cvelistv5 - cve-2025-36172

CVE-2025-36172 (GCVE-0-2025-36172)

Vulnerability from cvelistv5 – Published: 2025-11-03 21:18 – Updated: 2025-11-03 21:41

Summary

IBM Cloud Pak for Business Automation 25.0.0 through 25.0.0 Interim Fix 001, 24.0.1 through 24.0.1 Interim Fix 004, 24.0.0 through 24.0.0 Interim Fix 006, and earlier unsupported releases IBM Business Automation Workflow is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

Severity ?

6.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

ibm

References

URL

Tags

https://www.ibm.com/support/pages/node/7250047

vendor-advisorypatch

Impacted products

	Vendor	Product	Version
	IBM	Cloud Pak for Business Automation	Affected: 25.0.0 , ≤ 25.0.0 Interim Fix 001 (semver) Affected: 24.0.1 , ≤ 24.0.1 Interim Fix 004 (semver) Affected: 24.0.0 , ≤ 24.0.0 Interim Fix 006 (semver) cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.1:::::::* cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.1:interim_fix_004:::::: cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.0:::::::* cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.0:interim_fix_006:::::: cpe:2.3:a:ibm:cloud_pak_for_business_automation:25.0.0:::::::* cpe:2.3:a:ibm:cloud_pak_for_business_automation:25.0.0:interim_fix_001::::::

