Search criteria
ⓘ
Use full-text search for keyword queries.
Combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by dates instead of relevance.
8 vulnerabilities found for Business Automation Workflow containers by IBM
CVE-2025-13096 (GCVE-0-2025-13096)
Vulnerability from nvd – Published: 2026-02-02 20:56 – Updated: 2026-02-03 15:39
VLAI?
Title
XML eXternal Entity injection (XXE) vulnerability affect IBM Business Automation Workflow -
Summary
IBM Business Automation Workflow containers V25.0.0 through V25.0.0-IF007, V24.0.1 - V24.0.1-IF007, V24.0.0 - V24.0.0-IF007 and IBM Business Automation Workflow traditional V25.0.0, V24.0.1, V24.0.0 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
Severity ?
7.1 (High)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| IBM | Business Automation Workflow containers |
Affected:
V25.0.0 , ≤ V25.0.0-IF002
(semver)
Affected: V24.0.1 , ≤ V24.0.1-IF005 (semver) Affected: V24.0.0 , ≤ V24.0.0-IF007 (semver) cpe:2.3:a:ibm:business_automation_workflow:24.0.0:*:*:*:containers:*:*:* cpe:2.3:a:ibm:business_automation_workflow:24.0.0:if008:*:*:containers:*:*:* cpe:2.3:a:ibm:business_automation_workflow:24.0.1:*:*:*:containers:*:*:* cpe:2.3:a:ibm:business_automation_workflow:24.0.1:if006:*:*:containers:*:*:* cpe:2.3:a:ibm:business_automation_workflow:25.0.0:*:*:*:containers:*:*:* cpe:2.3:a:ibm:business_automation_workflow:25.0.0:if003:*:*:containers:*:*:* |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13096",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-03T15:38:54.551059Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T15:39:59.140Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:business_automation_workflow:24.0.0:*:*:*:containers:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow:24.0.0:if008:*:*:containers:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow:24.0.1:*:*:*:containers:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow:24.0.1:if006:*:*:containers:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow:25.0.0:*:*:*:containers:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow:25.0.0:if003:*:*:containers:*:*:*"
],
"product": "Business Automation Workflow containers",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "V25.0.0-IF002",
"status": "affected",
"version": "V25.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "V24.0.1-IF005",
"status": "affected",
"version": "V24.0.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "V24.0.0-IF007",
"status": "affected",
"version": "V24.0.0",
"versionType": "semver"
}
]
},
{
"cpes": [
"cpe:2.3:a:ibm:business_automation_workflow:24.0.0:*:*:*:traditional:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow:24.0.1:*:*:*:traditional:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow:25.0.0:*:*:*:traditional:*:*:*"
],
"product": "Business Automation Workflow traditional",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "25.0.0"
},
{
"status": "affected",
"version": "24.0.1"
},
{
"status": "affected",
"version": "24.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Business Automation Workflow containers V25.0.0 through V25.0.0\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e-IF007\u003c/span\u003e, V24.0.1 - V24.0.1\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e-IF007\u003c/span\u003e, V24.0.0 - V24.0.0\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e-IF007\u003c/span\u003e and IBM Business Automation Workflow traditional V25.0.0, V24.0.1, V24.0.0 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A\u0026nbsp;remote attacker could exploit this vulnerability to expose sensitive information or consume memory\u0026nbsp;resources.\u003c/p\u003e"
}
],
"value": "IBM Business Automation Workflow containers V25.0.0 through V25.0.0-IF007, V24.0.1 - V24.0.1-IF007, V24.0.0 - V24.0.0-IF007 and IBM Business Automation Workflow traditional V25.0.0, V24.0.1, V24.0.0 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A\u00a0remote attacker could exploit this vulnerability to expose sensitive information or consume memory\u00a0resources."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-02T20:56:48.318Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7259321"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix (CF) containing \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/mysupport/aCIgJ0000007aZpWAI\"\u003eDT456229\u003c/a\u003e\u0026nbsp;as soon as practical.