IBM Planning Analytics Workspace Vulnerabilities Advisory: XSS, Session Fixation, Path Traversal (CVE-2025-2896, 3305, 2504, 23004)

Critical Vulnerability Information Vulnerability Overview IBM Planning Analytics Workspace is affected by multiple vulnerabilities, including Cross-Site Scripting (XSS), path traversal, and session fixation. Vulnerability Details CVE-2025-2896 - Description: IBM Planning Analytics Local contains a Cross-Site Scripting vulnerability that allows authorized users to inject arbitrary JavaScript code into the Web UI. - CVSS Score: 4.8 (Low) - CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:S/SC:L/IA:N) CVE-2025-3305 - Description: IBM Planning Analytics Local does not invalidate sessions after expiration, potentially leading to session hijacking. - CVSS Score: 6.3 (Medium) - CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L) CVE-2024-7892 - Description: The http.cookies standard library module in CPython has a low-severity impact; it uses a quadratic-time algorithm when parsing cookie values containing backslashes, leading to excessive CPU resource consumption. - CVSS Score: 7.5 (High) - CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:A/A:H) CVE-2025-2504 - Description: IBM Planning Analytics Local contains a Cross-Site Scripting vulnerability that allows authorized users to inject arbitrary JavaScript code into the Web UI. - CVSS Score: 5.4 (Medium) - CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) CVE-2025-23004 - Description: IBM Planning Analytics Local allows privileged users to delete files in directories, thereby bypassing path restrictions. - CVSS Score: 6.5 (Medium) - CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H) Affected Products and Versions IBM Planning Analytics Local - IBM Planning Analytics Workspace v2.1 IBM Planning Analytics Local - IBM Planning Analytics Workspace v2.0 Remediation IBM Planning Analytics Local 2.1.11 has been released and is available for download from Fix Central. IBM Planning Analytics Local v2.0.0 Planning Analytics Release 104 is available for download from Fix Central. Workarounds and Mitigations None Related Information IBM Secure Engineering Web Portal IBM Product Security Incident Response Blog

Goal Reached Thanks to every supporter — we hit 100%!

IBM Planning Analytics Workspace Vulnerabilities Advisory: XSS, Session Fixation, Path Traversal (CVE-2025-2896, 3305, 2504, 23004)