{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-33128","assignerOrgId":"9a959283-ebb5-44b6-b705-dcc2bbced522","state":"PUBLISHED","assignerShortName":"ibm","dateReserved":"2025-04-15T17:51:11.505Z","datePublished":"2026-06-22T13:20:14.904Z","dateUpdated":"2026-06-22T13:20:14.904Z"},"containers":{"cna":{"providerMetadata":{"orgId":"9a959283-ebb5-44b6-b705-dcc2bbced522","shortName":"ibm","dateUpdated":"2026-06-22T13:20:14.904Z"},"title":"IBM Engineering Lifecycle Management - Engineering Workflow Management is impacted by vulnerabilities HTML / XSS Injection observed","problemTypes":[{"descriptions":[{"lang":"en","cweId":"CWE-79","description":"CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","type":"CWE"}]}],"affected":[{"vendor":"IBM","product":"Engineering Workflow Management","versions":[{"status":"affected","version":"7.0.3","lessThanOrEqual":"7.0.3 Interim Fix 020","versionType":"semver"},{"status":"affected","version":"7.1.0","lessThanOrEqual":"7.1 Interim Fix 007","versionType":"semver"}],"cpes":["cpe:2.3:a:ibm:engineering_workflow_management:7.0.3:*:*:*:*:*:*:*","cpe:2.3:a:ibm:engineering_workflow_management:7.0.3:interim_fix_020:*:*:*:*:*:*","cpe:2.3:a:ibm:engineering_workflow_management:7.1:*:*:*:*:*:*:*","cpe:2.3:a:ibm:engineering_workflow_management:7.1.0:*:*:*:*:*:*:*","cpe:2.3:a:ibm:engineering_workflow_management:7.1:interim_fix_007:*:*:*:*:*:*","cpe:2.3:a:ibm:engineering_workflow_management:7.1.0:interim_fix_007:*:*:*:*:*:*"]}],"descriptions":[{"lang":"en","value":"IBM Engineering Workflow Management 7.0.3 through 7.0.3 Interim Fix 020, and 7.1 through 7.1 Interim Fix 007 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.","supportingMedia":[{"type":"text/html","base64":false,"value":"

IBM Engineering Workflow Management 7.0.3 through 7.0.3 Interim Fix 020, and 7.1 through 7.1 Interim Fix 007 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

"}]}],"references":[{"url":"https://www.ibm.com/support/pages/node/7276116","tags":["vendor-advisory","patch"]}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV3_1":{"version":"3.1","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE","baseSeverity":"MEDIUM","baseScore":5.4,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}}],"solutions":[{"lang":"en","value":"Affected Product(s)Version(s)Remediation/Fix/Instructions\n\nIBM Engineering Lifecycle Management - Engineering Workflow Management\n\n7.0.3Download and install  iFix021 https://www.ibm.com/support/fixcentral/swg/downloadFixes  or later\n\nIBM Engineering Lifecycle Management - Engineering Workflow Management\n\n7.1.0Download and install  iFix008 https://www.ibm.com/support/fixcentral/swg/downloadFixes  or later","supportingMedia":[{"type":"text/html","base64":false,"value":"
Affected Product(s)Version(s)Remediation/Fix/Instructions

IBM Engineering Lifecycle Management - Engineering Workflow Management

7.0.3Download and install iFix021 or later

IBM Engineering Lifecycle Management - Engineering Workflow Management

7.1.0Download and install iFix008 or later
"}]}],"x_generator":{"engine":"ibm-cvegen"}}}}