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-36172",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-03T21:41:35.325568Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-03T21:41:45.434Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.1:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.1:interim_fix_004:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.0:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.0:interim_fix_006:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:cloud_pak_for_business_automation:25.0.0:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:cloud_pak_for_business_automation:25.0.0:interim_fix_001:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "product": "Cloud Pak for Business Automation",
          "vendor": "IBM",
          "versions": [
            {
              "lessThanOrEqual": "25.0.0 Interim Fix 001",
              "status": "affected",
              "version": "25.0.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "24.0.1 Interim Fix 004",
              "status": "affected",
              "version": "24.0.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "24.0.0 Interim Fix 006",
              "status": "affected",
              "version": "24.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIBM Cloud Pak for Business Automation 25.0.0 through 25.0.0 Interim Fix 001, 24.0.1 through 24.0.1 Interim Fix 004, 24.0.0 through 24.0.0 Interim Fix 006, and earlier unsupported releases IBM Business Automation Workflow is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.\u003c/p\u003e"
            }
          ],
          "value": "IBM Cloud Pak for Business Automation 25.0.0 through 25.0.0 Interim Fix 001, 24.0.1 through 24.0.1 Interim Fix 004, 24.0.0 through 24.0.0 Interim Fix 006, and earlier unsupported releases IBM Business Automation Workflow is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-03T21:18:09.139Z",
        "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "shortName": "ibm"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://www.ibm.com/support/pages/node/7250047"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eRemediation/Fixes Affected Product(s) Version(s) Remediation / Fix IBM Cloud Pak for Business Automation V25.0.0 - V25.0.0-IF001 Apply security fix 25.0.0-IF002 IBM Cloud Pak for Business Automation V24.0.1 - V24.0.1-IF004 Upgrade and apply security fix 24.0.1-IF005 IBM Cloud Pak for Business Automation V24.0.0 - V24.0.0-IF006 Apply security fix 24.0.0-IF007 IBM Cloud Pak for Business Automation earlier unsupported releases Upgrade to 24.0.0-IF007 or 24.0.1-IF005 or 25.0.0-IF002 \u003c/p\u003e"
            }
          ],
          "value": "Remediation/Fixes Affected Product(s) Version(s) Remediation / Fix IBM Cloud Pak for Business Automation V25.0.0 - V25.0.0-IF001 Apply security fix 25.0.0-IF002 IBM Cloud Pak for Business Automation V24.0.1 - V24.0.1-IF004 Upgrade and apply security fix 24.0.1-IF005 IBM Cloud Pak for Business Automation V24.0.0 - V24.0.0-IF006 Apply security fix 24.0.0-IF007 IBM Cloud Pak for Business Automation earlier unsupported releases Upgrade to 24.0.0-IF007 or 24.0.1-IF005 or 25.0.0-IF002"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for 24.0.0-IF007, 24.0.1-IF005 and 25.0.0-IF002",
      "x_generator": {
        "engine": "ibm-cvegen"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
    "assignerShortName": "ibm",
    "cveId": "CVE-2025-36172",
    "datePublished": "2025-11-03T21:18:09.139Z",
    "dateReserved": "2025-04-15T21:16:22.577Z",
    "dateUpdated": "2025-11-03T21:41:45.434Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-36172\",\"sourceIdentifier\":\"psirt@us.ibm.com\",\"published\":\"2025-11-03T22:18:51.097\",\"lastModified\":\"2025-11-05T18:42:42.023\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"IBM Cloud Pak for Business Automation 25.0.0 through 25.0.0 Interim Fix 001, 24.0.1 through 24.0.1 Interim Fix 004, 24.0.0 through 24.0.0 Interim Fix 006, and earlier unsupported releases IBM Business Automation Workflow is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"psirt@us.ibm.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N\",\"baseScore\":6.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.1,\"impactScore\":2.7},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"psirt@us.ibm.