CVE-2025-36375
Medium
Low
Medium
High
Critical
6.5
CVSS Score
Vulnerability Description
IBM DataPower Gateway 10.6CD 10.6.1.0 through 10.6.5.0 and IBM DataPower Gateway 10.5.0 10.5.0.0 through 10.5.0.20 and IBM DataPower Gateway 10.6.0 10.6.0.0 through 10.6.0.8 IBM DataPower Gateway is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.
CVSS Metrics
Common Vulnerability Scoring System
Vector String:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack Vector
N
Attack Complexity
L
Privileges Required
N
User Interaction
R
Scope
U
Confidentiality
N
Integrity
H
Availability
N
Known Affected Software
3 configuration(s) from 1 vendor(s)
datapower_gateway
Version:
10.5.0.0
CPE:
cpe:2.3:a:ibm:datapower_gateway:10.5.0.0:*:*:*:*:*:*:*
datapower_gateway
Version:
10.5.0.1
CPE:
cpe:2.3:a:ibm:datapower_gateway:10.5.0.1:*:*:*:continuous_delivery:*:*:*
datapower_gateway
Version:
10.5.0.2
CPE:
cpe:2.3:a:ibm:datapower_gateway:10.5.0.2:*:*:*:*:*:*:*
This vulnerability affects 3 software configuration(s). Ensure you patch all affected systems.
References & Resources
Severity Details
6.5
out of 10.0
Medium
Weakness Type (CWE)
CWE-352
Top 25 #4
Cross-Site Request Forgery (CSRF)
- Description
- The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
- Exploit Likelihood
- Medium
- Typical Severity
- High
- OWASP Top 10
- A01:2021-Broken Access Control
- Abstraction Level
- Compound
Key Information
- Published Date
- April 01, 2026
