CVE-2025-1826
📋 TL;DR
This stored XSS vulnerability in IBM Engineering Requirements Management DOORS Next allows authenticated users to inject malicious JavaScript into the web interface. Attackers could steal session credentials or perform actions as authenticated users. Only authenticated users on the host network can exploit this vulnerability.
💻 Affected Systems
- IBM Engineering Requirements Management DOORS Next
- IBM Jazz Foundation
⚠️ Risk & Real-World Impact
Worst Case
Authenticated attacker steals administrator credentials, gains full system access, and compromises the entire DOORS Next deployment and connected systems.
Likely Case
Authenticated user with malicious intent steals other users' session tokens, leading to unauthorized access to sensitive requirements data.
If Mitigated
With proper input validation and output encoding, malicious scripts are neutralized before execution, preventing credential theft.
🎯 Exploit Status
Requires authenticated access and knowledge of the application interface; attacker must convince victim to interact with malicious content.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply IBM Jazz Foundation 7.0.2 iFix035, 7.0.3 iFix017, or 7.1.0 iFix005 or later
Vendor Advisory: https://www.ibm.com/support/pages/node/7247292
Restart Required: No
Instructions:
1. Download the appropriate iFix from IBM Fix Central.
2. Apply the iFix according to IBM installation instructions.
3. Verify the patch is applied by checking the version in the web interface.
🔧 Temporary Workarounds
Implement Content Security Policy (CSP)
Add CSP headers to restrict script execution sources and prevent inline script execution
Add 'Content-Security-Policy' header with appropriate directives to web server configuration
Input Validation Filtering
Implement server-side input validation to sanitize user inputs before storage
Configure application to validate and sanitize all user inputs using IBM-recommended methods
🧯 If You Can't Patch
- Implement strict access controls to limit authenticated users to only those who need access
- Monitor application logs for unusual JavaScript injection attempts and user behavior anomalies
🔍 How to Verify
Check if Vulnerable:
Check IBM Jazz Foundation version in web interface: Settings > About > Version Information
Check Version:
Check web interface or consult IBM documentation for version verification commands
Verify Fix Applied:
Verify version shows 7.0.2 iFix035+, 7.0.3 iFix017+, or 7.1.0 iFix005+ after patching
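The version check above can be scripted once the version string has been read from the web interface. This is an added example, not IBM tooling: the input format ("7.0.2 iFix035") and the function names are assumptions, and release lines the advisory does not name are reported as unknown rather than guessed.

```python
import re

# Minimum fixed iFix level per release line, copied from the advisory text above.
FIXED_IFIX = {"7.0.2": 35, "7.0.3": 17, "7.1.0": 5}

# Assumed format: "<major>.<minor>.<patch>" optionally followed by "iFix<NNN>",
# separated by whitespace, "-" or "_". Matching is case-insensitive.
_VERSION_RE = re.compile(r"(\d+\.\d+\.\d+)(?:[\s_-]*iFix\s*(\d+))?", re.IGNORECASE)


def parse_version(text):
    """Return (release, ifix_level); a release with no iFix suffix is level 0."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no version found in {text!r}")
    release, ifix = match.group(1), match.group(2)
    return release, int(ifix) if ifix else 0


def fix_status(text):
    """Classify a version string as 'fixed', 'not_fixed' or 'unknown'."""
    release, ifix = parse_version(text)
    required = FIXED_IFIX.get(release)
    if required is None:
        # The advisory lists no fix level for this release line, so do not
        # report it as patched or unpatched; check the vendor advisory.
        return "unknown"
    return "fixed" if ifix >= required else "not_fixed"


if __name__ == "__main__":
    # Constructed sample strings, not output captured from a real server.
    samples = [
        "7.0.2 iFix035",
        "7.0.2 iFix034",
        "Jazz Foundation 7.0.3-ifix020",
        "7.1.0",
        "7.0.1 iFix040",
    ]
    for sample in samples:
        print(f"{sample:32} {fix_status(sample)}")
```

An "unknown" result means the release line is outside the three named in the Official Fix section and needs to be checked against the vendor advisory.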
📡 Detection & Monitoring
Log Indicators:
- Unusual JavaScript patterns in user inputs
- Multiple failed login attempts from new locations after user viewed content
Network Indicators:
- Unexpected outbound connections to external domains from user sessions
- Unusual data exfiltration patterns
SIEM Query:
source="ibm_doors_logs" AND (message="*script*" OR message="*javascript*" OR message="*onclick*") AND severity="HIGH"