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"EF879B84-21B0-4FD4-AD2E-7F29EBDD218A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.0:interim_fix_001:*:*:*:*:*:*\",\"matchCriteriaId\":\"496D1A48-3403-471F-AD07-AEC7E5000AD8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.0:interim_fix_002:*:*:*:*:*:*\",\"matchCriteriaId\":\"AA215EC3-DDFE-494D-862C-35CA30D9BEDE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.0:interim_fix_003:*:*:*:*:*:*\",\"matchCriteriaId\":\"969ED94C-DB65-482F-B8B8-251B56DE264D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.0:interim_fix_004:*:*:*:*:*:*\",\"matchCriteriaId\":\"D1810412-5987-4F53-A81E-096A4F0187B5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.0:interim_fix_005:*:*:*:*:*:*\",\"matchCriteriaId\":\"9CC01202-3D62-4544-BE9C-47300063896E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.0:interim_fix_006:*:*:*:*:*:*\",\"matchCriteriaId\":\"23966701-9B59-4CF9-9425-2C029318BF5C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.1:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"F68528C5-034B-4B2C-8745-B969B14B52C5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.1:interim_fix_001:*:*:*:*:*:*\",\"matchCriteriaId\":\"EADE80E3-4E60-4154-A559-93E2325D799A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.1:interim_fix_002:*:*:*:*:*:*\",\"matchCriteriaId\":\"D01FC35C-29F1-4D57-8804-07A5C1E9EA85\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.1:interim_fix_004:*:*:*:*:*:*\",\"matchCriteriaId\":\"4D682E4B-DA22-4F88-A38F-76FF080AE0B5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:25.0.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"70431A72-663D-432E-9D94-5BBE380E06AB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:25.0.0:interim_fix_001:*:*:*:*:*:*\",\"matchCriteriaId\":\"33128B64-7030-4A4E-8EF2-E285AF44F99F\"}]}]}],\"references\":[{\"url\":\"https://www.ibm.com/support/pages/node/7250047\",\"source\":\"psirt@us.ibm.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-36172\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-11-03T21:41:35.325568Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-11-03T21:41:38.651Z\"}}], \"cna\": {\"title\": \"Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for 24.0.0-IF007, 24.0.1-IF005 and 25.0.0-IF002\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 6.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.1:*:*:*:*:*:*:*\", \"cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.1:interim_fix_004:*:*:*:*:*:*\", \"cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.0:*:*:*:*:*:*:*\", \"cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.0:interim_fix_006:*:*:*:*:*:*\", \"cpe:2.3:a:ibm:cloud_pak_for_business_automation:25.0.0:*:*:*:*:*:*:*\", \"cpe:2.3:a:ibm:cloud_pak_for_business_automation:25.0.0:interim_fix_001:*:*:*:*:*:*\"], \"vendor\": \"IBM\", \"product\": \"Cloud Pak for Business Automation\", \"versions\": [{\"status\": \"affected\", \"version\": \"25.0.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"25.0.0 Interim Fix 001\"}, {\"status\": \"affected\", \"version\": \"24.0.1\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"24.0.1 Interim Fix 004\"}, {\"status\": \"affected\", \"version\": \"24.0.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"24.0.0 Interim Fix 006\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Remediation/Fixes Affected Product(s) Version(s) Remediation / Fix IBM Cloud Pak for Business Automation V25.0.0 - V25.0.0-IF001 Apply security fix 25.0.0-IF002 IBM Cloud Pak for Business Automation V24.0.1 - V24.0.1-IF004 Upgrade and apply security fix 24.0.1-IF005 IBM Cloud Pak for Business Automation V24.0.0 - V24.0.0-IF006 Apply security fix 24.0.0-IF007 IBM Cloud Pak for Business Automation earlier unsupported releases Upgrade to 24.0.0-IF007 or 24.0.1-IF005 or 25.0.0-IF002\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eRemediation/Fixes Affected Product(s) Version(s) Remediation / Fix IBM Cloud Pak for Business Automation V25.0.0 - V25.0.0-IF001 Apply security fix 25.0.0-IF002 IBM Cloud Pak for Business Automation V24.0.1 - V24.0.1-IF004 Upgrade and apply security fix 24.0.1-IF005 IBM Cloud Pak for Business Automation V24.0.0 - V24.0.0-IF006 Apply security fix 24.0.0-IF007 IBM Cloud Pak for Business Automation earlier unsupported releases Upgrade to 24.0.0-IF007 or 24.0.1-IF005 or 25.0.0-IF002 \u003c/p\u003e\", \"base64\": false}]}], \"references\": [{\"url\": \"https://www.ibm.com/support/pages/node/7250047\", \"tags\": [\"vendor-advisory\", \"patch\"]}], \"x_generator\": {\"engine\": \"ibm-cvegen\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"IBM Cloud Pak for Business Automation 25.0.0 through 25.0.0 Interim Fix 001, 24.0.1 through 24.0.1 Interim Fix 004, 24.0.0 through 24.0.0 Interim Fix 006, and earlier unsupported releases IBM Business Automation Workflow is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eIBM Cloud Pak for Business Automation 25.0.0 through 25.0.0 Interim Fix 001, 24.0.1 through 24.0.1 Interim Fix 004, 24.0.0 through 24.0.0 Interim Fix 006, and earlier unsupported releases IBM Business Automation Workflow is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"9a959283-ebb5-44b6-b705-dcc2bbced522\", \"shortName\": \"ibm\", \"dateUpdated\": \"2025-11-03T21:18:09.139Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-36172\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-11-03T21:41:45.434Z\", \"dateReserved\": \"2025-04-15T21:16:22.577Z\", \"assignerOrgId\": \"9a959283-ebb5-44b6-b705-dcc2bbced522\", \"datePublished\": \"2025-11-03T21:18:09.139Z\", \"assignerShortName\": \"ibm\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2025-36172

