Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
IBM Cognos Analytics 11.2.0, 12.0, and 12.1.0 and IBM Cognos Transformer 12.0, 11.2.4, and 12.1.0 is vulnerable to stored cross-site scripting (XSS) in Cognos Adminstration. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
AnalysisAI
Stored cross-site scripting in IBM Cognos Analytics and Cognos Transformer's Administration interface allows an authenticated low-privileged user to inject persistent JavaScript payloads into the Web UI, which then execute in the browser sessions of other users - including higher-privileged administrators - potentially leading to credential theft or session hijacking. Affected are Cognos Analytics versions 11.2.0, 12.0, and 12.1.0, and Cognos Transformer versions 11.2.4, 12.0, and 12.1.0. No public exploit identified at time of analysis, and the EPSS score of 0.03% (8th percentile) combined with SSVC exploitation status of 'none' indicates very low observed exploitation pressure.
Technical ContextAI
CWE-79 (Improper Neutralization of Input During Web Page Generation) covers failures to sanitize user-supplied input before it is rendered in HTML contexts. In this case, the Cognos Administration web interface - part of IBM's enterprise business intelligence platform - does not adequately encode or escape user-controlled data before persisting and re-rendering it. The CVSS Scope:Changed indicator confirms the vulnerability crosses a security boundary: the attacker's injected payload executes in the security context of a different user's browser session, not just their own. CPE strings cpe:2.3:a:ibm:cognos_analytics and cpe:2.3:a:ibm:cognos_transformer identify both products as affected across multiple major versions. The stored nature of the XSS (as opposed to reflected) means the payload persists server-side and activates on every subsequent page load by any user viewing the compromised admin view, amplifying potential victims without further attacker interaction.
RemediationAI
IBM has released a patch per the vendor advisory at https://www.ibm.com/support/pages/node/7272628 - organizations should consult that page for exact fix versions and apply the appropriate update for their Cognos Analytics or Cognos Transformer release line. The advisory should be reviewed to confirm whether fixes are available for all listed branches (11.2.x, 12.0, 12.1.0) or only select versions. Until patching is complete, compensating controls include restricting write access to Cognos Administration to only the minimum required set of users, enabling audit logging on administrative UI actions to detect anomalous JavaScript injection attempts, and enforcing Content Security Policy (CSP) headers if configurable at the web server or reverse proxy layer - noting that CSP may interfere with legitimate Cognos JavaScript functionality and should be tested carefully. Network-level controls limiting Cognos Administration access to trusted internal segments reduce the reachable attacker surface but do not eliminate insider threat scenarios.
More in Cognos Analytics
View allIBM Cognos Analytics 11.1.7 11.2.0, and 11.2.1 could be vulnerable to a Server-Side Request Forgery Attack (SSRF) attack
IBM Cognos Anaytics 11.0 and 11.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML dat
IBM Cognos Analytics 11 could allow a remote attacker to traverse directories on the system. Rated critical severity (CV
IBM Cognos Analytics 11.2.0 through 11.2.4 FP4 and 12.0.0 through 12.0.4 is vulnerable to an Expression Language (EL) In
IBM Cognos Analytics 11.1.7 and 11.2.0 is vulnerable to cross-site request forgery (CSRF) in the My Inbox page which cou
IBM Cognos Analytics 11.1.7 and 11.2.0 is vulnerable to priviledge escalation where a lower evel user could have access
IBM Cognos Analytics 11.1.7 and 11.2.0 could allow an authenticated user to execute code remotely due to incorrectly neu
IBM Cognos Analytics 11.2.0 through 11.2.4 and 12.0.0 through 12.0.2 is vulnerable to injection attacks in application l
IBM Cognos Analytics 11.0 and 11.1 could be vulnerable to a denial of service attack by failing to catch exceptions in a
IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 is vulnerable to an XML External Entity Injection (XXE) attack when proc
IBM Cognos Analytics 11.2.0 through 11.2.4 FP4 and 12.0.0 through 12.0.4 could be vulnerable to malicious file upload by
IBM Cognos Analytics 11.0 and 11.1 could allow a remote attacker to execute arbitrary code on the system, caused by a CS
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209930
GHSA-36w6-vpxm-3r3c