Vulnerability-Lookup

CNVD-2026-12672

Vulnerability from cnvd - Published: 2026-03-05

Title

IBM Cloud Pak for Business Automation存在XSS漏洞

Description

IBM Cloud Pak for Business Automation一个能够提供设计、构建、运行和自动化服务的集成软件组件，可以快速扩展您的程序并全面执行和实施自动化策略。 IBM Cloud Pak for Business Automation存在XSS漏洞，攻击者可利用该漏洞执行任意Web脚本或HTML。

Severity

低

Patch Name

IBM Cloud Pak for Business Automation存在XSS漏洞的补丁

Patch Description

IBM Cloud Pak for Business Automation一个能够提供设计、构建、运行和自动化服务的集成软件组件,可以快速扩展您的程序并全面执行和实施自动化策略。 IBM Cloud Pak for Business Automation存在XSS漏洞，攻击者可利用该漏洞执行任意Web脚本或HTML。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://www.ibm.com/support/pages/node/7259318

Reference

https://www.ibm.com/support/pages/node/7259318

Impacted products

Name
['IBM Cloud Pak for Business Automation >=25.0.0，<=25.0.0 Interim Fix 002', 'IBM Cloud Pak for Business Automation >=24.0.1，<=24.0.1 Interim Fix 005', 'IBM Cloud Pak for Business Automation >=24.0.0，<=24.0.0 Interim Fix 007']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2025-36436",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2025-36436"
    }
  },
  "description": "IBM Cloud Pak for Business Automation\u4e00\u4e2a\u80fd\u591f\u63d0\u4f9b\u8bbe\u8ba1\u3001\u6784\u5efa\u3001\u8fd0\u884c\u548c\u81ea\u52a8\u5316\u670d\u52a1\u7684\u96c6\u6210\u8f6f\u4ef6\u7ec4\u4ef6\uff0c\u53ef\u4ee5\u5feb\u901f\u6269\u5c55\u60a8\u7684\u7a0b\u5e8f\u5e76\u5168\u9762\u6267\u884c\u548c\u5b9e\u65bd\u81ea\u52a8\u5316\u7b56\u7565\u3002\n\nIBM Cloud Pak for Business Automation\u5b58\u5728XSS\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u4efb\u610fWeb\u811a\u672c\u6216HTML\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://www.ibm.com/support/pages/node/7259318",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2026-12672",
  "openTime": "2026-03-05",
  "patchDescription": "IBM Cloud Pak for Business Automation\u4e00\u4e2a\u80fd\u591f\u63d0\u4f9b\u8bbe\u8ba1\u3001\u6784\u5efa\u3001\u8fd0\u884c\u548c\u81ea\u52a8\u5316\u670d\u52a1\u7684\u96c6\u6210\u8f6f\u4ef6\u7ec4\u4ef6,\u53ef\u4ee5\u5feb\u901f\u6269\u5c55\u60a8\u7684\u7a0b\u5e8f\u5e76\u5168\u9762\u6267\u884c\u548c\u5b9e\u65bd\u81ea\u52a8\u5316\u7b56\u7565\u3002\r\n\r\nIBM Cloud Pak for Business Automation\u5b58\u5728XSS\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u4efb\u610fWeb\u811a\u672c\u6216HTML\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "IBM Cloud Pak for Business Automation\u5b58\u5728XSS\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "IBM Cloud Pak for Business Automation \u003e=25.0.0\uff0c\u003c=25.0.0 Interim Fix 002",
      "IBM Cloud Pak for Business Automation \u003e=24.0.1\uff0c\u003c=24.0.1 Interim Fix 005",
      "IBM Cloud Pak for Business Automation \u003e=24.0.0\uff0c\u003c=24.0.0 Interim Fix 007"
    ]
  },
  "referenceLink": "https://www.ibm.com/support/pages/node/7259318",
  "serverity": "\u4f4e",
  "submitTime": "2026-02-11",
  "title": "IBM Cloud Pak for Business Automation\u5b58\u5728XSS\u6f0f\u6d1e"
}

CVE-2025-36436 (GCVE-0-2025-36436)

Vulnerability from cvelistv5 – Published: 2026-02-02 21:51 – Updated: 2026-02-04 16:54

Title

Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for January 2026.

Summary

IBM Cloud Pak for Business Automation 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 007 is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

Severity ?

