{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-36326", "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "state": "PUBLISHED", "assignerShortName": "ibm", "dateReserved": "2025-04-15T21:16:51.462Z", "datePublished": "2025-09-26T14:20:46.219Z", "dateUpdated": "2025-09-26T14:54:41.385Z"}, "containers": {"cna": {"affected": [{"cpes": ["cpe:2.3:a:ibm:cognos_controller:11.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:cognos_controller:11.0.1:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "product": "Cognos Controller", "vendor": "IBM", "versions": [{"lessThanOrEqual": "11.0.1", "status": "affected", "version": "11.0.0", "versionType": "semver"}]}, {"cpes": ["cpe:2.3:a:ibm:controller:11.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:controller:11.1.1:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "product": "Controller", "vendor": "IBM", "versions": [{"lessThanOrEqual": "11.1.1", "status": "affected", "version": "11.1.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "IBM Cognos Controller 11.0.0 through 11.0.1, and IBM Controller 11.1.0 through 11.1.1 could allow an attacker to obtain sensitive information due to the use of hardcoded cryptographic keys for signing session cookies."}], "value": "IBM Cognos Controller 11.0.0 through 11.0.1, and IBM Controller 11.1.0 through 11.1.1 could allow an attacker to obtain sensitive information due to the use of hardcoded cryptographic keys for signing session cookies."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-321", "description": "CWE-321 Use of Hard-coded Cryptographic Key", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm", "dateUpdated": "2025-09-26T14:20:46.219Z"}, "references": [{"tags": ["vendor-advisory", "patch"], "url": "https://www.ibm.com/support/pages/node/7246015"}], "source": {"discovery": "UNKNOWN"}, "title": "IBM Controller information disclosure", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div><div><div><div>Download the script from here: <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FCognos+8+Controller&amp;fixids=CNTRL-WS-11.X-PATCH&amp;source=SAR&amp;function=fixId&amp;parent=Cognos\">Fix Central</a></div><div>&nbsp;</div><div>It is strongly recommended that you apply the most recent security updates:</div></div></div>&nbsp; &nbsp; </div><div><table><tbody><tr><td><strong>Affected Product(s)</strong></td><td><strong>Version(s)</strong></td><td><strong>Interim Fix</strong></td></tr><tr><td>IBM Controller</td><td>11.1.0 - 11.1.1</td><td><span style=\"background-color: rgb(255, 255, 255);\"><a target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FCognos+8+Controller&amp;fixids=CNTRL-WS-11.X-PATCH&amp;source=SAR&amp;function=fixId&amp;parent=Cognos\">Fix Central</a></span></td></tr><tr><td>IBM Cognos Controller</td><td>11.0.0 - 11.0.1 </td><td><span style=\"background-color: rgb(255, 255, 255);\"><a target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FCognos+8+Controller&amp;fixids=CNTRL-WS-11.X-PATCH&amp;source=SAR&amp;function=fixId&amp;parent=Cognos\">Fix Central</a></span></td></tr></tbody></table></div><p>Prerequisites</p><ol><li>Ensure you are logged in to the server with System Administrator privileges.</li><li>Create a backup of the server.js file located in the product installation path (e.g., C:\\ccr_64\\frontend) before proceeding.</li></ol><p>Procedure</p><ol><li>Navigate to the directory containing server.js in the product installation path (e.g., C:\\ccr_64\\frontend).</li><li>Copy the script file ControllerWebUIService_11_X_Patch.ps1 into this directory.</li><li>Right-click on the ControllerWebUIService_11_X_Patch.ps1 script and select Run with PowerShell to execute it.</li><li>After execution, verify that a new System Environment Variable named session_passphrase has been created and assigned a random value.</li><li>Confirm that all SSL configuration steps have already been completed if you have enabled SSL.</li><li>Restart the IBM Controller Web UI service.</li></ol><p>Notes</p><ul><li>This script is intended for one-time use only. Do not re-run the script.</li><li>If any errors occur during execution of the ControllerWebUIService_11_X_Patch.ps1 script, you may run the rollback script ControllerWebUIService_11_X_Patch_Rollback.ps1 or &nbsp; replace server.js with the backed-up file.</li><li>Do not delete the session_passphrase environment variable.</li><li>After each Fix Pack (FP) upgrade, re-execute the patch script only if the session_passphrase is missing from the server.js file.