\u003c/p\u003e\u003cdiv\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eAffected Product(s)\u003c/th\u003e\u003cth\u003eVersion(s)\u003c/th\u003e\u003cth\u003eRemediation / Fix\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eIBM Business Automation Workflow containers\u003c/td\u003e\u003ctd\u003eV25.0.0\u003c/td\u003e\u003ctd\u003eApply \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/readme-ibm-business-automation-workflow-containers-25000-interim-fixes\"\u003e25.0.0-IF003\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Business Automation Workflow containers\u003c/td\u003e\u003ctd\u003eV24.0.1\u003c/td\u003e\u003ctd\u003eApply \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/node/7183042\"\u003e24.0.1-IF006\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Business Automation Workflow containers\u003c/td\u003e\u003ctd\u003eV24.0.0\u003c/td\u003e\u003ctd\u003eApply \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/node/7159792\"\u003e24.0.0-IF008\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Business Automation Workflow traditional\u003c/td\u003e\u003ctd\u003eV25.0.0\u003c/td\u003e\u003ctd\u003eApply \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/mysupport/aCIgJ0000007aZpWAI\"\u003eDT456229\u003c/a\u003e\u0026nbsp;included in \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/readme-ibm-business-automation-workflow-25000-interim-fixes\"\u003e25.0.0-IF003\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Business Automation Workflow traditional \u003c/td\u003e\u003ctd\u003eV24.0.1\u003c/td\u003e\u003ctd\u003eApply \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/mysupport/aCIgJ0000007aZpWAI\"\u003eDT456229\u003c/a\u003e\u0026nbsp;included in \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/readme-ibm-business-automation-workflow-24010-interim-fixes\"\u003e24.0.1-IF006\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Business Automation Workflow traditional \u0026nbsp;\u003c/td\u003e\u003ctd\u003eV24.0.0\u003c/td\u003e\u003ctd\u003eApply \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/mysupport/aCIgJ0000007aZpWAI\"\u003eDT456229\u003c/a\u003e\u0026nbsp;included in \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/readme-ibm-business-automation-workflow-24000-interim-fixes\"\u003e24.0.0-IF008\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003c/div\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix (CF) containing DT456229 https://www.ibm.com/mysupport/aCIgJ0000007aZpWAI \u00a0as soon as practical.\n\nAffected Product(s)Version(s)Remediation / FixIBM Business Automation Workflow containersV25.0.0Apply 25.0.0-IF003 https://www.ibm.com/support/pages/readme-ibm-business-automation-workflow-containers-25000-interim-fixes IBM Business Automation Workflow containersV24.0.1Apply 24.0.1-IF006 https://www.ibm.com/support/pages/node/7183042 IBM Business Automation Workflow containersV24.0.0Apply 24.0.0-IF008 https://www.ibm.com/support/pages/node/7159792 IBM Business Automation Workflow traditionalV25.0.0Apply DT456229 https://www.ibm.com/mysupport/aCIgJ0000007aZpWAI \u00a0included in 25.0.0-IF003 https://www.ibm.com/support/pages/readme-ibm-business-automation-workflow-25000-interim-fixes IBM Business Automation Workflow traditional V24.0.1Apply DT456229 https://www.ibm.com/mysupport/aCIgJ0000007aZpWAI \u00a0included in 24.0.1-IF006 https://www.ibm.com/support/pages/readme-ibm-business-automation-workflow-24010-interim-fixes IBM Business Automation Workflow traditional \u00a0V24.0.0Apply DT456229 https://www.ibm.com/mysupport/aCIgJ0000007aZpWAI \u00a0included in 24.0.0-IF008 https://www.ibm.com/support/pages/readme-ibm-business-automation-workflow-24000-interim-fixes"
}
],
"title": "XML eXternal Entity injection (XXE) vulnerability affect IBM Business Automation Workflow -",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-13096",
"datePublished": "2026-02-02T20:56:48.318Z",
"dateReserved": "2025-11-12T21:55:13.229Z",
"dateUpdated": "2026-02-03T15:39:59.140Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-36059 (GCVE-0-2025-36059)
Vulnerability from nvd – Published: 2026-01-20 15:07 – Updated: 2026-01-20 15:54
VLAI?
Title
Multiple security vulnerabilities are addressed in IBM Business Automation Workflow Containers fixes December 2025
Summary
IBM Business Automation Workflow containers 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 006. IBM Cloud Pak for Business Automation could allow a local user with access to the container to execute OS system calls.
Severity ?
