Skip to main content

License Metric Tool CVE-2025-36352

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2025-09-29 psirt@us.ibm.com
6.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Mar 28, 2026 - 19:14 vuln.today
CVE Published
Sep 29, 2025 - 15:16 nvd
MEDIUM 6.4

DescriptionCVE.org

IBM License Metric Tool 9.2.0 through 9.2.40 is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

AnalysisAI

IBM License Metric Tool 9.2.0 through 9.2.40 is vulnerable to stored cross-site scripting. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. IBM License Metric Tool 9.2.0 through 9.2.40 is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. Affected products include: Ibm License Metric Tool. Version information: through 9.2.40.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2016-8964 CRITICAL
9.8 Jul 13

IBM BigFix Inventory v9 9.2 uses an inadequate account lockout setting that could allow a remote attacker to brute force

CVE-2016-8980 HIGH
8.1 Feb 01

IBM BigFix Inventory v9 is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error whe

CVE-2023-43044 HIGH
7.5 Sep 28

IBM License Metric Tool 9.2 could allow a remote attacker to traverse directories on the system. Rated high severity (CV

CVE-2014-4774 MEDIUM
6.8 May 25

Cross-site request forgery (CSRF) vulnerability in the login page in IBM License Metric Tool 9 before 9.1.0.2 and Endpoi

CVE-2014-8924 MEDIUM
6.4 May 20

The server in IBM License Metric Tool 7.2.2 before IF15 and 7.5 before IF24 and Tivoli Asset Discovery for Distributed 7

CVE-2016-8961 MEDIUM
6.1 Feb 01

IBM BigFix Inventory v9 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. Rated

CVE-2016-8966 MEDIUM
5.9 Feb 01

IBM BigFix Inventory v9 could allow a remote attacker to obtain sensitive information, caused by the failure to properly

CVE-2016-8981 MEDIUM
5.5 Feb 01

IBM BigFix Inventory v9 allows web pages to be stored locally which can be read by another user on the system. Rated med

CVE-2016-8963 MEDIUM
5.5 Feb 01

IBM BigFix Inventory v9 stores potentially sensitive information in log files that could be read by a local user. Rated

CVE-2016-8967 MEDIUM
5.5 Feb 01

IBM BigFix Inventory v9 9.2 stores user credentials in plain in clear text which can be read by a local user. Rated medi

CVE-2016-8977 MEDIUM
5.3 Feb 01

IBM BigFix Inventory v9 could disclose sensitive information to an unauthorized user using HTTP GET requests. Rated medi

CVE-2014-8927 MEDIUM
5.0 May 25

Common Inventory Technology (CIT) before 2.7.0.2050 in IBM License Metric Tool 7.2.2, 7.5, and 9; Endpoint Manger for So

Share

CVE-2025-36352 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy