Breaking
18 Apr 2026, Sat

Critical Flaws in IBM Cloud Pak System Allow Malicious HTML Injection


IBM has issued a security bulletin detailing two significant vulnerabilities affecting IBM Cloud Pak System installations.

These flaws could enable attackers to execute malicious code and compromise systems through prototype pollution and HTML injection techniques.

The vulnerabilities, tracked as CVE-2020-5258 and CVE-2025-2895, impact multiple versions of the enterprise software platform.

Technical Vulnerability Analysis

The CVE-2020-5258 vulnerability stems from a prototype pollution flaw in Dojo’s deepCopy method within affected NPM packages.

This allows attackers to inject properties into JavaScript prototype objects, potentially compromising application logic and enabling code execution. Rated at CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), the vulnerability requires no user interaction.
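As an added illustration (not Dojo's deepCopy and not IBM's code), the constructed deep-merge below shows the prototype-pollution defect pattern that CVE-2020-5258 describes, beside a hardened variant that refuses keys reaching the prototype chain; the function names and the sample JSON body are assumptions made here.

```javascript
// Added example (constructed; not Dojo's deepCopy and not IBM's code): a
// minimal deep-merge with the prototype-pollution defect, and a hardened one.

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Vulnerable pattern: every key of src is merged, including "__proto__". For a
// plain dst, dst["__proto__"] is Object.prototype, so the recursion writes there.
function naiveDeepMerge(dst, src) {
  for (const key of Object.keys(src)) {
    const val = src[key];
    if (isPlainObject(val)) {
      if (!isPlainObject(dst[key])) dst[key] = {};
      naiveDeepMerge(dst[key], val);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

// Hardened: drop prototype-reaching keys and only descend into own properties.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);
function safeDeepMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const val = src[key];
    if (isPlainObject(val)) {
      const own = Object.prototype.hasOwnProperty.call(dst, key);
      if (!own || !isPlainObject(dst[key])) dst[key] = {};
      safeDeepMerge(dst[key], val);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

// Runs one merge against a constructed untrusted JSON body (JSON.parse makes
// "__proto__" an ordinary own key) and reports what a fresh object inherits.
function pollutionCheck(merge) {
  const untrusted = JSON.parse('{"__proto__": {"polluted": "yes"}}');
  merge({}, untrusted);
  const leaked = ({}).polluted; // undefined unless Object.prototype was written
  delete Object.prototype.polluted; // restore global state after the check
  return leaked;
}
```

Running `pollutionCheck` with each implementation is a quick regression test for any deep-copy or merge helper that accepts untrusted input.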

Simultaneously, CVE-2025-2895 exposes systems to HTML injection attacks (CVSS 5.4: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).

This vulnerability permits remote attackers to inject malicious HTML that executes within victims’ browsers when viewed, effectively enabling cross-site scripting (XSS) attacks within the application’s security context.

Both vulnerabilities are classified as improper neutralization of input: CWE-94 for code injection and CWE-80 for basic XSS.

Affected Product Versions

Platform   Vulnerable Versions
Power      2.3.3.7, 2.3.3.7 iFix1, 2.3.5.0
Intel      2.3.3.6, 2.3.3.6 iFix1, 2.3.4.0, 2.3.4.1, 2.3.4.1 iFix1

The IBM Cloud Pak System Software Suite version 2.3.4.1 and its subsequent iFix are also confirmed vulnerable.

These vulnerabilities specifically impact the JavaScript implementation within the affected IBM Cloud Pak System deployments.

Remediation and Upgrade Paths

IBM mandates immediate upgrades to mitigate risks.

For Intel-based systems, upgrade to v2.3.6.0, available via IBM Fix Central or Passport Advantage Online.

Power systems require direct engagement with IBM Support for patching.

No viable workarounds exist, making version upgrades the only effective mitigation against potential exploitation.

Organizations using unsupported versions must transition to supported releases immediately.

IBM has closed related APARs (JR62851, JR62922) as program errors following vulnerability resolution.

The bulletin emphasizes that failure to patch could enable remote code execution and client-side attacks through manipulated web content.


The post Critical Flaws in IBM Cloud Pak System Allow Malicious HTML Injection appeared first on Cyber Security News.