4.7 (Medium)
CWE
- CWE-250 - Execution with Unnecessary Privileges
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | Business Automation Workflow containers |
Affected:
25.0.0 , ≤ 25.0.0 Interim Fix 002
(semver)
Affected: 24.0.1 , ≤ 24.0.1 Interim Fix 005 (semver) Affected: 24.0.0 , ≤ 24.0.0 Interim Fix 006 (semver) cpe:2.3:a:ibm:business_automation_workflow_containers:25.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:business_automation_workflow_containers:25.0.0:interim_fix_002:*:*:*:*:*:* cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.1:*:*:*:*:*:*:* cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.1:interim_fix_005:*:*:*:*:*:* cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.0:interim_fix_006:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36059",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T15:54:23.071587Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T15:54:41.357Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:business_automation_workflow_containers:25.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow_containers:25.0.0:interim_fix_002:*:*:*:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.1:interim_fix_005:*:*:*:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.0:interim_fix_006:*:*:*:*:*:*"
],
"product": "Business Automation Workflow containers",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "25.0.0 Interim Fix 002",
"status": "affected",
"version": "25.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "24.0.1 Interim Fix 005",
"status": "affected",
"version": "24.0.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "24.0.0 Interim Fix 006",
"status": "affected",
"version": "24.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Business Automation Workflow containers 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 006. IBM Cloud Pak for Business Automation could allow a local user with access to the container to execute OS system calls.\u003c/p\u003e"
}
],
"value": "IBM Business Automation Workflow containers 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 006. IBM Cloud Pak for Business Automation could allow a local user with access to the container to execute OS system calls."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-250",
"description": "CWE-250 Execution with Unnecessary Privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T15:07:46.448Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7256777"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cbr\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eAffected Product(s)\u003c/th\u003e\u003cth\u003eVersion(s)\u003c/th\u003e\u003cth\u003eRemediation / Fix\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eIBM Business Automation Workflow containers\u003c/td\u003e\u003ctd\u003eV25.0.0 - V25.0.0-IF002\u003c/td\u003e\u003ctd\u003eApply \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/readme-ibm-business-automation-workflow-containers-25000-interim-fixes\"\u003e25.0.0-IF003\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Business Automation Workflow containers\u003c/td\u003e\u003ctd\u003eV24.0.1 - V24.0.1-IF005\u003c/td\u003e\u003ctd\u003eApply \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/node/7183042\"\u003e24.0.1-IF006\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Business Automation Workflow containers\u003c/td\u003e\u003ctd\u003eV24.0.0 - V24.0.0-IF006\u003c/td\u003e\u003ctd\u003eApply \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/node/7159792\"\u003e24.0.0-IF007\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cbr\u003e"
}
],
"value": "Affected Product(s)Version(s)Remediation / FixIBM Business Automation Workflow containersV25.0.0 - V25.0.0-IF002Apply 25.0.0-IF003 https://www.ibm.com/support/pages/readme-ibm-business-automation-workflow-containers-25000-interim-fixes IBM Business Automation Workflow containersV24.0.1 - V24.0.1-IF005Apply 24.0.1-IF006 https://www.ibm.com/support/pages/node/7183042 IBM Business Automation Workflow containersV24.0.0 - V24.0.0-IF006Apply 24.0.0-IF007 https://www.ibm.com/support/pages/node/7159792"
}
],
"title": "Multiple security vulnerabilities are addressed in IBM Business Automation Workflow Containers fixes December 2025",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36059",
"datePublished": "2026-01-20T15:07:46.448Z",
"dateReserved": "2025-04-15T21:16:11.325Z",
"dateUpdated": "2026-01-20T15:54:41.357Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-36058 (GCVE-0-2025-36058)
Vulnerability from nvd – Published: 2026-01-20 15:09 – Updated: 2026-01-20 15:53
VLAI?
Title
Multiple security vulnerabilities are addressed in IBM Business Automation Workflow Containers fixes December 2025
Summary
IBM Business Automation Workflow containers 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 006. IBM Cloud Pak for Business Automation and IBM Business Automation Workflow containers may disclose sensitve configuration information in a config map.
Severity ?
