
CVE-2025-36011: CWE-614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in IBM Jazz for Service Management

Severity: Medium
Tags: Vulnerability, CVE-2025-36011, CWE-614
Published: Tue Sep 09 2025 (09/09/2025, 19:32:16 UTC)
Source: CVE Database V5
Vendor/Project: IBM
Product: Jazz for Service Management

Description

IBM Jazz for Service Management 1.1.3.0 through 1.1.3.24 does not set the secure attribute on authorization tokens or session cookies. An attacker may obtain the cookie values by sending an http:// link to a user or by planting such a link in a site the user visits: the browser sends the cookie with the request to the insecure link, and the attacker then reads the cookie value by snooping the traffic.

AI-Powered Analysis

Last updated: 09/09/2025, 19:42:05 UTC

Technical Analysis

CVE-2025-36011 affects IBM Jazz for Service Management versions 1.1.3.0 through 1.1.3.24, which issue authorization tokens and session cookies without the 'Secure' attribute. A cookie that carries Secure is attached by the browser only to requests made over HTTPS (RFC 6265, section 4.1.2.5). A cookie without it is attached to every request that matches the cookie's domain and path, including plain http:// requests, even though the cookie itself was issued over HTTPS.

Exploitation does not require breaking TLS. The attacker only needs the victim's browser to issue one cleartext request to the Jazz host: an http:// link sent to the user, or an http:// URL planted in a page the user visits. A clicked link (a top-level navigation) carries the cookie in every browser; a subresource reference such as an embedded image carries it only where the cookie has no effective SameSite restriction, which is one reason SameSite appears among the mitigations. The browser adds the session cookie to that request, and anyone able to observe the traffic (on the same unsecured Wi-Fi, or anywhere on the network path) reads the value from the request and can replay it to take over the session. The Jazz server does not even need to answer on port 80, because the cookie travels in the request, not in the response. To confirm exposure, log in and inspect the Set-Cookie headers of the login response: every session or authorization cookie should carry Secure.

The weakness is classified as CWE-614 (Sensitive Cookie in HTTPS Session Without 'Secure' Attribute), a common but consequential misconfiguration. The CVSS v3.1 base score is 4.3 (medium): the attack vector is network, no privileges are required, user interaction is required (the victim must follow the link), and the scored impact is limited to confidentiality of the cookie, with no integrity or availability impact. Note that the score reflects the cookie disclosure itself; a hijacked session gives the attacker whatever the victim is authorised to do in the application. No exploitation in the wild was reported as of publication. This entry lists no patch links from IBM, so fix availability must be confirmed against IBM's own advisory.
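The following script shows concretely what the Secure attribute changes. It is an added example, not code from this page or from IBM: it uses Python's http.cookiejar, which applies the same rule as browsers (a Secure cookie is only attached to https:// requests), to store a cookie received from an HTTPS login and then ask which follow-up requests the cookie would be sent with. The host name, the URL paths and the cookie value are constructed for the demonstration.

```python
"""Show the effect of the Secure attribute using http.cookiejar.

Added example, not IBM code. The host jazz.example.com, the paths and the
cookie value are constructed; only the Set-Cookie shapes matter.
"""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request

JAZZ_HTTPS = "https://jazz.example.com/jazz/login"  # where the cookie is issued
JAZZ_HTTP = "http://jazz.example.com/jazz/"         # the attacker's planted link


class _Response:
    """Minimal stand-in for an HTTP response: CookieJar only needs .info()."""

    def __init__(self, set_cookie):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def cookie_header_for(set_cookie, target_url):
    """Store a cookie received over HTTPS, then return the Cookie header the
    jar would attach to a request for target_url (None if it withholds it)."""
    jar = CookieJar()
    login = Request(JAZZ_HTTPS)
    jar.extract_cookies(_Response(set_cookie), login)
    follow_up = Request(target_url)
    jar.add_cookie_header(follow_up)
    return follow_up.get_header("Cookie")


def demo():
    """Compare the vulnerable cookie shape with the hardened one."""
    vulnerable = "JSESSIONID=0000abc123; Path=/; HttpOnly"          # no Secure
    hardened = "JSESSIONID=0000abc123; Path=/; HttpOnly; Secure"    # fixed
    return {
        "vulnerable_over_http": cookie_header_for(vulnerable, JAZZ_HTTP),
        "vulnerable_over_https": cookie_header_for(vulnerable, JAZZ_HTTPS),
        "hardened_over_http": cookie_header_for(hardened, JAZZ_HTTP),
        "hardened_over_https": cookie_header_for(hardened, JAZZ_HTTPS),
    }


if __name__ == "__main__":
    for case, header in demo().items():
        print(f"{case:24s} -> {header}")
```

The vulnerable cookie is returned for both the http:// and the https:// request; the hardened one is returned only for https://, and the http:// request goes out with no Cookie header at all, which is exactly what an on-path observer would see.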

Potential Impact

For European organizations using IBM Jazz for Service Management, this vulnerability poses a risk of session hijacking through interception of session cookies transmitted over insecure HTTP connections. The confidentiality breach could allow attackers to impersonate legitimate users, potentially accessing sensitive service management data, disrupting workflows, or escalating privileges within the application. Given that IBM Jazz for Service Management is often used in IT service management and operational environments, unauthorized access could lead to exposure of internal processes, service tickets, and possibly sensitive customer or operational data. The risk is heightened in environments where users access the service management portal over public or unsecured networks, such as remote work scenarios common in Europe. However, the absence of known exploits and the medium CVSS score suggest the threat is moderate but should not be ignored. Organizations with strict compliance requirements under GDPR must consider the confidentiality implications seriously, as session cookie leakage could constitute a personal data breach if user identities or personal information are accessible via the compromised sessions.

Mitigation Recommendations

1. Serve the IBM Jazz for Service Management portal over HTTPS only, redirect http:// to https://, and publish only https:// URLs in links and integrations. This alone does not close the hole: the attacker supplies the http:// link, and the cookie is already in the request by the time any redirect comes back. Add a Strict-Transport-Security header with a long max-age (and includeSubDomains, plus preload submission where feasible) so that browsers that have seen the site rewrite http:// to https:// before sending anything.
2. Apply IBM's fix that sets the 'Secure' attribute on all session and authorization cookies as soon as it is available. Until then, rewrite cookies at a reverse proxy or WAF in front of the application (for example nginx proxy_cookie_flags or Apache mod_headers editing Set-Cookie) so that every Set-Cookie carries Secure, and verify that the rewrite covers every cookie the application issues, on login and on session renewal alike.
3. Educate users to avoid http:// links to the service management system, especially on untrusted networks. Treat this as a weak control, since the cleartext request can be triggered from a page the user merely visits.
4. Reduce exposure to interception with VPNs and properly secured Wi-Fi for remote and travelling users.
5. Monitor session activity for signs of hijacking, such as the same session identifier used from two source addresses or user agents, or from an unexpected location, and invalidate sessions on suspicion.
6. Enforce a complete cookie policy: HttpOnly to keep scripts away from the value, and SameSite (Lax or Strict) so the browser withholds the cookie from cross-site requests that an attacker's page triggers.
7. Conduct regular security assessments and penetration tests that specifically cover session management controls, including a check of the Set-Cookie headers returned at login.
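The check and the stop-gap rewrite above can be expressed in a few lines. The script below is an added example, not IBM code or a product feature: it audits the Set-Cookie headers of a login response for Secure, HttpOnly and SameSite, checks whether a Strict-Transport-Security header with a year-long max-age is present, and applies the same rewrite a reverse-proxy cookie-flag rule performs. The sample response is constructed, and the cookie names in it (JSESSIONID, authToken) are assumed for illustration, not taken from Jazz for Service Management.

```python
"""Audit Set-Cookie headers and apply the proxy-style hardening rewrite.

Added example, not IBM code. SAMPLE_RESPONSE is constructed and the cookie
names in it are assumptions, not the product's real cookie names.
"""
import re

# Attributes every session or authorization cookie should carry.
REQUIRED = ("secure", "httponly", "samesite")

ONE_YEAR = 31536000  # seconds; the usual minimum max-age for HSTS


def parse_set_cookie(header):
    """Split 'NAME=value; Attr; Attr=value' into (name, value, {attr_lower: value})."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def audit_cookies(set_cookie_headers):
    """Return {cookie name: [missing attributes]}; an empty dict means every
    cookie carries Secure, HttpOnly and SameSite."""
    findings = {}
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        missing = [flag for flag in REQUIRED if flag not in attrs]
        if missing:
            findings[name] = missing
    return findings


def harden(header, samesite="Lax"):
    """Add Secure, HttpOnly and SameSite to one Set-Cookie header while keeping
    the original name, value and attributes. This is what a proxy cookie-flag
    rule does in front of an unpatched application; it is idempotent."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    present = {p.partition("=")[0].strip().lower() for p in parts[1:]}
    if "secure" not in present:
        parts.append("Secure")
    if "httponly" not in present:
        parts.append("HttpOnly")
    if "samesite" not in present:
        parts.append(f"SameSite={samesite}")
    return "; ".join(parts)


def hsts_ok(headers):
    """True if the response carries Strict-Transport-Security with
    max-age >= one year. HSTS complements Secure: it makes the browser
    upgrade an attacker's http:// link before any request leaves."""
    for name, value in headers:
        if name.lower() == "strict-transport-security":
            m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
            return bool(m) and int(m.group(1)) >= ONE_YEAR
    return False


# Constructed login response in the shape the CVE describes: cookies issued
# over HTTPS without Secure, and no HSTS header. Names are hypothetical.
SAMPLE_RESPONSE = [
    ("Content-Type", "text/html;charset=UTF-8"),
    ("Set-Cookie", "JSESSIONID=0000A1b2C3d4; Path=/; HttpOnly"),
    ("Set-Cookie", "authToken=tok-3f9a; Path=/"),
]


def review(headers):
    """Audit a (name, value) header list; return findings and hardened cookies."""
    set_cookies = [v for n, v in headers if n.lower() == "set-cookie"]
    return {
        "missing": audit_cookies(set_cookies),
        "hsts": hsts_ok(headers),
        "hardened": [harden(h) for h in set_cookies],
    }


if __name__ == "__main__":
    result = review(SAMPLE_RESPONSE)
    for name, missing in result["missing"].items():
        print(f"{name}: missing {', '.join(missing)}")
    print("HSTS:", "present" if result["hsts"] else "absent")
    for h in result["hardened"]:
        print("Set-Cookie:", h)
```

Run it against the headers of a real login response (captured with curl -I or the browser's network panel) rather than the constructed sample: an empty "missing" result and hsts True is the state to aim for, and the "hardened" list is what the proxy in front of the portal should be emitting until the application itself is fixed.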


Technical Details

Data Version
5.1
Assigner Short Name
ibm
Date Reserved
2025-04-15T21:16:07.862Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68c082c41d20e9585176cde3

Added to database: 9/9/2025, 7:40:52 PM

Last enriched: 9/9/2025, 7:42:05 PM

Last updated: 9/9/2025, 7:42:05 PM

