Critical Flaws in IBM Cloud Pak System Allow Malicious HTML Injection

IBM has issued a security bulletin detailing two significant vulnerabilities affecting IBM Cloud Pak System installations.

These flaws could enable attackers to execute malicious code and compromise systems through prototype pollution and HTML injection techniques.

The vulnerabilities, tracked as CVE-2020-5258 and CVE-2025-2895, impact multiple versions of the enterprise software platform.

Technical Vulnerability Analysis

The CVE-2020-5258 vulnerability stems from a prototype pollution flaw in Dojo’s deepCopy method within affected NPM packages.

This allows attackers to inject properties into JavaScript prototype objects, potentially compromising application logic and enabling code execution. Rated at CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), the vulnerability can be exploited without privileges or user interaction.
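To make the prototype-pollution mechanism concrete, here is an added illustration written for this page. It is not Dojo's deepCopy and not IBM's code: a small recursive copy in the pattern such bugs share, placed beside a hardened version, with a constructed JSON input that tries to reach Object.prototype through the key "__proto__".

```javascript
// Added illustration (not Dojo's deepCopy, not IBM's code): a recursive copy
// in the pattern that prototype-pollution bugs share, beside a hardened form.

// Unsafe: walks every own key of `source`, including "__proto__". When
// `target` is a plain object, target["__proto__"] resolves to
// Object.prototype, so the recursion writes attacker-chosen properties there.
function deepCopyUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      deepCopyUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Keys that address the prototype chain rather than the object itself.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: refuses prototype-altering keys and only recurses into containers
// that `target` owns directly, never into something it inherits. Arrays are
// treated as leaf values here to keep the example short.
function deepCopySafe(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) ||
          target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      deepCopySafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed untrusted input, as a request body parsed with JSON.parse would
// deliver it: JSON.parse creates "__proto__" as an ordinary own property, so
// Object.keys() returns it like any other key.
const UNTRUSTED_JSON = '{"title":"report","__proto__":{"isAdmin":true}}';

// Runs one copy function on a fresh object and reports whether a brand-new,
// unrelated object afterwards inherits `isAdmin`, i.e. whether
// Object.prototype was polluted. Cleans up so later code is unaffected.
function demonstrate(copyFn) {
  const settings = { title: 'default' };
  copyFn(settings, JSON.parse(UNTRUSTED_JSON));
  const polluted = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return { polluted, title: settings.title };
}

console.log('unsafe copy polluted Object.prototype:', demonstrate(deepCopyUnsafe).polluted);   // true
console.log('hardened copy polluted Object.prototype:', demonstrate(deepCopySafe).polluted);   // false
```

The skip-list is the fix the deep-copy routine itself needs; as defence in depth, an application can also call Object.freeze(Object.prototype) at startup so that any remaining write to the shared prototype fails instead of silently changing every object's behaviour.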

Simultaneously, CVE-2025-2895 exposes systems to HTML injection attacks (CVSS 5.4: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).

This vulnerability permits remote attackers to inject malicious HTML that executes within victims’ browsers when viewed, effectively enabling cross-site scripting (XSS) attacks within the application’s security context.

Both vulnerabilities stem from improper input neutralization – CWE-94 for code injection and CWE-80 for basic XSS.
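The HTML injection side (CWE-80) comes down to untrusted text reaching the page without output encoding. The following is an added illustration, not IBM's code, showing the vulnerable concatenation pattern beside its encoded form, plus a small review aid that flags tag names a rendered fragment should not contain. The comment-rendering functions and the sample values are constructed for this example.

```javascript
// Added illustration (not IBM's code): output encoding for untrusted text
// placed into HTML, the control that removes CWE-80 style HTML injection.

// The five characters that can change meaning in HTML text content or in a
// double- or single-quoted attribute value.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: stored or reflected user input concatenated straight
// into markup, so any tags in it become part of the page.
function renderCommentUnsafe(author, body) {
  return `<div class="comment"><b>${author}</b>: ${body}</div>`;
}

// Hardened pattern: every untrusted value is encoded for the context it lands in.
function renderCommentSafe(author, body) {
  return `<div class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</div>`;
}

// Review/detection aid: given a rendered fragment and the tag names the
// template is allowed to emit, report any tag name that appears anyway.
function unexpectedTags(html, allowedTags) {
  const found = new Set();
  for (const m of html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)) {
    const name = m[1].toLowerCase();
    if (!allowedTags.includes(name)) found.add(name);
  }
  return [...found];
}

// Constructed sample: a comment body carrying markup, as a tester would submit
// to confirm that output encoding is in place.
const SAMPLE_AUTHOR = 'reviewer "one"';
const SAMPLE_BODY = 'Looks fine <script>alert(1)</script> overall';
const TEMPLATE_TAGS = ['div', 'b'];

console.log('unsafe render leaks tags:',
  unexpectedTags(renderCommentUnsafe(SAMPLE_AUTHOR, SAMPLE_BODY), TEMPLATE_TAGS)); // [ 'script' ]
console.log('safe render leaks tags:',
  unexpectedTags(renderCommentSafe(SAMPLE_AUTHOR, SAMPLE_BODY), TEMPLATE_TAGS));   // []
```

The encoder above is only correct for HTML text and quoted attribute values; a value placed into a URL, a JavaScript string or a CSS property needs the encoder for that context, which is why templating engines that encode by default are the preferred fix over hand-written escaping.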

Affected Product Versions

Platform | Vulnerable Versions
Power    | 2.3.3.7, 2.3.3.7 iFix1, 2.3.5.0
Intel    | 2.3.3.6, 2.3.3.6 iFix1, 2.3.4.0, 2.3.4.1, 2.3.4.1 iFix1

The IBM Cloud Pak System Software Suite version 2.3.4.1 and its subsequent iFix are also confirmed vulnerable.

These vulnerabilities specifically impact the JavaScript implementation within the affected IBM Cloud Pak System deployments.

Remediation and Upgrade Paths

IBM mandates immediate upgrades to mitigate risks.

For Intel-based systems, upgrade to v2.3.6.0 available via IBM Fix Central or Passport Advantage Online.

Power systems require direct engagement with IBM Support for patching.

No viable workarounds exist, making version upgrades the only effective mitigation against potential exploitation.

Organizations using unsupported versions must transition to supported releases immediately.

IBM has closed related APARs (JR62851, JR62922) as program errors following vulnerability resolution.

The bulletin emphasizes that failure to patch could enable remote code execution and client-side attacks through manipulated web content.


AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