5.5 (Medium)
CWE
- CWE-538 - Insertion of Sensitive Information into Externally-Accessible File or Directory
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | Business Automation Workflow containers |
Affected:
25.0.0 , ≤ 25.0.0 Interim Fix 002
(semver)
Affected: 24.0.1 , ≤ 24.0.1 Interim Fix 005 (semver) Affected: 24.0.0 , ≤ 24.0.0 Interim Fix 006 (semver) cpe:2.3:a:ibm:business_automation_workflow_containers:25.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:business_automation_workflow_containers:25.0.0:interim_fix_002:*:*:*:*:*:* cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.1:*:*:*:*:*:*:* cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.1:interim_fix_005:*:*:*:*:*:* cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.0:interim_fix_006:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36058",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T15:53:03.007740Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T15:53:20.326Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:business_automation_workflow_containers:25.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow_containers:25.0.0:interim_fix_002:*:*:*:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.1:interim_fix_005:*:*:*:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.0:interim_fix_006:*:*:*:*:*:*"
],
"product": "Business Automation Workflow containers",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "25.0.0 Interim Fix 002",
"status": "affected",
"version": "25.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "24.0.1 Interim Fix 005",
"status": "affected",
"version": "24.0.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "24.0.0 Interim Fix 006",
"status": "affected",
"version": "24.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Business Automation Workflow containers 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 006. IBM Cloud Pak for Business Automation and IBM Business Automation Workflow containers may disclose sensitve configuration information in a config map.\u003c/p\u003e"
}
],
"value": "IBM Business Automation Workflow containers 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 006. IBM Cloud Pak for Business Automation and IBM Business Automation Workflow containers may disclose sensitve configuration information in a config map."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-538",
"description": "CWE-538 Insertion of Sensitive Information into Externally-Accessible File or Directory",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T15:09:18.288Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7256777"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cbr\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eAffected Product(s)\u003c/th\u003e\u003cth\u003eVersion(s)\u003c/th\u003e\u003cth\u003eRemediation / Fix\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eIBM Business Automation Workflow containers\u003c/td\u003e\u003ctd\u003eV25.0.0 - V25.0.0-IF002\u003c/td\u003e\u003ctd\u003eApply \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/readme-ibm-business-automation-workflow-containers-25000-interim-fixes\"\u003e25.0.0-IF003\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Business Automation Workflow containers\u003c/td\u003e\u003ctd\u003eV24.0.1 - V24.0.1-IF005\u003c/td\u003e\u003ctd\u003eApply \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/node/7183042\"\u003e24.0.1-IF006\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Business Automation Workflow containers\u003c/td\u003e\u003ctd\u003eV24.0.0 - V24.0.0-IF006\u003c/td\u003e\u003ctd\u003eApply \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/node/7159792\"\u003e24.0.0-IF007\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cbr\u003e"
}
],
"value": "Affected Product(s)Version(s)Remediation / FixIBM Business Automation Workflow containersV25.0.0 - V25.0.0-IF002Apply 25.0.0-IF003 https://www.ibm.com/support/pages/readme-ibm-business-automation-workflow-containers-25000-interim-fixes IBM Business Automation Workflow containersV24.0.1 - V24.0.1-IF005Apply 24.0.1-IF006 https://www.ibm.com/support/pages/node/7183042 IBM Business Automation Workflow containersV24.0.0 - V24.0.0-IF006Apply 24.0.0-IF007 https://www.ibm.com/support/pages/node/7159792"
}
],
"title": "Multiple security vulnerabilities are addressed in IBM Business Automation Workflow Containers fixes December 2025",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36058",
"datePublished": "2026-01-20T15:09:07.082Z",
"dateReserved": "2025-04-15T21:16:11.325Z",
"dateUpdated": "2026-01-20T15:53:20.326Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-36054 (GCVE-0-2025-36054)
Vulnerability from nvd – Published: 2025-11-06 14:11 – Updated: 2025-11-06 14:32
VLAI?
Title
Cross-site scripting vulnerability affect IBM Business Automation Workflow Process Federation Server -
Summary
IBM Business Automation Workflow containers 24.0.0 through 24.0.0-IF006, 24.0.1 through 24.0.1-IF004, 25.0.0 through 25.0.0-IF001 and IBM Business Automation Workflow traditional with Process Federation Server 24.0.0 through 24.0.1 and 25.0.0 are vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| IBM | Business Automation Workflow containers |
Affected:
24.0.0 , ≤ 24.0.0-IF006
(semver)
Affected: 24.0.1 , ≤ 24.0.1-IF004 (semver) Affected: 25.0.0 , ≤ 25.0.0-IF001 (semver) cpe:2.3:a:ibm:business_automation_workflow:24.0.0:*:*:*:containers:*:*:* cpe:2.3:a:ibm:business_automation_workflow:24.0.0:if006:*:*:containers:*:*:* cpe:2.3:a:ibm:business_automation_workflow:24.0.1:*:*:*:containers:*:*:* cpe:2.3:a:ibm:business_automation_workflow:24.0.1:if004:*:*:containers:*:*:* cpe:2.3:a:ibm:business_automation_workflow:25.0.0:*:*:*:containers:*:*:* cpe:2.3:a:ibm:business_automation_workflow:25.0.0:if001:*:*:containers:*:*:* |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36054",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-06T14:31:58.235944Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-06T14:32:53.254Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:business_automation_workflow:24.0.0:*:*:*:containers:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow:24.0.0:if006:*:*:containers:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow:24.0.1:*:*:*:containers:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow:24.0.1:if004:*:*:containers:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow:25.0.0:*:*:*:containers:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow:25.0.0:if001:*:*:containers:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Business Automation Workflow containers",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "24.0.0-IF006",
"status": "affected",
"version": "24.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "24.0.1-IF004",
"status": "affected",
"version": "24.0.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "25.0.0-IF001",
"status": "affected",
"version": "25.0.0",
"versionType": "semver"
}
]
},
{
"cpes": [
"cpe:2.3:a:ibm:business_automation_workflow:24.0.0:*:*:*:traditional:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow:24.0.1:*:*:*:traditional:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow:25.0.0:*:*:*:traditional:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Business Automation Workflow traditional with Process Federation Server",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "24.0.1",
"status": "affected",
"version": "24.0.0",
"versionType": "semver"
},
{
"status": "affected",
"version": "25.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Business Automation Workflow containers 24.0.0 through 24.0.0-IF006, 24.0.1 through 24.0.1-IF004, 25.0.0 through 25.0.0-IF001 and IBM Business Automation Workflow traditional with Process Federation Server 24.0.0 through 24.0.1 and 25.0.0 are vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.\u003c/p\u003e"
}
],
"value": "IBM Business Automation Workflow containers 24.0.0 through 24.0.0-IF006, 24.0.1 through 24.0.1-IF004, 25.0.0 through 25.0.0-IF001 and IBM Business Automation Workflow traditional with Process Federation Server 24.0.0 through 24.0.1 and 25.0.0 are vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-06T14:11:49.396Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7250261"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eRemediation/Fixes Affected Product(s) Version(s) Remediation / Fix IBM Business Automation Workflow containers V25.0.0 - V25.0.0-IF001 V24.0.1 - V24.0.1-IF004 V24.0.0 - V24.0.0-IF006 Apply 25.0.0-IF002 or Apply 24.0.1-IF005 or Apply 24.0.0-IF007 IBM Business Automation Workflow traditional with Process Federation Server V25.0.0 V24.0.0 - V24.0.1 earlier unsupported releases Apply DT443492 IBM Business Automation Workflow traditional and containers earlier unsupported releases For earlier and unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product.\u003c/p\u003e"
}
],
"value": "Remediation/Fixes Affected Product(s) Version(s) Remediation / Fix IBM Business Automation Workflow containers V25.0.0 - V25.0.0-IF001 V24.0.1 - V24.0.1-IF004 V24.0.0 - V24.0.0-IF006 Apply 25.0.0-IF002 or Apply 24.0.1-IF005 or Apply 24.0.0-IF007 IBM Business Automation Workflow traditional with Process Federation Server V25.0.0 V24.0.0 - V24.0.1 earlier unsupported releases Apply DT443492 IBM Business Automation Workflow traditional and containers earlier unsupported releases For earlier and unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Cross-site scripting vulnerability affect IBM Business Automation Workflow Process Federation Server -",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36054",
"datePublished": "2025-11-06T14:11:49.396Z",
"dateReserved": "2025-04-15T21:16:11.324Z",
"dateUpdated": "2025-11-06T14:32:53.254Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13096 (GCVE-0-2025-13096)
Vulnerability from cvelistv5 – Published: 2026-02-02 20:56 – Updated: 2026-02-03 15:39
VLAI?
Title
XML eXternal Entity injection (XXE) vulnerability affect IBM Business Automation Workflow -
Summary
IBM Business Automation Workflow containers V25.0.0 through V25.0.0-IF007, V24.0.1 - V24.0.1-IF007, V24.0.0 - V24.0.0-IF007 and IBM Business Automation Workflow traditional V25.0.0, V24.0.1, V24.0.0 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
Severity ?
