CVE-2025-36011: CWE-614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in IBM Jazz for Service Management
IBM Jazz for Service Management 1.1.3.0 through 1.1.3.24 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending an http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.
AI Analysis
Technical Summary
CVE-2025-36011 is a medium-severity vulnerability affecting IBM Jazz for Service Management versions 1.1.3.0 through 1.1.3.24. The issue arises because the application does not set the 'Secure' attribute on authorization tokens or session cookies. The 'Secure' attribute is a flag that instructs browsers to only send cookies over HTTPS connections, preventing them from being transmitted over unencrypted HTTP links. Without this attribute, cookies containing sensitive session or authorization information can be sent over insecure HTTP connections if a user follows an HTTP link or visits a site that forces HTTP requests. An attacker can exploit this by tricking users into clicking on crafted HTTP links or by embedding such links in websites the user visits. When the browser sends the cookie over HTTP, the attacker can intercept the cookie value by network traffic sniffing, potentially leading to session hijacking or unauthorized access. This vulnerability is classified under CWE-614, which concerns sensitive cookies being transmitted without the 'Secure' attribute, exposing them to interception. The CVSS 3.1 base score is 4.3 (medium), reflecting that the attack vector is network-based, requires no privileges, but does require user interaction (clicking a malicious link). The impact is limited to confidentiality loss of session cookies, with no direct impact on integrity or availability. No known exploits are currently reported in the wild, and no official patches have been linked yet. However, the vulnerability poses a risk to the confidentiality of user sessions in environments where IBM Jazz for Service Management is deployed, especially if users can be socially engineered to click on malicious HTTP links.
Potential Impact
For European organizations using IBM Jazz for Service Management, this vulnerability could lead to unauthorized access to service management sessions if attackers successfully intercept session cookies. This could compromise sensitive operational data, disrupt service management workflows, or allow attackers to impersonate legitimate users. Given that IBM Jazz for Service Management is often used in IT service and asset management, unauthorized access could expose internal processes and sensitive information. The confidentiality breach could also lead to compliance issues under GDPR, as unauthorized access to personal or operational data may constitute a data breach. The risk is heightened in mixed HTTP/HTTPS environments, where users frequently reach the service over plain HTTP, or where users can be tricked into clicking HTTP links. However, the lack of known exploits and the medium severity score suggest the threat is moderate but should not be ignored. Organizations with remote or mobile users who might access the service from less secure networks are particularly at risk.
Mitigation Recommendations
To mitigate this vulnerability, organizations should:
1) Immediately review and update IBM Jazz for Service Management to the latest version once IBM releases a patch that sets the 'Secure' attribute on cookies.
2) Enforce strict HTTPS usage by configuring web servers and application gateways to redirect all HTTP traffic to HTTPS, preventing cookies from being sent over insecure channels.
3) Implement HTTP Strict Transport Security (HSTS) headers to ensure browsers only connect via HTTPS.
4) Educate users about the risks of clicking on untrusted HTTP links and encourage vigilance against phishing attempts.
5) Monitor network traffic for unusual HTTP requests that might indicate attempts to exploit this vulnerability.
6) Consider deploying web application firewalls (WAFs) that can detect and block suspicious HTTP traffic targeting the service.
7) Review session management policies to limit session duration and implement additional authentication factors to reduce the impact of stolen cookies.
These steps go beyond generic advice by focusing on enforcing HTTPS usage and user awareness to prevent cookie leakage.
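As an added illustration of the cookie-attribute check behind CWE-614 and of the HTTPS-enforcement advice above (example code written for this page, not IBM's or the product's own), the following audit flags session-like cookies issued without Secure, HttpOnly or SameSite and notes a missing HSTS header. The cookie names, header lines and the SENSITIVE_HINTS list are constructed assumptions.

```python
# Audit HTTP response headers for CWE-614 (session cookie without 'Secure').
# Added example for this advisory, not IBM code; cookie names, header lines and
# the SENSITIVE_HINTS list below are constructed/assumed for illustration.
SENSITIVE_HINTS = ("session", "auth", "token", "sid")  # assumed markers of session/auth cookies

def is_sensitive(cookie_name: str) -> bool:
    name = cookie_name.lower()
    return any(hint in name for hint in SENSITIVE_HINTS)

def parse_set_cookie(value: str) -> tuple:
    """Return (cookie name, set of lower-cased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs

def audit_response(headers: list) -> dict:
    """Map each sensitive cookie to a list of issues (empty list means clean).
    A missing Strict-Transport-Security header is reported under '__hsts__'."""
    findings, hsts_seen = {}, False
    for header, value in headers:
        key = header.lower()
        if key == "strict-transport-security":
            hsts_seen = True
        elif key == "set-cookie":
            cookie, attrs = parse_set_cookie(value)
            if not is_sensitive(cookie):
                continue  # e.g. a UI preference cookie: out of scope for CWE-614
            issues = []
            if "secure" not in attrs:
                issues.append("missing Secure: sent over plain http:// links (CWE-614)")
            if "httponly" not in attrs:
                issues.append("missing HttpOnly: readable by page scripts")
            if "samesite" not in attrs:
                issues.append("missing SameSite: sent on cross-site requests")
            findings[cookie] = issues
    if not hsts_seen:
        findings["__hsts__"] = ["missing Strict-Transport-Security: browser will not auto-upgrade http:// links"]
    return findings

# Constructed sample responses: the advisory's failure mode and the hardened form.
VULNERABLE = [("Set-Cookie", "JSESSIONID=abc123; Path=/; HttpOnly"),
              ("Set-Cookie", "authToken=tok456; Path=/"),
              ("Set-Cookie", "theme=dark; Path=/")]
HARDENED = [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
            ("Set-Cookie", "JSESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
            ("Set-Cookie", "authToken=tok456; Path=/; Secure; HttpOnly; SameSite=Strict"),
            ("Set-Cookie", "theme=dark; Path=/")]
```

HSTS only takes effect after a browser has already received the header over HTTPS, so the Secure attribute on the cookie itself remains the primary control; HSTS and the HTTP-to-HTTPS redirect are defence in depth.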
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: ibm
- Date Reserved: 2025-04-15T21:16:07.862Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 68c082c41d20e9585176cde3
Added to database: 9/9/2025, 7:40:52 PM
Last enriched: 9/17/2025, 1:04:55 AM
Last updated: 10/29/2025, 11:22:50 PM