CVE-2025-36172 (GCVE-0-2025-36172)
Vulnerability from cvelistv5
Published
2025-11-03 21:18
Modified
2025-11-03 21:41
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
IBM Cloud Pak for Business Automation 25.0.0 through 25.0.0 Interim Fix 001, 24.0.1 through 24.0.1 Interim Fix 004, 24.0.0 through 24.0.0 Interim Fix 006, and earlier unsupported releases IBM Business Automation Workflow is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
References
| URL | Tags | ||||||
|---|---|---|---|---|---|---|---|
|
|||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | Cloud Pak for Business Automation |
Version: 25.0.0 ≤ 25.0.0 Interim Fix 001 Version: 24.0.1 ≤ 24.0.1 Interim Fix 004 Version: 24.0.0 ≤ 24.0.0 Interim Fix 006 cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.1:*:*:*:*:*:*:* cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.1:interim_fix_004:*:*:*:*:*:* cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.0:interim_fix_006:*:*:*:*:*:* cpe:2.3:a:ibm:cloud_pak_for_business_automation:25.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:cloud_pak_for_business_automation:25.0.0:interim_fix_001:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36172",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-03T21:41:35.325568Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-03T21:41:45.434Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.1:interim_fix_004:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.0:interim_fix_006:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cloud_pak_for_business_automation:25.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cloud_pak_for_business_automation:25.0.0:interim_fix_001:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Cloud Pak for Business Automation",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "25.0.0 Interim Fix 001",
"status": "affected",
"version": "25.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "24.0.1 Interim Fix 004",
"status": "affected",
"version": "24.0.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "24.0.0 Interim Fix 006",
"status": "affected",
"version": "24.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Cloud Pak for Business Automation 25.0.0 through 25.0.0 Interim Fix 001, 24.0.1 through 24.0.1 Interim Fix 004, 24.0.0 through 24.0.0 Interim Fix 006, and earlier unsupported releases IBM Business Automation Workflow is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.\u003c/p\u003e"
}
],
"value": "IBM Cloud Pak for Business Automation 25.0.0 through 25.0.0 Interim Fix 001, 24.0.1 through 24.0.1 Interim Fix 004, 24.0.0 through 24.0.0 Interim Fix 006, and earlier unsupported releases IBM Business Automation Workflow is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-03T21:18:09.139Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7250047"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eRemediation/Fixes Affected Product(s) Version(s) Remediation / Fix IBM Cloud Pak for Business Automation V25.0.0 - V25.0.0-IF001 Apply security fix 25.0.0-IF002 IBM Cloud Pak for Business Automation V24.0.1 - V24.0.1-IF004 Upgrade and apply security fix 24.0.1-IF005 IBM Cloud Pak for Business Automation V24.0.0 - V24.0.0-IF006 Apply security fix 24.0.0-IF007 IBM Cloud Pak for Business Automation earlier unsupported releases Upgrade to 24.0.0-IF007 or 24.0.1-IF005 or 25.0.0-IF002 \u003c/p\u003e"
}
],
"value": "Remediation/Fixes Affected Product(s) Version(s) Remediation / Fix IBM Cloud Pak for Business Automation V25.0.0 - V25.0.0-IF001 Apply security fix 25.0.0-IF002 IBM Cloud Pak for Business Automation V24.0.1 - V24.0.1-IF004 Upgrade and apply security fix 24.0.1-IF005 IBM Cloud Pak for Business Automation V24.0.0 - V24.0.0-IF006 Apply security fix 24.0.0-IF007 IBM Cloud Pak for Business Automation earlier unsupported releases Upgrade to 24.0.0-IF007 or 24.0.1-IF005 or 25.0.0-IF002"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for 24.0.0-IF007, 24.0.1-IF005 and 25.0.0-IF002",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36172",
"datePublished": "2025-11-03T21:18:09.139Z",
"dateReserved": "2025-04-15T21:16:22.577Z",
"dateUpdated": "2025-11-03T21:41:45.434Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-36172\",\"sourceIdentifier\":\"psirt@us.ibm.com\",\"published\":\"2025-11-03T22:18:51.097\",\"lastModified\":\"2025-11-05T18:42:42.023\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"IBM Cloud Pak for Business Automation 25.0.0 through 25.0.0 Interim Fix 001, 24.0.1 through 24.0.1 Interim Fix 004, 24.0.0 through 24.0.0 Interim Fix 006, and earlier unsupported releases IBM Business Automation Workflow is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"psirt@us.ibm.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N\",\"baseScore\":6.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.1,\"impactScore\":2.7},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"psirt@us.ibm.