7.1 (High)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| IBM | Business Automation Workflow containers |
Affected:
V25.0.0 , ≤ V25.0.0-IF002
(semver)
Affected: V24.0.1 , ≤ V24.0.1-IF005 (semver) Affected: V24.0.0 , ≤ V24.0.0-IF007 (semver) cpe:2.3:a:ibm:business_automation_workflow:24.0.0:*:*:*:containers:*:*:* cpe:2.3:a:ibm:business_automation_workflow:24.0.0:if008:*:*:containers:*:*:* cpe:2.3:a:ibm:business_automation_workflow:24.0.1:*:*:*:containers:*:*:* cpe:2.3:a:ibm:business_automation_workflow:24.0.1:if006:*:*:containers:*:*:* cpe:2.3:a:ibm:business_automation_workflow:25.0.0:*:*:*:containers:*:*:* cpe:2.3:a:ibm:business_automation_workflow:25.0.0:if003:*:*:containers:*:*:* |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13096",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-03T15:38:54.551059Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T15:39:59.140Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:business_automation_workflow:24.0.0:*:*:*:containers:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow:24.0.0:if008:*:*:containers:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow:24.0.1:*:*:*:containers:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow:24.0.1:if006:*:*:containers:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow:25.0.0:*:*:*:containers:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow:25.0.0:if003:*:*:containers:*:*:*"
],
"product": "Business Automation Workflow containers",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "V25.0.0-IF002",
"status": "affected",
"version": "V25.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "V24.0.1-IF005",
"status": "affected",
"version": "V24.0.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "V24.0.0-IF007",
"status": "affected",
"version": "V24.0.0",
"versionType": "semver"
}
]
},
{
"cpes": [
"cpe:2.3:a:ibm:business_automation_workflow:24.0.0:*:*:*:traditional:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow:24.0.1:*:*:*:traditional:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow:25.0.0:*:*:*:traditional:*:*:*"
],
"product": "Business Automation Workflow traditional",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "25.0.0"
},
{
"status": "affected",
"version": "24.0.1"
},
{
"status": "affected",
"version": "24.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Business Automation Workflow containers V25.0.0 through V25.0.0\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e-IF007\u003c/span\u003e, V24.0.1 - V24.0.1\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e-IF007\u003c/span\u003e, V24.0.0 - V24.0.0\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e-IF007\u003c/span\u003e and IBM Business Automation Workflow traditional V25.0.0, V24.0.1, V24.0.0 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A\u0026nbsp;remote attacker could exploit this vulnerability to expose sensitive information or consume memory\u0026nbsp;resources.\u003c/p\u003e"
}
],
"value": "IBM Business Automation Workflow containers V25.0.0 through V25.0.0-IF007, V24.0.1 - V24.0.1-IF007, V24.0.0 - V24.0.0-IF007 and IBM Business Automation Workflow traditional V25.0.0, V24.0.1, V24.0.0 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A\u00a0remote attacker could exploit this vulnerability to expose sensitive information or consume memory\u00a0resources."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-02T20:56:48.318Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7259321"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix (CF) containing \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/mysupport/aCIgJ0000007aZpWAI\"\u003eDT456229\u003c/a\u003e\u0026nbsp;as soon as practical.\u003c/p\u003e\u003cdiv\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eAffected Product(s)\u003c/th\u003e\u003cth\u003eVersion(s)\u003c/th\u003e\u003cth\u003eRemediation / Fix\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eIBM Business Automation Workflow containers\u003c/td\u003e\u003ctd\u003eV25.0.0\u003c/td\u003e\u003ctd\u003eApply \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/readme-ibm-business-automation-workflow-containers-25000-interim-fixes\"\u003e25.0.0-IF003\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Business Automation Workflow containers\u003c/td\u003e\u003ctd\u003eV24.0.1\u003c/td\u003e\u003ctd\u003eApply \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/node/7183042\"\u003e24.0.1-IF006\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Business Automation Workflow containers\u003c/td\u003e\u003ctd\u003eV24.0.0\u003c/td\u003e\u003ctd\u003eApply \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/node/7159792\"\u003e24.0.0-IF008\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Business Automation Workflow traditional\u003c/td\u003e\u003ctd\u003eV25.0.0\u003c/td\u003e\u003ctd\u003eApply \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/mysupport/aCIgJ0000007aZpWAI\"\u003eDT456229\u003c/a\u003e\u0026nbsp;included in \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/readme-ibm-business-automation-workflow-25000-interim-fixes\"\u003e25.0.0-IF003\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Business Automation Workflow traditional \u003c/td\u003e\u003ctd\u003eV24.0.1\u003c/td\u003e\u003ctd\u003eApply \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/mysupport/aCIgJ0000007aZpWAI\"\u003eDT456229\u003c/a\u003e\u0026nbsp;included in \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/readme-ibm-business-automation-workflow-24010-interim-fixes\"\u003e24.0.1-IF006\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Business Automation Workflow traditional \u0026nbsp;\u003c/td\u003e\u003ctd\u003eV24.0.0\u003c/td\u003e\u003ctd\u003eApply \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/mysupport/aCIgJ0000007aZpWAI\"\u003eDT456229\u003c/a\u003e\u0026nbsp;included in \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/readme-ibm-business-automation-workflow-24000-interim-fixes\"\u003e24.0.0-IF008\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003c/div\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix (CF) containing DT456229 https://www.ibm.com/mysupport/aCIgJ0000007aZpWAI \u00a0as soon as practical.