Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
IBM Cognos Analytics 11.2.0, 11.2.4, 12.0, and 12.1.0 and IBM Cognos Transformer 11.2.4, 12.0, and 12.1.0 are vulnerable to cross-site scripting (XSS). This vulnerability allows a remote attacker to inject arbitrary JavaScript code into the web user interface, which may alter the intended functionality and could lead to the disclosure of credentials within a trusted session.
AnalysisAI
Cross-site scripting in IBM Cognos Analytics and IBM Cognos Transformer allows a remote authenticated attacker to inject arbitrary JavaScript into the web user interface, executing in the browser context of other users within a trusted session. Affected versions span IBM Cognos Analytics 11.2.0 through 12.1.0 and IBM Cognos Transformer 11.2.4 through 12.1.0. The primary risk is credential disclosure - an attacker who can plant a payload could harvest session tokens or credentials from other authenticated users. No public exploit code exists and CISA SSVC rates exploitation as none at time of analysis.
Technical ContextAI
CWE-79 (Improper Neutralization of Input During Web Page Generation) describes a failure to sanitize user-supplied input before rendering it in a web page, allowing script injection. The CVSS Scope value of Changed (S:C) is the defining indicator here: the vulnerable component (the Cognos web server) processes attacker input, but the security impact materializes in a different security domain - the victim's browser. This changed-scope characteristic is canonical for XSS and explains why the CVSS score reaches 5.4 despite low individual impact ratings on confidentiality and integrity. The affected products are IBM Cognos Analytics (a business intelligence and analytics platform) and IBM Cognos Transformer (its OLAP cube-building component), both of which expose web-based administrative and reporting interfaces. EUVD-2025-209974 corroborates the NVD entry with identical version ranges.
RemediationAI
Consult the IBM PSIRT advisory at https://www.ibm.com/support/pages/node/7272628 for official patch guidance. The input data confirms patch availability via IBM support but does not specify exact fixed version numbers; administrators should reference the advisory to obtain the precise remediated build for their Cognos Analytics or Cognos Transformer release track. As a compensating control pending patching, restrict access to the Cognos web interface to trusted internal networks or VPN-authenticated users only - this limits the attacker pool to authenticated insiders and reduces the likelihood that a session-hijacking payload reaches high-value victims. Content Security Policy (CSP) headers, if configurable at the reverse proxy layer in front of Cognos, can restrict inline script execution and reduce XSS impact, though this does not eliminate the underlying injection flaw. Note that restricting network access may impact legitimate remote BI users and should be weighed against business continuity requirements.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209974
GHSA-p9wj-7gjh-3h42