</li></ul>\n\n<br>"}], "value": "Download the script from here: Fix Central https://www.ibm.com/support/fixcentral/swg/selectFixes \n\n\u00a0\n\nIt is strongly recommended that you apply the most recent security updates:\n\n\n\n\n\n\u00a0 \u00a0 \n\nAffected Product(s)Version(s)Interim FixIBM Controller11.1.0 - 11.1.1 Fix Central https://www.ibm.com/support/fixcentral/swg/selectFixes IBM Cognos Controller11.0.0 - 11.0.1 Fix Central https://www.ibm.com/support/fixcentral/swg/selectFixes \n\nPrerequisites\n\n * Ensure you are logged in to the server with System Administrator privileges.\n * Create a backup of the server.js file located in the product installation path (e.g., C:\\ccr_64\\frontend) before proceeding.\nProcedure\n\n * Navigate to the directory containing server.js in the product installation path (e.g., C:\\ccr_64\\frontend).\n * Copy the script file ControllerWebUIService_11_X_Patch.ps1 into this directory.\n * Right-click on the ControllerWebUIService_11_X_Patch.ps1 script and select Run with PowerShell to execute it.\n * After execution, verify that a new System Environment Variable named session_passphrase has been created and assigned a random value.\n * Confirm that all SSL configuration steps have already been completed if you have enabled SSL.\n * Restart the IBM Controller Web UI service.\nNotes\n\n * This script is intended for one-time use only. Do not re-run the script.\n * If any errors occur during execution of the ControllerWebUIService_11_X_Patch.ps1 script, you may run the rollback script ControllerWebUIService_11_X_Patch_Rollback.ps1 or \u00a0 replace server.js with the backed-up file.\n * Do not delete the session_passphrase environment variable.\n * After each Fix Pack (FP) upgrade, re-execute the patch script only if the session_passphrase is missing from the server.js file."}], "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-26T14:54:16.381196Z", "id": "CVE-2025-36326", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-26T14:54:41.385Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-36326", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-26T14:54:16.381196Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-26T14:54:21.348Z"}}], "cna": {"title": "IBM Controller information disclosure", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"cpes": ["cpe:2.3:a:ibm:cognos_controller:11.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:cognos_controller:11.0.1:*:*:*:*:*:*:*"], "vendor": "IBM", "product": "Cognos Controller", "versions": [{"status": "affected", "version": "11.0.0", "versionType": "semver", "lessThanOrEqual": "11.0.1"}], "defaultStatus": "unaffected"}, {"cpes": ["cpe:2.3:a:ibm:controller:11.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:controller:11.1.1:*:*:*:*:*:*:*"], "vendor": "IBM", "product": "Controller", "versions": [{"status": "affected", "version": "11.1.0", "versionType": "semver", "lessThanOrEqual": "11.1.1"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.ibm.com/support/pages/node/7246015", "tags": ["vendor-advisory", "patch"]}], "workarounds": [{"lang": "en", "value": "Download the script from here: Fix Central https://www.ibm.com/support/fixcentral/swg/selectFixes \n\n\u00a0\n\nIt is strongly recommended that you apply the most recent security updates:\n\n\n\n\n\n\u00a0 \u00a0 \n\nAffected Product(s)Version(s)Interim FixIBM Controller11.1.0 - 11.1.1 Fix Central https://www.ibm.com/support/fixcentral/swg/selectFixes IBM Cognos Controller11.0.0 - 11.0.1 Fix Central https://www.ibm.com/support/fixcentral/swg/selectFixes \n\nPrerequisites\n\n * Ensure you are logged in to the server with System Administrator privileges.\n * Create a backup of the server.js file located in the product installation path (e.g., C:\\ccr_64\\frontend) before proceeding.\nProcedure\n\n * Navigate to the directory containing server.js in the product installation path (e.g., C:\\ccr_64\\frontend).\n * Copy the script file ControllerWebUIService_11_X_Patch.ps1 into this directory.\n * Right-click on the ControllerWebUIService_11_X_Patch.ps1 script and select Run with PowerShell to execute it.\n * After execution, verify that a new System Environment Variable named session_passphrase has been created and assigned a random value.\n * Confirm that all SSL configuration steps have already been completed if you have enabled SSL.\n * Restart the IBM Controller Web UI service.\nNotes\n\n * This script is intended for one-time use only. Do not re-run the script.\n * If any errors occur during execution of the ControllerWebUIService_11_X_Patch.ps1 script, you may run the rollback script ControllerWebUIService_11_X_Patch_Rollback.ps1 or \u00a0 replace server.js with the backed-up file.\n * Do not delete the session_passphrase environment variable.