CVE-2025-36172

03.11.2025, 22:18

IBM Cloud Pak for Business Automation 25.0.0 through 25.0.0 Interim Fix 001, 24.0.1 through 24.0.1 Interim Fix 004, 24.0.0 through 24.0.0 Interim Fix 006, and earlier unsupported releases IBM Business Automation Workflow is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

Cross-site Scripting

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	6.4 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
ibm	CNA	6.4 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 8%

Vendor	Product	Version
ibm	cloud_pak_for_business_automation	24.0.0
ibm	cloud_pak_for_business_automation	24.0.0:interim_fix_001
ibm	cloud_pak_for_business_automation	24.0.0:interim_fix_002
ibm	cloud_pak_for_business_automation	24.0.0:interim_fix_003
ibm	cloud_pak_for_business_automation	24.0.0:interim_fix_004
ibm	cloud_pak_for_business_automation	24.0.0:interim_fix_005
ibm	cloud_pak_for_business_automation	24.0.0:interim_fix_006
ibm	cloud_pak_for_business_automation	24.0.1
ibm	cloud_pak_for_business_automation	24.0.1:interim_fix_001
ibm	cloud_pak_for_business_automation	24.0.1:interim_fix_002
ibm	cloud_pak_for_business_automation	24.0.1:interim_fix_004
ibm	cloud_pak_for_business_automation	25.0.0
ibm	cloud_pak_for_business_automation	25.0.0:interim_fix_001

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

https://www.ibm.com/support/pages/node/7250047