CVE-2025-36249

LOW

IBM Jazz for Service Management <1.1.3.25 - Open Redirect

Title source: llm
STIX 2.1

Description

IBM Jazz for Service Management 1.1.3.0 through 1.1.3.25 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.

References (1)

Core 1
Core References
Vendor Advisory vendor-advisory patch
https://www.ibm.com/support/pages/node/7249820

Scores

CVSS v3 3.7
EPSS 0.0001
EPSS Percentile 2.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-614
Status published
Products (1)
ibm/jazz_for_service_management 1.1.3.0 - 1.1.3.26
Published Oct 31, 2025
Tracked Since Feb 18, 2026