CVE-2025-36132 in Planning Analytics Local

Summary

by MITRE • 09/30/2025

IBM Planning Analytics Local 2.0.0 through 2.0.106 and 2.1.0 through 2.1.13 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.


Analysis

by VulDB Data Team • 09/30/2025

IBM Planning Analytics Local versions 2.0.0 through 2.0.106 and 2.1.0 through 2.1.13 contain a cross-site scripting vulnerability that represents a critical security weakness in the web-based user interface. The vulnerability falls under CWE-79, which covers cross-site scripting flaws in software applications. The flaw occurs because the application fails to properly sanitize user input before rendering it in the web interface, allowing injected JavaScript to execute in the context of a victim's browser session. Attackers who have already obtained authentication credentials can exploit the flaw to inject scripts that manipulate the user interface and potentially steal session cookies or other sensitive information.

The operational impact extends beyond simple script execution, because it lets an attacker alter the intended functionality of the Planning Analytics application. When an authenticated user interacts with the vulnerable system, the injected JavaScript becomes part of the page rendering process, creating a persistent threat that changes how the application behaves for that user. The vulnerability particularly threatens the confidentiality and integrity of user sessions, since it allows credential disclosure within a trusted session context. The attack vector requires authentication, so an attacker must first obtain valid user credentials; once that is achieved, the XSS flaw can be leveraged to escalate privileges and access sensitive planning data.

From a threat modeling perspective, the vulnerability aligns with ATT&CK technique T1059.007, which covers script injection attacks, and specifically targets the web application layer where user interface elements are processed. It represents a significant risk to organizations running IBM Planning Analytics Local, since it can enable session hijacking, data exfiltration, and potentially access to additional system resources through the compromised user session. The affected versions span multiple release streams, indicating that this is likely a widespread issue affecting various deployment scenarios of the platform.

Organizations should immediately implement mitigations: input validation and output encoding for all user-supplied data within the web interface, a proper Content Security Policy to prevent unauthorized script execution, and a thorough security assessment of the application's input handling. The recommended approach also involves deploying a web application firewall that can detect and block script injection attempts, while ensuring that all user input is properly sanitized before being rendered in the browser. Additionally, organizations should enforce strict access controls and multi-factor authentication to reduce the risk of unauthorized access, as the vulnerability requires authentication to exploit. Security updates and patches should be applied promptly to address the vulnerability and prevent exploitation by threat actors.
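As an added illustration of the output-encoding and Content Security Policy mitigations recommended above, the JavaScript below places the unencoded rendering pattern that gives rise to CWE-79 beside an encoded version, and builds a nonce-based CSP header value. This is example code written for this page; it is not IBM's or VulDB's code and says nothing about how Planning Analytics itself renders its UI. The function names, the cell template and the sample label are all constructed for the example.

```javascript
// Added example: HTML output encoding beside the unencoded pattern it replaces,
// plus a restrictive Content-Security-Policy value. Illustrative only; this is
// not IBM Planning Analytics code and makes no claim about its internals.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '/': '&#x2F;',
};

// Encode a value for insertion into an HTML text or quoted-attribute context.
// '&' is encoded too, so text that already looks encoded is shown literally
// rather than being interpreted as an entity.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe pattern (CWE-79): a user-controlled value is concatenated straight
// into markup, in both an attribute context and a text context.
function renderCellUnsafe(label) {
  return `<td class="cell" title="${label}">${label}</td>`;
}

// Hardened pattern: the same template, with the value encoded for both contexts.
function renderCellSafe(label) {
  const safe = escapeHtml(label);
  return `<td class="cell" title="${safe}">${safe}</td>`;
}

// Defense in depth: a CSP that blocks inline script unless it carries the
// per-response nonce. `nonce` is assumed to be a fresh random value generated
// server-side for each page load (hypothetical parameter).
function buildCsp(nonce) {
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    "object-src 'none'",
    "base-uri 'self'",
    "frame-ancestors 'self'",
  ].join('; ');
}

// Constructed sample: a stored cell label containing markup.
const SAMPLE_LABEL = 'Q3 plan <script>alert(1)</script>';

// Compare the two renderings: only the unsafe one still contains a live <script> tag.
function demo() {
  const unsafe = renderCellUnsafe(SAMPLE_LABEL);
  const safe = renderCellSafe(SAMPLE_LABEL);
  return {
    unsafeHasScriptTag: unsafe.includes('<script>'),
    safeHasScriptTag: safe.includes('<script>'),
    safe,
  };
}

console.log(demo());
console.log(buildCsp('r4nd0m'));
```

The encoder is context-specific: it is correct for HTML text and quoted attribute values, but a value placed inside a `<script>` block, a URL, or a CSS property needs a different encoder for that context. The CSP is a second layer, not a substitute for encoding; it limits what an injected script can do if encoding is missed somewhere.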

Responsible

IBM

Reservation

04/15/2025

Disclosure

09/30/2025

Moderation

accepted

CPE

ready

EPSS

0.00021

KEV

no

Activities

very low
