CVE-2025-36011

MEDIUM

IBM Jazz for Service Management <1.1.3.24 - Open Redirect

Title source: llm
STIX 2.1

Description

IBM Jazz for Service Management 1.1.3.0 through 1.1.3.24 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.

References (1)

Core 1
Core References
Vendor Advisory vendor-advisory patch
https://www.ibm.com/support/pages/node/7244357

Scores

CVSS v3 4.3
EPSS 0.0001
EPSS Percentile 2.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-614
Status published
Products (1)
ibm/jazz_for_service_management 1.1.3.0 - 1.1.3.25
Published Sep 09, 2025
Tracked Since Feb 18, 2026