IBM Jazz for Service Management 1.1.3.0 through 1.1.3.24 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.
Fixes

Solution

Affected JazzSM VersionRecommended FixJazz for Service Management version 1.1.3.0 - 1.1.3.24Install JazzSM 1.1.3.25: 1.1.3-TIV-JazzS https://www.ibm.com/support/fixcentral/swg/downloadFixes


Workaround

No workaround given by the vendor.

History

Fri, 03 Oct 2025 19:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:ibm:jazz_for_service_management:*:*:*:*:*:*:*:*

Wed, 10 Sep 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Sep 2025 19:45:00 +0000

Type Values Removed Values Added
Description IBM Jazz for Service Management 1.1.3.0 through 1.1.3.24 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.
Title IBM Jazz for Service Management information disclosure
First Time appeared Ibm
Ibm jazz For Service Management
Weaknesses CWE-614
CPEs cpe:2.3:a:ibm:jazz_for_service_management:1.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:jazz_for_service_management:1.1.3.24:*:*:*:*:*:*:*
Vendors & Products Ibm
Ibm jazz For Service Management
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2025-09-10T13:59:38.169Z

Reserved: 2025-04-15T21:16:07.862Z

Link: CVE-2025-36011

cve-icon Vulnrichment

Updated: 2025-09-10T13:59:35.381Z

cve-icon NVD

Status : Analyzed

Published: 2025-09-09T20:15:39.067

Modified: 2025-10-03T19:04:22.843

Link: CVE-2025-36011

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.