\n * After each Fix Pack (FP) upgrade, re-execute the patch script only if the session_passphrase is missing from the server.js file.", "supportingMedia": [{"type": "text/html", "value": "<div><div><div><div>Download the script from here: <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FCognos+8+Controller&amp;fixids=CNTRL-WS-11.X-PATCH&amp;source=SAR&amp;function=fixId&amp;parent=Cognos\">Fix Central</a></div><div>&nbsp;</div><div>It is strongly recommended that you apply the most recent security updates:</div></div></div>&nbsp; &nbsp; </div><div><table><tbody><tr><td><strong>Affected Product(s)</strong></td><td><strong>Version(s)</strong></td><td><strong>Interim Fix</strong></td></tr><tr><td>IBM Controller</td><td>11.1.0 - 11.1.1</td><td><span style=\"background-color: rgb(255, 255, 255);\"><a target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FCognos+8+Controller&amp;fixids=CNTRL-WS-11.X-PATCH&amp;source=SAR&amp;function=fixId&amp;parent=Cognos\">Fix Central</a></span></td></tr><tr><td>IBM Cognos Controller</td><td>11.0.0 - 11.0.1 </td><td><span style=\"background-color: rgb(255, 255, 255);\"><a target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FCognos+8+Controller&amp;fixids=CNTRL-WS-11.X-PATCH&amp;source=SAR&amp;function=fixId&amp;parent=Cognos\">Fix Central</a></span></td></tr></tbody></table></div><p>Prerequisites</p><ol><li>Ensure you are logged in to the server with System Administrator privileges.</li><li>Create a backup of the server.js file located in the product installation path (e.g., C:\\ccr_64\\frontend) before proceeding.</li></ol><p>Procedure</p><ol><li>Navigate to the directory containing server.js in the product installation path (e.g., C:\\ccr_64\\frontend).</li><li>Copy the script file ControllerWebUIService_11_X_Patch.ps1 into this directory.</li><li>Right-click on the ControllerWebUIService_11_X_Patch.ps1 script and select Run with PowerShell to execute it.</li><li>After execution, verify that a new System Environment Variable named session_passphrase has been created and assigned a random value.</li><li>Confirm that all SSL configuration steps have already been completed if you have enabled SSL.</li><li>Restart the IBM Controller Web UI service.</li></ol><p>Notes</p><ul><li>This script is intended for one-time use only. Do not re-run the script.</li><li>If any errors occur during execution of the ControllerWebUIService_11_X_Patch.ps1 script, you may run the rollback script ControllerWebUIService_11_X_Patch_Rollback.ps1 or &nbsp; replace server.js with the backed-up file.</li><li>Do not delete the session_passphrase environment variable.</li><li>After each Fix Pack (FP) upgrade, re-execute the patch script only if the session_passphrase is missing from the server.js file.</li></ul>\n\n<br>", "base64": false}]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "IBM Cognos Controller 11.0.0 through 11.0.1, and IBM Controller 11.1.0 through 11.1.1 could allow an attacker to obtain sensitive information due to the use of hardcoded cryptographic keys for signing session cookies.", "supportingMedia": [{"type": "text/html", "value": "IBM Cognos Controller 11.0.0 through 11.0.1, and IBM Controller 11.1.0 through 11.1.1 could allow an attacker to obtain sensitive information due to the use of hardcoded cryptographic keys for signing session cookies.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-321", "description": "CWE-321 Use of Hard-coded Cryptographic Key"}]}], "providerMetadata": {"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm", "dateUpdated": "2025-09-26T14:20:46.219Z"}}}, "cveMetadata": {"cveId": "CVE-2025-36326", "state": "PUBLISHED", "dateUpdated": "2025-09-26T14:54:41.385Z", "dateReserved": "2025-04-15T21:16:51.462Z", "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "datePublished": "2025-09-26T14:20:46.219Z", "assignerShortName": "ibm"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ibm:cognos_controller:*:*:*:*:*:*:*:*", "matchCriteriaId": "FACCAE0A-7AE8-4E8A-A407-191C260B6F91", "versionEndIncluding": "11.0.1", "versionStartIncluding": "11.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:controller:*:*:*:*:*:*:*:*", "matchCriteriaId": "8DEB42CB-5D84-498E-82D3-0EA268A4E599", "versionEndIncluding": "11.1.1", "versionStartIncluding": "11.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "IBM Cognos Controller 11.0.0 through 11.0.1, and IBM Controller 11.1.0 through 11.1.1 could allow an attacker to obtain sensitive information due to the use of hardcoded cryptographic keys for signing session cookies."}], "id": "CVE-2025-36326", "lastModified": "2025-10-03T19:14:39.327", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "psirt@us.ibm.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-09-26T15:16:03.437", "references": [{"source": "psirt@us.ibm.com", "tags": ["Vendor Advisory"], "url": "https://www.ibm.com/support/pages/node/7246015"}], "sourceIdentifier": "psirt@us.ibm.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-321"}], "source": "psirt@us.ibm.com", "type": "Primary"}]}

{}

{}