CVE-2025-3633 Overview
CVE-2025-3633 is a stored cross-site scripting (XSS) vulnerability affecting IBM Cognos Analytics and IBM Cognos Transformer. The flaw exists in the web user interface and allows a remote authenticated attacker to inject arbitrary JavaScript code. Successful exploitation can alter the intended functionality of the application and lead to credential disclosure within a trusted user session. The issue is tracked under CWE-79: Improper Neutralization of Input During Web Page Generation.
Critical Impact
Authenticated attackers can inject JavaScript into the Cognos web interface to hijack trusted sessions and exfiltrate credentials from victim users interacting with the affected analytics platform.
Affected Products
- IBM Cognos Analytics 11.2.0, 11.2.4, 12.0, and 12.1.0
- IBM Cognos Transformer 11.2.4, 12.0, and 12.1.0
- Web user interface components of the above versions
Discovery Timeline
- 2026-05-27 - CVE-2025-3633 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2025-3633
Vulnerability Analysis
The vulnerability stems from improper neutralization of user-supplied input rendered within the Cognos Analytics and Cognos Transformer web user interface. An authenticated attacker with low privileges can submit crafted input that is later reflected or stored in the UI without adequate output encoding. When another user loads the affected page, the injected JavaScript executes in the victim's browser under the origin of the Cognos application.
Because the attack changes the security scope to other components and the user interface, the impact extends beyond the attacker's own session. The injected script runs with the privileges of the targeted user and can interact with any data accessible to that session, including report parameters, dashboard content, and authentication tokens.
Root Cause
The root cause is missing or insufficient sanitization of input fields that are subsequently rendered in an HTML or JavaScript context in the Cognos web interface. The application fails to apply context-aware output encoding before placing untrusted data into the rendered page, which classifies the defect under CWE-79.
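The context-aware encoding the paragraph above calls for, shown as an added example (not Cognos code and not IBM's fix): a "before" renderer that concatenates a stored text value raw into three output contexts, beside an "after" renderer that picks an encoder per context. The rendering functions, the sample value and the checker are hypothetical.

```python
import html
import json

# Constructed sample of an untrusted value a low-privileged author could
# store in a text field (hypothetical; not a Cognos-specific payload).
SAMPLE_VALUE = '"><img src=x onerror=alert(1)>'

def render_unsafe(label: str) -> str:
    """'Before': the stored value is concatenated raw into an attribute,
    into element text and into a JavaScript string (the CWE-79 defect)."""
    return (f'<span title="{label}">{label}</span>'
            f'<script>var label = "{label}";</script>')

def encode_html_text(value: str) -> str:
    """Element-content context: neutralise & < > (and quotes, harmlessly)."""
    return html.escape(value, quote=True)

def encode_html_attr(value: str) -> str:
    """Quoted-attribute context: quotes must be encoded too, otherwise the
    value can close the attribute and append a new one such as onerror=."""
    return html.escape(value, quote=True)

def encode_js_string(value: str) -> str:
    """JavaScript string-literal context: JSON-encode, then escape < and >
    so a '</script>' inside the literal cannot terminate the script block."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")

def render_safe(label: str) -> str:
    """'After': the same page, with the encoder chosen by output context."""
    return (f'<span title="{encode_html_attr(label)}">'
            f'{encode_html_text(label)}</span>'
            f'<script>var label = {encode_js_string(label)};</script>')

def tags_injected(render, value: str) -> int:
    """How many '<' characters the untrusted value added to the page,
    relative to rendering an empty value through the same function."""
    return render(value).count("<") - render("").count("<")
```

Running both renderers over the sample value shows the unsafe path introducing new markup three times (once per context) and the safe path introducing none.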
Attack Vector
Exploitation requires network access to the Cognos web interface, an authenticated low-privileged account, and user interaction from a victim. The attacker stores or delivers malicious payload content through a vulnerable input vector. When a victim views the affected resource, the payload executes and can exfiltrate session cookies, anti-CSRF tokens, or stored credentials to an attacker-controlled endpoint.
No public proof-of-concept exploit code is available at this time. Refer to the IBM Support Page for vendor-specific technical details.
Detection Methods for CVE-2025-3633
Indicators of Compromise
- Unexpected <script> tags, javascript: URIs, or event-handler attributes (onerror, onload) stored in Cognos report metadata, dashboard objects, or user-controlled fields.
- Outbound HTTP requests from user browsers to unfamiliar domains immediately after loading Cognos pages.
- Anomalous session token usage from IP addresses that differ from the legitimate user's location.
Detection Strategies
- Review Cognos application logs for input submissions containing HTML or JavaScript syntax in fields that should accept only plain text.
- Inspect stored report definitions, prompt values, and dashboard widgets for embedded script payloads.
- Deploy a web application firewall (WAF) rule set to flag XSS patterns targeting Cognos endpoints.
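A scanner for the indicators listed above, as an added example (not an IBM tool): it walks an export of stored report, dashboard and prompt objects, decodes common URL and HTML-entity encodings first so that obfuscated values are not missed, and reports which indicator matched. The object layout, field names and sample records are constructed for the example.

```python
import html
import re
import urllib.parse

# Triage patterns for the indicators above: script tags, javascript: URIs and
# inline event-handler attributes. Case and whitespace variants are tolerated.
XSS_INDICATORS = {
    "script_tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    "javascript_uri": re.compile(r"javascript\s*:", re.IGNORECASE),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),
}

def normalize(value: str) -> str:
    """Undo encodings a stored field commonly passes through before render:
    URL percent-encoding and HTML entities (two rounds catch double encoding);
    NUL bytes are dropped because some naive filters ignore them."""
    for _ in range(2):
        value = html.unescape(urllib.parse.unquote(value))
    return value.replace("\x00", "")

def scan_field(value: str) -> list:
    """Names of the indicators that match one stored field value."""
    decoded = normalize(value)
    return [name for name, rx in XSS_INDICATORS.items() if rx.search(decoded)]

def scan_objects(objects: list) -> list:
    """objects: dicts shaped {"id", "type", "fields": {name: value}}.
    Returns one finding per (object, field) that matched an indicator."""
    findings = []
    for obj in objects:
        for field, value in obj["fields"].items():
            hits = scan_field(str(value))
            if hits:
                findings.append({"id": obj["id"], "type": obj["type"],
                                 "field": field, "indicators": hits})
    return findings

# Constructed sample export of stored objects (hypothetical, not real data).
SAMPLE_OBJECTS = [
    {"id": "rpt-001", "type": "report",
     "fields": {"name": "Quarterly Sales", "description": "Totals by region"}},
    {"id": "rpt-002", "type": "report",
     "fields": {"name": "Q2 <ScRiPt >alert(1)</script>", "description": "x"}},
    {"id": "dash-007", "type": "dashboard",
     "fields": {"link": "%6Aavascript:alert(1)"}},          # percent-encoded
    {"id": "prm-003", "type": "prompt",
     "fields": {"value": "&lt;img src=x onerror=alert(1)&gt;"}},  # entities
    {"id": "prm-004", "type": "prompt",
     "fields": {"value": "Region = North, ongoing review = yes"}},  # benign
]
```

The event-handler pattern is deliberately broad and will flag some benign text such as "turn on = yes", so treat matches as triage leads rather than confirmed compromise.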
Monitoring Recommendations
- Enable verbose audit logging on Cognos Analytics and forward events to a centralized SIEM for correlation.
- Monitor authentication events for session reuse across geographically distant sources following Cognos UI access.
- Track Content-Security-Policy (CSP) violation reports if CSP headers are configured on the Cognos deployment.
How to Mitigate CVE-2025-3633
Immediate Actions Required
- Apply the security update referenced in the IBM Support Page to all affected Cognos Analytics and Cognos Transformer instances.
- Restrict access to the Cognos web interface to trusted network segments where feasible.
- Audit existing report and dashboard content for previously injected payloads and remove malicious entries.
Patch Information
IBM has published remediation guidance and fixed versions for affected Cognos Analytics 11.2.0, 11.2.4, 12.0, and 12.1.0 releases, as well as the corresponding Cognos Transformer versions. Administrators should consult the IBM Support Page for the exact fix pack and version numbers applicable to their deployment.
Workarounds
- Enforce a strict Content-Security-Policy header to limit inline script execution on Cognos pages until patches are applied; stage it first with the Content-Security-Policy-Report-Only header, because a policy that blocks inline scripts can also break legitimate UI functionality.
- Reduce the number of accounts with content authoring privileges to limit the attacker pool capable of storing payloads.
- Require re-authentication for sensitive operations to reduce the value of hijacked sessions.
# Example Content-Security-Policy header for reverse proxy fronting Cognos
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'self'; base-uri 'self';";
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.