line. Organizations should verify their installed version against the complete list provided in the IBM support advisory at https://www.ibm.com/support/pages/node/7267526 to determine exposure.

Remediation

Upgrade IBM InfoSphere Information Server to version 11.7.1.7 or later, which includes the security fix for HTTP header injection. Refer to the official IBM security advisory and patch download portal at https://www.ibm.com/support/pages/node/7267526 for detailed upgrade instructions. As interim mitigations pending patching, implement a reverse proxy or WAF configured to validate and sanitize the HOST header, restrict access to InfoSphere administrative and API endpoints to trusted IP ranges, enforce HTTPS with HSTS to prevent header-based cache poisoning, and monitor HTTP access logs for suspicious HOST header patterns.
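As an added illustration of the interim mitigations above (example code, not part of the advisory or of IBM's tooling), the following Python check enforces a Host allowlist the way a reverse proxy or WAF rule in front of InfoSphere would, and runs the same check over constructed access-log lines to surface suspicious HOST values. The allowlisted hostnames, ports and the log format are assumptions.

```python
import re

# Constructed allowlist for the example; use the names and ports your
# InfoSphere front end is legitimately reachable on.
ALLOWED_HOSTS = {"infosphere.example.internal"}
ALLOWED_PORTS = {None, "443", "9443"}

# RFC 1123 host name plus optional port; spaces, CR/LF, '@', '<' etc. fail.
_HOST_RE = re.compile(
    r"^(?P<name>[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*)"
    r"(?::(?P<port>\d{1,5}))?$", re.IGNORECASE)

def host_problem(host):
    """Return None if `host` is acceptable, otherwise a short rejection reason."""
    if not host or len(host) > 255:
        return "missing-or-too-long"
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in host):
        return "control-char"        # raw CR/LF: header injection attempt
    if re.search(r"\\[rn]|%0[ad]", host, re.IGNORECASE):
        return "encoded-control"     # escaped or percent-encoded CR/LF as logged
    m = _HOST_RE.match(host)
    if not m:
        return "malformed"
    if m.group("name").lower() not in ALLOWED_HOSTS:
        return "not-allowlisted"
    if m.group("port") not in ALLOWED_PORTS:
        return "unexpected-port"
    return None

# Constructed access-log lines; assumed format appends host="%{Host}i".
SAMPLE_LOG = """\
10.0.0.5 - - [25/Mar/2026:20:46:01 +0000] "GET /ibm/iis/console/ HTTP/1.1" 200 5120 host="infosphere.example.internal:9443"
203.0.113.9 - - [25/Mar/2026:20:46:07 +0000] "GET /ibm/iis/console/ HTTP/1.1" 302 0 host="attacker.example.org"
203.0.113.9 - - [25/Mar/2026:20:46:09 +0000] "GET /ibm/iis/console/ HTTP/1.1" 200 5120 host="infosphere.example.internal\\r\\nSet-Cookie: a=b"
198.51.100.4 - - [25/Mar/2026:20:47:00 +0000] "GET /ibm/iis/console/ HTTP/1.1" 200 5120 host="infosphere.example.internal:8080"
"""

_LINE_RE = re.compile(r'^(?P<ip>\S+) .*? host="(?P<host>[^"]*)"$')

def scan_log(text):
    """Return (client_ip, host, reason) for each line whose Host value should not be trusted."""
    findings = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m and (reason := host_problem(m.group("host"))):
            findings.append((m.group("ip"), m.group("host"), reason))
    return findings

if __name__ == "__main__":
    for ip, host, reason in scan_log(SAMPLE_LOG):
        print(f"{ip:<14} {reason:<16} {host}")
```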

Priority Score

33 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +32
POC: 0
