CVE-2025-27367

IBM OpenPages with Watson 8.3 and 9.0 is vulnerable to improper input validation due to bypassing of client-side validation for the data types and requiredness of fields for GRC Objects when an authenticated user sends a specially crafted payload to the server allowing for data to be saved without storing the required fields.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.6 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://www.ibm.com/support/pages/node/7239155	Vendor Advisory Patch

Configurations

Configuration 1 (hide)

AND

OR	cpe:2.3:a:ibm:openpages_with_watson::::::::
	cpe:2.3:a:ibm:openpages_with_watson::::::::

OR	cpe:2.3:o:linux:linux_kernel:-:::::::*
	cpe:2.3:o:microsoft:windows:-:::::::*

History

14 Jul 2025, 18:00

Type	Values Removed	Values Added
First Time		Linux linux Kernel Linux Microsoft windows Microsoft Ibm Ibm openpages With Watson
References	~~() https://www.ibm.com/support/pages/node/7239155 -~~	() https://www.ibm.com/support/pages/node/7239155 - Vendor Advisory, Patch
CPE		cpe:2.3:o:microsoft:windows:-:::::::* cpe:2.3:o:linux:linux_kernel:-:::::::* cpe:2.3:a:ibm:openpages_with_watson::::::::

10 Jul 2025, 13:18

Type	Values Removed	Values Added
Summary		(es) IBM OpenPages con Watson 8.3 y 9.0 es vulnerable a una validación de entrada incorrecta debido a la omisión de la validación del lado del cliente para los tipos de datos y la exigencia de campos para objetos GRC cuando un usuario autenticado envía un paylad especialmente manipulado al servidor que permite guardar los datos sin almacenar los campos requeridos.

08 Jul 2025, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-08 19:15

Updated : 2025-07-14 18:00

NVD link : CVE-2025-27367

Mitre link : CVE-2025-27367

CVE.ORG link : CVE-2025-27367

JSON object : View

Products Affected

ibm

openpages_with_watson

microsoft

windows

linux

linux_kernel

CWE

CWE-602

Client-Side Enforcement of Server-Side Security

{"id": "CVE-2025-27367", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "psirt@us.ibm.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.6}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2025-07-08T19:15:40.150", "references": [{"url": "https://www.ibm.com/support/pages/node/7239155", "tags": ["Vendor Advisory", "Patch"], "source": "psirt@us.ibm.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "psirt@us.ibm.com", "description": [{"lang": "en", "value": "CWE-602"}]}], "descriptions": [{"lang": "en", "value": "IBM OpenPages with Watson 8.3 and 9.0 \n\n\n\n\n\nis vulnerable to improper input validation due to bypassing of client-side validation for the data types and requiredness of fields for GRC Objects when an authenticated user sends a specially crafted payload to the server allowing for data to be saved without storing the required fields."}, {"lang": "es", "value": "IBM OpenPages con Watson 8.3 y 9.0 es vulnerable a una validaci\u00f3n de entrada incorrecta debido a la omisi\u00f3n de la validaci\u00f3n del lado del cliente para los tipos de datos y la exigencia de campos para objetos GRC cuando un usuario autenticado env\u00eda un paylad especialmente manipulado al servidor que permite guardar los datos sin almacenar los campos requeridos."}], "lastModified": "2025-07-14T18:00:43.950", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ibm:openpages_with_watson:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B775AA03-AC22-45B0-B12E-9DD2264A8417", "versionEndExcluding": "8.3.0.3.2", "versionStartIncluding": "8.3"}, {"criteria": "cpe:2.3:a:ibm:openpages_with_watson:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F6D5F2A0-43A0-4A87-BA18-D0AA55A1091F", "versionEndExcluding": "9.0.0.5.3", "versionStartIncluding": "9.0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1"}, {"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "psirt@us.ibm.com"}