CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Description
IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 IBM InfoSphere DataStage Flow Designer is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.
Analysis
IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 contain a cross-site request forgery (CSRF) vulnerability in the DataStage Flow Designer component. An attacker who holds no privileges on the system (PR:N) can cause an authenticated user's browser to submit unauthorized state-changing requests on that user's behalf. The vulnerability has a CVSS score of 4.3 with low attack complexity and no privileges required, though it requires user interaction (UI:R): the victim must visit attacker-controlled content while holding a valid session. A vendor patch is available. The impact is to integrity only (I:L); confidentiality and availability are not affected.
Technical Context
This vulnerability exploits the absence of CSRF protections (CWE-352) in the DataStage Flow Designer web interface, a core component of IBM's enterprise data integration platform. The affected CPE range (cpe:2.3:a:ibm:infosphere_information_server:*:*:*:*:*:*:*:*) indicates the issue affects the entire InfoSphere Information Server product line from version 11.7.0.0 through 11.7.1.6. CSRF attacks against web applications typically leverage the browser's automatic inclusion of session cookies to forge malicious requests. In the context of DataStage Flow Designer, an attacker could embed malicious links or script content that, when visited by an authenticated user, would execute unauthorized operations such as modifying data flows, altering job configurations, or executing pipelines without the user's knowledge or consent.
Affected Products
IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 are affected, as confirmed by the provided CPE specification. The vulnerability specifically impacts the DataStage Flow Designer component within these versions. Customers should consult the vendor security advisory available at https://www.ibm.com/support/pages/node/7266685 for precise version confirmation and patch availability details.
Remediation
Upgrade IBM InfoSphere Information Server to version 11.7.1.7 or later, applying the patch available from IBM's support page at https://www.ibm.com/support/pages/node/7266685. Organizations unable to patch immediately should implement compensating controls: enforce HTTPS-only access to the DataStage Flow Designer interface, implement HSTS headers, restrict network access to the application via IP whitelisting or VPN-only policies, and educate users about CSRF risks to reduce the likelihood of users clicking malicious links while authenticated to the system. Consider implementing a Web Application Firewall (WAF) with CSRF token validation if available.
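The two controls referenced above (the absent CSRF protection described under Technical Context, and the token validation suggested as a compensating control under Remediation) come down to the same server-side check. The following is an added example, not code from IBM or from the DataStage Flow Designer product: a generic Python model of a state-changing endpoint that (1) refuses to act on safe HTTP methods, (2) requires the request's Origin or Referer to match the application's own origin, and (3) requires a per-session synchronizer token that a cross-site page cannot read. `APP_ORIGIN`, the session store, the cookie name `SESSIONID` and the sample requests in `demo()` are all constructed for illustration.

```python
"""CSRF defence model: synchronizer token plus Origin/Referer validation.

Constructed example for a generic web application; it is not IBM code and
does not model the DataStage Flow Designer internals. A forged cross-site
POST is rejected because the browser sends the attacker page's Origin and
the page cannot read the victim's per-session token.
"""
import hmac
import secrets
from urllib.parse import urlparse

APP_ORIGIN = "https://flowdesigner.example.internal"   # constructed origin
SESSION_STORE: dict = {}   # session_id -> {"user": str, "csrf_token": str}


def create_session(user: str) -> str:
    """Create a server-side session and bind a fresh CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    SESSION_STORE[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def session_cookie_header(sid: str) -> str:
    """Set-Cookie value: SameSite=Lax stops the browser attaching the cookie to
    cross-site POSTs in the first place; the token check below is defence in depth."""
    return f"SESSIONID={sid}; Secure; HttpOnly; SameSite=Lax"


def csrf_token_for(sid: str) -> str:
    """Token the application embeds in its own forms (hidden field)."""
    return SESSION_STORE[sid]["csrf_token"]


def _origin_allowed(headers: dict) -> bool:
    """Accept only requests whose Origin (or, failing that, Referer) is ours.
    A request that carries neither header fails closed."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin == APP_ORIGIN
    referer = headers.get("Referer")
    if referer is not None:
        p = urlparse(referer)
        return f"{p.scheme}://{p.netloc}" == APP_ORIGIN
    return False


def authorize_state_change(request: dict) -> tuple:
    """Decide whether a state-changing request may proceed.

    request = {"method": str, "headers": dict, "cookies": dict, "form": dict}
    Returns (allowed: bool, reason: str).
    """
    if request["method"] in ("GET", "HEAD", "OPTIONS"):
        return False, "state changes must not be reachable via safe methods"
    sess = SESSION_STORE.get(request["cookies"].get("SESSIONID"))
    if sess is None:
        return False, "no valid session"
    if not _origin_allowed(request["headers"]):
        return False, "origin/referer mismatch"
    supplied = request["form"].get("csrf_token", "")
    # Constant-time comparison on bytes so non-ASCII input cannot raise.
    if not hmac.compare_digest(supplied.encode(), sess["csrf_token"].encode()):
        return False, "missing or invalid csrf token"
    return True, "ok"


def demo() -> dict:
    """Run constructed requests through the check and return each outcome."""
    sid = create_session("alice")
    cookies = {"SESSIONID": sid}   # browser attaches this automatically
    legit = {"method": "POST", "headers": {"Origin": APP_ORIGIN},
             "cookies": cookies,
             "form": {"csrf_token": csrf_token_for(sid), "action": "run_job"}}
    # Forged request: victim's cookie rides along, but Origin is the attacker's
    # page and the hidden token is unknown to it.
    forged = {"method": "POST", "headers": {"Origin": "https://attacker.example"},
              "cookies": cookies, "form": {"action": "run_job"}}
    # Same origin but token omitted (e.g. request hand-built without the form).
    no_token = {"method": "POST", "headers": {"Origin": APP_ORIGIN},
                "cookies": cookies, "form": {"action": "run_job"}}
    via_get = {"method": "GET", "headers": {"Origin": APP_ORIGIN},
               "cookies": cookies, "form": {"action": "run_job"}}
    return {"legit": authorize_state_change(legit),
            "forged": authorize_state_change(forged),
            "no_token": authorize_state_change(no_token),
            "via_get": authorize_state_change(via_get)}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:9s} allowed={ok} ({reason})")
```

The Origin/Referer check is the piece a WAF in front of the application can enforce without code changes, which is what the "WAF with CSRF token validation" suggestion amounts to when the application itself issues no token; the synchronizer token and the `SameSite` cookie attribute require the application (here, the vendor patch) to cooperate.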
EUVD-2025-209025