Client-Side Desync Vulnerability in IBM Cognos Controller
CVE-2022-39163
4.7 MEDIUM
What is CVE-2022-39163?
IBM Cognos Controller versions 11.0.0 through 11.1.0 are susceptible to a Client-Side Desync (CSD) attack. In a CSD attack the victim's browser is tricked into sending a request that the server parses differently from how the browser framed it, leaving the browser's connection to the server desynchronized; a remote attacker who exploits this could then cause the browser to execute cross-site scripting (XSS) payloads. Malicious actors can use this to manipulate the user's session or inject harmful scripts, compromising sensitive user data and application integrity.
Affected Version(s)
Cognos Controller 11.0.0 through 11.0.1
Cognos Controller 11.1.0
References
CVSS V3.1
Score: 4.7
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Changed
Timeline
Vulnerability published
Vulnerability reserved