IBM has issued a security bulletin detailing two significant vulnerabilities affecting IBM Cloud Pak System installations.
These flaws could enable attackers to execute malicious code and compromise systems through prototype pollution and HTML injection techniques.
The vulnerabilities, tracked as CVE-2020-5258 and CVE-2025-2895, impact multiple versions of the enterprise software platform.
The CVE-2020-5258 vulnerability stems from a prototype pollution flaw in Dojo’s deepCopy method within affected NPM packages.
This allows attackers to inject properties into JavaScript prototype objects, potentially compromising application logic and enabling code execution. Rated at CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), this exploit requires no user interaction.
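To make the mechanism concrete, the following added example (not IBM's, Dojo's, or the bulletin's code) shows a naive recursive deep copy of the kind the CVE describes beside a hardened version. The untrusted JSON input, the function names and the `polluted` marker key are all constructed for illustration. The point a defender should take away: a recursive merge that walks every key of its input, including `__proto__`, will write onto `Object.prototype`, and the fix is to copy own keys only and refuse the keys that reach the prototype chain.

```javascript
// Added example, not code from IBM Cloud Pak System or the Dojo toolkit.
// Shows why a naive recursive deep copy is vulnerable to prototype pollution
// and what the hardened version checks.

// Constructed untrusted input: JSON.parse turns the "__proto__" key into an
// ordinary own, enumerable property of the parsed object.
const UNTRUSTED_JSON = '{"name":"report","__proto__":{"polluted":true}}';

// Vulnerable pattern: walks every key, including "__proto__", and when the
// target has no own object under that key it recurses into the inherited
// one, i.e. into Object.prototype itself.
function naiveDeepCopy(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      naiveDeepCopy(target[key], value); // target["__proto__"] is Object.prototype
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Keys that, if traversed, let input reach the prototype chain.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened pattern: own enumerable keys only, dangerous keys skipped, and a
// nested target is only reused when it is an *own* plain object.
function safeDeepCopy(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const ownsPlainObject =
        Object.prototype.hasOwnProperty.call(target, key) &&
        target[key] !== null &&
        typeof target[key] === 'object';
      if (!ownsPlainObject) target[key] = {};
      safeDeepCopy(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs one copy function over the constructed input and reports whether a
// brand-new, unrelated object now carries the marker key (i.e. whether the
// shared prototype was polluted). Cleans up so runs do not contaminate each other.
function runDeepCopy(copyFn) {
  const source = JSON.parse(UNTRUSTED_JSON);
  const result = copyFn({}, source);
  const probe = {};
  const polluted = probe.polluted === true;
  delete Object.prototype.polluted;
  return { polluted, copiedName: result.name };
}

console.log('naive:', runDeepCopy(naiveDeepCopy)); // { polluted: true,  copiedName: 'report' }
console.log('safe: ', runDeepCopy(safeDeepCopy));  // { polluted: false, copiedName: 'report' }
```

The `BLOCKED_KEYS` check alone is not sufficient in every merge implementation; the `ownsPlainObject` test matters too, because reusing an inherited object as the recursion target is exactly how the naive version reaches `Object.prototype` without ever assigning to `__proto__` directly.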
Simultaneously, CVE-2025-2895 exposes systems to HTML injection attacks (CVSS 5.4: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).
This vulnerability permits remote attackers to inject malicious HTML that executes within victims’ browsers when viewed, effectively enabling cross-site scripting (XSS) attacks within the application’s security context.
Both vulnerabilities stem from improper input neutralization – CWE-94 for code injection and CWE-80 for basic XSS.
| Platform | Vulnerable Versions |
|---|---|
| Power | 2.3.3.7, 2.3.3.7 iFix1, 2.3.5.0 |
| Intel | 2.3.3.6, 2.3.3.6 iFix1, 2.3.4.0, 2.3.4.1, 2.3.4.1 iFix1 |
The IBM Cloud Pak System Software Suite version 2.3.4.1 and its subsequent iFix are also confirmed vulnerable.
These vulnerabilities specifically impact the JavaScript implementation within the affected IBM Cloud Pak System deployments.
IBM mandates immediate upgrades to mitigate risks.
For Intel-based systems, upgrade to v2.3.6.0 available via IBM Fix Central or Passport Advantage Online.
Power systems require direct engagement with IBM Support for patching.
No viable workarounds exist, making version upgrades the only effective mitigation against potential exploitation.
Organizations using unsupported versions must transition to supported releases immediately.
IBM has closed related APARs (JR62851, JR62922) as program errors following vulnerability resolution.
The bulletin emphasizes that failure to patch could enable remote code execution and client-side attacks through manipulated web content.
The post Critical Flaws in IBM Cloud Pak System Allow Malicious HTML Injection appeared first on Cyber Security News.