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"EF879B84-21B0-4FD4-AD2E-7F29EBDD218A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.0:interim_fix_001:*:*:*:*:*:*\",\"matchCriteriaId\":\"496D1A48-3403-471F-AD07-AEC7E5000AD8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.0:interim_fix_002:*:*:*:*:*:*\",\"matchCriteriaId\":\"AA215EC3-DDFE-494D-862C-35CA30D9BEDE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.0:interim_fix_003:*:*:*:*:*:*\",\"matchCriteriaId\":\"969ED94C-DB65-482F-B8B8-251B56DE264D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.0:interim_fix_004:*:*:*:*:*:*\",\"matchCriteriaId\":\"D1810412-5987-4F53-A81E-096A4F0187B5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.0:interim_fix_005:*:*:*:*:*:*\",\"matchCriteriaId\":\"9CC01202-3D62-4544-BE9C-47300063896E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.0:interim_fix_006:*:*:*:*:*:*\",\"matchCriteriaId\":\"23966701-9B59-4CF9-9425-2C029318BF5C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.1:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"F68528C5-034B-4B2C-8745-B969B14B52C5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.1:interim_fix_001:*:*:*:*:*:*\",\"matchCriteriaId\":\"EADE80E3-4E60-4154-A559-93E2325D799A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.1:interim_fix_002:*:*:*:*:*:*\",\"matchCriteriaId\":\"D01FC35C-29F1-4D57-8804-07A5C1E9EA85\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.1:interim_fix_004:*:*:*:*:*:*\",\"matchCriteriaId\":\"4D682E4B-DA22-4F88-A38F-76FF080AE0B5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:25.0.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"70431A72-663D-432E-9D94-5BBE380E06AB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:25.0.0:interim_fix_001:*:*:*:*:*:*\",\"matchCriteriaId\":\"33128B64-7030-4A4E-8EF2-E285AF44F99F\"}]}]}],\"references\":[{\"url\":\"https://www.ibm.com/support/pages/node/7250047\",\"source\":\"psirt@us.ibm.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-36172\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-11-03T21:41:35.325568Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-11-03T21:41:38.651Z\"}}], \"cna\": {\"title\": \"Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for 24.0.0-IF007, 24.0.1-IF005 and 25.0.0-IF002\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 6.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.1:*:*:*:*:*:*:*\", \"cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.1:interim_fix_004:*:*:*:*:*:*\", \"cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.0:*:*:*:*:*:*:*\", \"cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.0:interim_fix_006:*:*:*:*:*:*\", \"cpe:2.3:a:ibm:cloud_pak_for_business_automation:25.0.0:*:*:*:*:*:*:*\", \"cpe:2.3:a:ibm:cloud_pak_for_business_automation:25.0.0:interim_fix_001:*:*:*:*:*:*\"], \"vendor\": \"IBM\", \"product\": \"Cloud Pak for Business Automation\", \"versions\": [{\"status\": \"affected\", \"version\": \"25.0.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"25.0.0 Interim Fix 001\"}, {\"status\": \"affected\", \"version\": \"24.0.1\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"24.0.1 Interim Fix 004\"}, {\"status\": \"affected\", \"version\": \"24.0.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"24.0.0 Interim Fix 006\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Remediation/Fixes Affected Product(s) Version(s) Remediation / Fix IBM Cloud Pak for Business Automation V25.0.0 - V25.0.0-IF001 Apply security fix 25.0.0-IF002 IBM Cloud Pak for Business Automation V24.0.1 - V24.0.1-IF004 Upgrade and apply security fix 24.0.1-IF005 IBM Cloud Pak for Business Automation V24.0.0 - V24.0.0-IF006 Apply security fix 24.0.0-IF007 IBM Cloud Pak for Business Automation earlier unsupported releases Upgrade to 24.0.0-IF007 or 24.0.1-IF005 or 25.0.0-IF002\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eRemediation/Fixes Affected Product(s) Version(s) Remediation / Fix IBM Cloud Pak for Business Automation V25.0.0 - V25.0.0-IF001 Apply security fix 25.0.0-IF002 IBM Cloud Pak for Business Automation V24.0.1 - V24.0.1-IF004 Upgrade and apply security fix 24.0.1-IF005 IBM Cloud Pak for Business Automation V24.0.0 - V24.0.0-IF006 Apply security fix 24.0.0-IF007 IBM Cloud Pak for Business Automation earlier unsupported releases Upgrade to 24.0.0-IF007 or 24.0.1-IF005 or 25.0.0-IF002 \u003c/p\u003e\", \"base64\": false}]}], \"references\": [{\"url\": \"https://www.ibm.com/support/pages/node/7250047\", \"tags\": [\"vendor-advisory\", \"patch\"]}], \"x_generator\": {\"engine\": \"ibm-cvegen\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"IBM Cloud Pak for Business Automation 25.0.0 through 25.0.0 Interim Fix 001, 24.0.1 through 24.0.1 Interim Fix 004, 24.0.0 through 24.0.0 Interim Fix 006, and earlier unsupported releases IBM Business Automation Workflow is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eIBM Cloud Pak for Business Automation 25.0.0 through 25.0.0 Interim Fix 001, 24.0.1 through 24.0.1 Interim Fix 004, 24.0.0 through 24.0.0 Interim Fix 006, and earlier unsupported releases IBM Business Automation Workflow is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"9a959283-ebb5-44b6-b705-dcc2bbced522\", \"shortName\": \"ibm\", \"dateUpdated\": \"2025-11-03T21:18:09.139Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-36172\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-11-03T21:41:45.434Z\", \"dateReserved\": \"2025-04-15T21:16:22.577Z\", \"assignerOrgId\": \"9a959283-ebb5-44b6-b705-dcc2bbced522\", \"datePublished\": \"2025-11-03T21:18:09.139Z\", \"assignerShortName\": \"ibm\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…