6.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

ibm

References

URL

Tags

https://www.ibm.com/support/pages/node/7259318

vendor-advisorypatch

Impacted products

	Vendor	Product	Version
	IBM	Cloud Pak for Business Automation	Affected: 25.0.0 , ≤ 25.0.0 Interim Fix 002 (semver) Affected: 24.0.1 , ≤ 24.0.1 Interim Fix 005 (semver) Affected: 24.0.0 , ≤ 24.0.0 Interim Fix 007 (semver) cpe:2.3:a:ibm:cloud_pak_for_business_automation:25.0.0:::::::* cpe:2.3:a:ibm:cloud_pak_for_business_automation:25.0.0:interim_fix_002:::::: cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.1:::::::* cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.1:interim_fix_005:::::: cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.0:::::::* cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.0:interim_fix_007::::::

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-36436",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-04T15:46:48.520703Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-04T16:54:09.241Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:ibm:cloud_pak_for_business_automation:25.0.0:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:cloud_pak_for_business_automation:25.0.0:interim_fix_002:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.1:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.1:interim_fix_005:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.0:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.0:interim_fix_007:*:*:*:*:*:*"
          ],
          "product": "Cloud Pak for Business Automation",
          "vendor": "IBM",
          "versions": [
            {
              "lessThanOrEqual": "25.0.0 Interim Fix 002",
              "status": "affected",
              "version": "25.0.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "24.0.1 Interim Fix 005",
              "status": "affected",
              "version": "24.0.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "24.0.0 Interim Fix 007",
              "status": "affected",
              "version": "24.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIBM Cloud Pak for Business Automation 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 007\u0026nbsp; is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.\u003c/p\u003e"
            }
          ],
          "value": "IBM Cloud Pak for Business Automation 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 007\u00a0 is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-02T21:51:04.342Z",
        "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "shortName": "ibm"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://www.ibm.com/support/pages/node/7259318"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003ctd\u003eAffected Product(s)\u003c/td\u003e\u003ctd\u003eVersion(s)\u003c/td\u003e\u003ctd\u003eRemediation / Fix\u003c/td\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eIBM Cloud Pak for Business Automation\u003c/td\u003e\u003ctd\u003eV25.0.0 - V25.0.0-IF002\u003c/td\u003e\u003ctd\u003eApply security fix \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/readme-ibm-cloud-pak-business-automation-2500-if003\"\u003e25.0.0-IF003\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Cloud Pak for Business Automation\u003c/td\u003e\u003ctd\u003eV24.0.1 - V24.0.1-IF005\u003c/td\u003e\u003ctd\u003eApply security fix \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/readme-ibm-cloud-pak-business-automation-2401-if006\"\u003e24.0.1-IF006\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Cloud Pak for Business Automation\u003c/td\u003e\u003ctd\u003eV24.0.0 - V24.0.0-IF007\u003c/td\u003e\u003ctd\u003eApply security fix \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/readme-ibm-cloud-pak-business-automation-2400-if008\"\u003e24.0.0-IF008\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u0026nbsp;\u003c/div\u003e"
            }
          ],
          "value": "Affected Product(s)Version(s)Remediation / FixIBM Cloud Pak for Business AutomationV25.0.0 - V25.0.0-IF002Apply security fix  25.0.0-IF003 https://www.ibm.com/support/pages/readme-ibm-cloud-pak-business-automation-2500-if003 IBM Cloud Pak for Business AutomationV24.0.1 - V24.0.1-IF005Apply security fix  24.0.1-IF006 https://www.ibm.com/support/pages/readme-ibm-cloud-pak-business-automation-2401-if006 IBM Cloud Pak for Business AutomationV24.0.0 - V24.0.0-IF007Apply security fix  24.0.0-IF008 https://www.ibm.com/support/pages/readme-ibm-cloud-pak-business-automation-2400-if008"
        }
      ],
      "title": "Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for January 2026.",
      "x_generator": {
        "engine": "ibm-cvegen"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
    "assignerShortName": "ibm",
    "cveId": "CVE-2025-36436",
    "datePublished": "2026-02-02T21:51:04.342Z",
    "dateReserved": "2025-04-15T21:17:03.969Z",
    "dateUpdated": "2026-02-04T16:54:09.241Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2026-12672

CVE-2025-36436 (GCVE-0-2025-36436)

Tags

Sightings

Nomenclature