Vulnerability from fkie_nvd - Published: 2025-11-03 22:18 - Updated: 2025-11-05 18:42

Severity ?

6.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Summary

References

	URL	Tags
	psirt@us.ibm.com	https://www.ibm.com/support/pages/node/7250047	Vendor Advisory

Impacted products

Vendor	Product	Version
ibm	cloud_pak_for_business_automation	24.0.0
ibm	cloud_pak_for_business_automation	24.0.0
ibm	cloud_pak_for_business_automation	24.0.0
ibm	cloud_pak_for_business_automation	24.0.0
ibm	cloud_pak_for_business_automation	24.0.0
ibm	cloud_pak_for_business_automation	24.0.0
ibm	cloud_pak_for_business_automation	24.0.0
ibm	cloud_pak_for_business_automation	24.0.1
ibm	cloud_pak_for_business_automation	24.0.1
ibm	cloud_pak_for_business_automation	24.0.1
ibm	cloud_pak_for_business_automation	24.0.1
ibm	cloud_pak_for_business_automation	25.0.0
ibm	cloud_pak_for_business_automation	25.0.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "EF879B84-21B0-4FD4-AD2E-7F29EBDD218A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.0:interim_fix_001:*:*:*:*:*:*",
              "matchCriteriaId": "496D1A48-3403-471F-AD07-AEC7E5000AD8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.0:interim_fix_002:*:*:*:*:*:*",
              "matchCriteriaId": "AA215EC3-DDFE-494D-862C-35CA30D9BEDE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.0:interim_fix_003:*:*:*:*:*:*",
              "matchCriteriaId": "969ED94C-DB65-482F-B8B8-251B56DE264D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.0:interim_fix_004:*:*:*:*:*:*",
              "matchCriteriaId": "D1810412-5987-4F53-A81E-096A4F0187B5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.0:interim_fix_005:*:*:*:*:*:*",
              "matchCriteriaId": "9CC01202-3D62-4544-BE9C-47300063896E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.0:interim_fix_006:*:*:*:*:*:*",
              "matchCriteriaId": "23966701-9B59-4CF9-9425-2C029318BF5C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.1:-:*:*:*:*:*:*",
              "matchCriteriaId": "F68528C5-034B-4B2C-8745-B969B14B52C5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.1:interim_fix_001:*:*:*:*:*:*",
              "matchCriteriaId": "EADE80E3-4E60-4154-A559-93E2325D799A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.1:interim_fix_002:*:*:*:*:*:*",
              "matchCriteriaId": "D01FC35C-29F1-4D57-8804-07A5C1E9EA85",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.1:interim_fix_004:*:*:*:*:*:*",
              "matchCriteriaId": "4D682E4B-DA22-4F88-A38F-76FF080AE0B5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:cloud_pak_for_business_automation:25.0.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "70431A72-663D-432E-9D94-5BBE380E06AB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:cloud_pak_for_business_automation:25.0.0:interim_fix_001:*:*:*:*:*:*",
              "matchCriteriaId": "33128B64-7030-4A4E-8EF2-E285AF44F99F",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "IBM Cloud Pak for Business Automation 25.0.0 through 25.0.0 Interim Fix 001, 24.0.1 through 24.0.1 Interim Fix 004, 24.0.0 through 24.0.0 Interim Fix 006, and earlier unsupported releases IBM Business Automation Workflow is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session."
    }
  ],
  "id": "CVE-2025-36172",
  "lastModified": "2025-11-05T18:42:42.023",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.1,
        "impactScore": 2.7,
        "source": "psirt@us.ibm.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2025-11-03T22:18:51.097",
  "references": [
    {
      "source": "psirt@us.ibm.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.ibm.com/support/pages/node/7250047"
    }
  ],
  "sourceIdentifier": "psirt@us.ibm.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "psirt@us.ibm.com",
      "type": "Primary"
    }
  ]
}

GHSA-6PX2-J97P-2PF7

Vulnerability from github – Published: 2025-11-04 00:32 – Updated: 2025-11-04 00:32

Details

Severity ?

6.4 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2025-36172"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-03T22:18:51Z",
    "severity": "MODERATE"
  },
  "details": "IBM Cloud Pak for Business Automation 25.0.0 through 25.0.0 Interim Fix 001, 24.0.1 through 24.0.1 Interim Fix 004, 24.0.0 through 24.0.0 Interim Fix 006, and earlier unsupported releases IBM Business Automation Workflow is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.",
  "id": "GHSA-6px2-j97p-2pf7",
  "modified": "2025-11-04T00:32:28Z",
  "published": "2025-11-04T00:32:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36172"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7250047"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-36172 (GCVE-0-2025-36172)

FKIE_CVE-2025-36172

GHSA-6PX2-J97P-2PF7

Tags

Sightings

Nomenclature