\n\nAffected Product(s)Version(s)Remediation / FixIBM Business Automation Workflow containersV25.0.0Apply 25.0.0-IF003 https://www.ibm.com/support/pages/readme-ibm-business-automation-workflow-containers-25000-interim-fixes IBM Business Automation Workflow containersV24.0.1Apply 24.0.1-IF006 https://www.ibm.com/support/pages/node/7183042 IBM Business Automation Workflow containersV24.0.0Apply 24.0.0-IF008 https://www.ibm.com/support/pages/node/7159792 IBM Business Automation Workflow traditionalV25.0.0Apply DT456229 https://www.ibm.com/mysupport/aCIgJ0000007aZpWAI \u00a0included in 25.0.0-IF003 https://www.ibm.com/support/pages/readme-ibm-business-automation-workflow-25000-interim-fixes IBM Business Automation Workflow traditional V24.0.1Apply DT456229 https://www.ibm.com/mysupport/aCIgJ0000007aZpWAI \u00a0included in 24.0.1-IF006 https://www.ibm.com/support/pages/readme-ibm-business-automation-workflow-24010-interim-fixes IBM Business Automation Workflow traditional \u00a0V24.0.0Apply DT456229 https://www.ibm.com/mysupport/aCIgJ0000007aZpWAI \u00a0included in 24.0.0-IF008 https://www.ibm.com/support/pages/readme-ibm-business-automation-workflow-24000-interim-fixes"
}
],
"title": "XML eXternal Entity injection (XXE) vulnerability affect IBM Business Automation Workflow -",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-13096",
"datePublished": "2026-02-02T20:56:48.318Z",
"dateReserved": "2025-11-12T21:55:13.229Z",
"dateUpdated": "2026-02-03T15:39:59.140Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-36058 (GCVE-0-2025-36058)
Vulnerability from cvelistv5 – Published: 2026-01-20 15:09 – Updated: 2026-01-20 15:53
VLAI?
Title
Multiple security vulnerabilities are addressed in IBM Business Automation Workflow Containers fixes December 2025
Summary
IBM Business Automation Workflow containers 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 006. IBM Cloud Pak for Business Automation and IBM Business Automation Workflow containers may disclose sensitve configuration information in a config map.
Severity ?
5.5 (Medium)
CWE
- CWE-538 - Insertion of Sensitive Information into Externally-Accessible File or Directory
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | Business Automation Workflow containers |
Affected:
25.0.0 , ≤ 25.0.0 Interim Fix 002
(semver)
Affected: 24.0.1 , ≤ 24.0.1 Interim Fix 005 (semver) Affected: 24.0.0 , ≤ 24.0.0 Interim Fix 006 (semver) cpe:2.3:a:ibm:business_automation_workflow_containers:25.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:business_automation_workflow_containers:25.0.0:interim_fix_002:*:*:*:*:*:* cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.1:*:*:*:*:*:*:* cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.1:interim_fix_005:*:*:*:*:*:* cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.0:interim_fix_006:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36058",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T15:53:03.007740Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T15:53:20.326Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:business_automation_workflow_containers:25.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow_containers:25.0.0:interim_fix_002:*:*:*:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.1:interim_fix_005:*:*:*:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.0:interim_fix_006:*:*:*:*:*:*"
],
"product": "Business Automation Workflow containers",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "25.0.0 Interim Fix 002",
"status": "affected",
"version": "25.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "24.0.1 Interim Fix 005",
"status": "affected",
"version": "24.0.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "24.0.0 Interim Fix 006",
"status": "affected",
"version": "24.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Business Automation Workflow containers 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 006. IBM Cloud Pak for Business Automation and IBM Business Automation Workflow containers may disclose sensitve configuration information in a config map.\u003c/p\u003e"
}
],
"value": "IBM Business Automation Workflow containers 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 006. IBM Cloud Pak for Business Automation and IBM Business Automation Workflow containers may disclose sensitve configuration information in a config map."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-538",
"description": "CWE-538 Insertion of Sensitive Information into Externally-Accessible File or Directory",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T15:09:18.288Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7256777"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cbr\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eAffected Product(s)\u003c/th\u003e\u003cth\u003eVersion(s)\u003c/th\u003e\u003cth\u003eRemediation / Fix\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eIBM Business Automation Workflow containers\u003c/td\u003e\u003ctd\u003eV25.0.0 - V25.0.0-IF002\u003c/td\u003e\u003ctd\u003eApply \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/readme-ibm-business-automation-workflow-containers-25000-interim-fixes\"\u003e25.0.0-IF003\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Business Automation Workflow containers\u003c/td\u003e\u003ctd\u003eV24.0.1 - V24.0.1-IF005\u003c/td\u003e\u003ctd\u003eApply \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/node/7183042\"\u003e24.0.1-IF006\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Business Automation Workflow containers\u003c/td\u003e\u003ctd\u003eV24.0.0 - V24.0.0-IF006\u003c/td\u003e\u003ctd\u003eApply \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/node/7159792\"\u003e24.0.0-IF007\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cbr\u003e"
