The Pakistan Telecommunication Authority (PTA) has issued a cybersecurity advisory concerning multiple vulnerabilities in IBM Cognos Analytics, a widely used data analysis and reporting tool. These vulnerabilities, including cross-site scripting (XSS) issues and improper certificate validation, could be exploited by attackers to compromise systems.
Specifically, the advisory highlights XSS attacks resulting from inadequate validation of column headings within the Cognos Assistant feature. Additionally, issues with improper certificate validation in the IBM Planning Analytics Data Source Connection were identified. These weaknesses could enable remote attackers to execute malicious commands or impersonate trusted entities by manipulating server-to-server communication.
Affected versions include IBM Cognos Analytics 11.2.0 to 11.2.4 and 12.0.0 to 12.0.2. The primary attack vector involves cross-site scripting, with two key vulnerabilities identified as CVE-2024-25041 and CVE-2024-25053. These vulnerabilities pose significant risks, including unauthorized access and potential data breaches.
In response, PTA urges organizations using IBM Cognos Analytics to take immediate action. This includes referring to IBM’s security advisory for patches, upgrades, or workarounds. The advisory strongly recommends keeping systems and software updated with the latest security patches to prevent exploitation of known vulnerabilities. Furthermore, organizations are encouraged to diligently monitor for any suspicious activity and promptly report incidents to PTA through its CERT portal or via email.
This advisory reflects PTA’s ongoing commitment to strengthening cybersecurity in Pakistan and safeguarding critical infrastructure. By addressing these vulnerabilities, PTA aims to mitigate risks and protect organizations that rely on IBM Cognos Analytics for data and business intelligence operations. Failure to address these issues could have severe consequences, including financial losses and reputational damage.