Severity
Medium
Analysis Summary
CVE-2025-33005 CVSS:6.3
IBM Planning Analytics Local does not invalidate session after a logout which could allow an authenticated user to impersonate another user on the system.
CVE-2025-33004 CVSS:6.5
IBM Planning Analytics Local could allow a privileged user to delete files from directories due to improper pathname restriction.
CVE-2025-2896 CVSS:4.8
IBM Planning Analytics Local is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVE-2025-25044 CVSS:5.4
IBM Planning Analytics Local is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Impact
- Code Execution
- Gain Access
- Cross-Site Scripting
Indicators of Compromise
CVE
CVE-2025-33005
CVE-2025-33004
CVE-2025-2896
CVE-2025-25044
Affected Vendors
- IBM
Affected Products
- IBM Planning Analytics Local - 2.0
- IBM Planning Analytics Local - 2.1
Remediation
Refer to IBM Security Advisory for patch, upgrade or suggested workaround information.