CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Description (NVD)
IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.
Analysis (AI)
IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 contain an HTTP header injection vulnerability caused by improper validation of the HOST header, allowing unauthenticated remote attackers to conduct cross-site scripting (XSS), cache poisoning, and session hijacking attacks. A vendor patch is available, and while this vulnerability is not currently listed as actively exploited in CISA's Known Exploited Vulnerabilities catalog, the CVSS score of 6.5 with network accessibility and low attack complexity indicates moderate real-world risk.
Technical Context (AI)
The vulnerability exists in IBM InfoSphere Information Server, an enterprise data integration and governance platform (CPE: cpe:2.3:a:ibm:infosphere_information_server). The root cause is classified under CWE-644 (Improper Validation of HTTP Request Header for URL Redirection), which occurs when user-controlled input from HTTP headers, specifically the HOST header, is not properly sanitized before being reflected in responses or used in security-sensitive operations. This allows attackers to inject arbitrary header content, which can be leveraged for cache poisoning (by injecting Set-Cookie or other directives), session hijacking (by manipulating authentication headers), and reflective XSS attacks (by injecting content into Location headers or response bodies derived from the HOST header).
Remediation (AI)
Upgrade IBM InfoSphere Information Server to version 11.7.1.7 or later, which includes the security fix for HTTP header injection. Refer to the official IBM security advisory and patch download portal at https://www.ibm.com/support/pages/node/7267526 for detailed upgrade instructions. As interim mitigations pending patching, implement a reverse proxy or WAF configured to validate and sanitize the HOST header, restrict access to InfoSphere administrative and API endpoints to trusted IP ranges, enforce HTTPS with HSTS to prevent header-based cache poisoning, and monitor HTTP access logs for suspicious HOST header patterns.
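As an added illustration of the interim mitigation and log monitoring described above (this is example code, not IBM's fix and not code from this page), the following Python validates an inbound HOST header against an allow-list the way a reverse proxy or WAF rule would, and replays the same check over constructed access-log lines to surface suspicious HOST values; the hostnames, log format and log lines are assumptions.

```python
import re

# Constructed allow-list: hostnames this (hypothetical) InfoSphere deployment serves.
ALLOWED_HOSTS = {"infosphere.example.com", "infosphere-admin.example.com"}

# Host header grammar: reg-name, IPv4, or bracketed IPv6 literal, optionally followed by :port.
_HOST_RE = re.compile(r"(?P<host>\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.-]+)(?::(?P<port>\d{1,5}))?")

def validate_host(value, allowed=ALLOWED_HOSTS):
    """Return (accepted, reason); run at the proxy/WAF so a rejected value never
    reaches redirect, absolute-URL or cache-key construction in the application."""
    if not value:
        return False, "missing Host header"
    # CR, LF and other control characters are the raw material of header injection.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        return False, "control character in Host header"
    m = _HOST_RE.fullmatch(value.strip())
    if not m:
        return False, "malformed Host header"
    host = m.group("host").lower().rstrip(".")  # normalise case and trailing dot
    port = m.group("port")
    if port is not None and not 0 < int(port) <= 65535:
        return False, "port out of range"
    if host not in {h.lower() for h in allowed}:
        return False, "host not in allow-list: " + host
    return True, "ok"

# Constructed access-log lines in the shape: client host "request line" status
ACCESS_LOG = [
    '10.0.0.5 infosphere.example.com "GET /launchpad/ HTTP/1.1" 200',
    '203.0.113.9 attacker.example.net "GET /launchpad/ HTTP/1.1" 302',
    '203.0.113.9 infosphere.example.com:8443 "GET /launchpad/ HTTP/1.1" 200',
    '198.51.100.7 INFOSPHERE.EXAMPLE.COM. "GET /launchpad/ HTTP/1.1" 200',
    '203.0.113.9 [::1] "GET /launchpad/ HTTP/1.1" 200',
]
_LOG_RE = re.compile(r'^(?P<client>\S+) (?P<host>\S+) "(?P<request>[^"]*)" (?P<status>\d{3})$')

def suspicious_host_entries(lines, allowed=ALLOWED_HOSTS):
    """Replay the validator over logged Host values; returns (client, host, reason) per reject."""
    flagged = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline would count these separately
        ok, reason = validate_host(m.group("host"), allowed)
        if not ok:
            flagged.append((m.group("client"), m.group("host"), reason))
    return flagged
```

The allow-list check is what makes a forged HOST value harmless to redirects and cache keys; the log replay turns the same rule into a detection for the "suspicious HOST header patterns" the remediation asks you to monitor.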
EUVD-2025-209014