}
],
"value": "Affected Product(s)Version(s)Remediation / FixIBM Business Automation Workflow containersV25.0.0 - V25.0.0-IF002Apply 25.0.0-IF003 https://www.ibm.com/support/pages/readme-ibm-business-automation-workflow-containers-25000-interim-fixes IBM Business Automation Workflow containersV24.0.1 - V24.0.1-IF005Apply 24.0.1-IF006 https://www.ibm.com/support/pages/node/7183042 IBM Business Automation Workflow containersV24.0.0 - V24.0.0-IF006Apply 24.0.0-IF007 https://www.ibm.com/support/pages/node/7159792"
}
],
"title": "Multiple security vulnerabilities are addressed in IBM Business Automation Workflow Containers fixes December 2025",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36058",
"datePublished": "2026-01-20T15:09:07.082Z",
"dateReserved": "2025-04-15T21:16:11.325Z",
"dateUpdated": "2026-01-20T15:53:20.326Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-36059 (GCVE-0-2025-36059)
Vulnerability from cvelistv5 – Published: 2026-01-20 15:07 – Updated: 2026-01-20 15:54
VLAI?
Title
Multiple security vulnerabilities are addressed in IBM Business Automation Workflow Containers fixes December 2025
Summary
IBM Business Automation Workflow containers 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 006. IBM Cloud Pak for Business Automation could allow a local user with access to the container to execute OS system calls.
Severity ?
4.7 (Medium)
CWE
- CWE-250 - Execution with Unnecessary Privileges
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | Business Automation Workflow containers |
Affected:
25.0.0 , ≤ 25.0.0 Interim Fix 002
(semver)
Affected: 24.0.1 , ≤ 24.0.1 Interim Fix 005 (semver) Affected: 24.0.0 , ≤ 24.0.0 Interim Fix 006 (semver) cpe:2.3:a:ibm:business_automation_workflow_containers:25.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:business_automation_workflow_containers:25.0.0:interim_fix_002:*:*:*:*:*:* cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.1:*:*:*:*:*:*:* cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.1:interim_fix_005:*:*:*:*:*:* cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.0:interim_fix_006:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36059",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T15:54:23.071587Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T15:54:41.357Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:business_automation_workflow_containers:25.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow_containers:25.0.0:interim_fix_002:*:*:*:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.1:interim_fix_005:*:*:*:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.0:interim_fix_006:*:*:*:*:*:*"
],
"product": "Business Automation Workflow containers",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "25.0.0 Interim Fix 002",
"status": "affected",
"version": "25.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "24.0.1 Interim Fix 005",
"status": "affected",
"version": "24.0.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "24.0.0 Interim Fix 006",
"status": "affected",
"version": "24.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Business Automation Workflow containers 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 006. IBM Cloud Pak for Business Automation could allow a local user with access to the container to execute OS system calls.\u003c/p\u003e"
}
],
"value": "IBM Business Automation Workflow containers 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 006. IBM Cloud Pak for Business Automation could allow a local user with access to the container to execute OS system calls."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-250",
"description": "CWE-250 Execution with Unnecessary Privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T15:07:46.448Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7256777"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cbr\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eAffected Product(s)\u003c/th\u003e\u003cth\u003eVersion(s)\u003c/th\u003e\u003cth\u003eRemediation / Fix\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eIBM Business Automation Workflow containers\u003c/td\u003e\u003ctd\u003eV25.0.0 - V25.0.0-IF002\u003c/td\u003e\u003ctd\u003eApply \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/readme-ibm-business-automation-workflow-containers-25000-interim-fixes\"\u003e25.0.0-IF003\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Business Automation Workflow containers\u003c/td\u003e\u003ctd\u003eV24.0.1 - V24.0.1-IF005\u003c/td\u003e\u003ctd\u003eApply \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/node/7183042\"\u003e24.0.1-IF006\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Business Automation Workflow containers\u003c/td\u003e\u003ctd\u003eV24.0.0 - V24.0.0-IF006\u003c/td\u003e\u003ctd\u003eApply \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/node/7159792\"\u003e24.0.0-IF007\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cbr\u003e"
}
],
"value": "Affected Product(s)Version(s)Remediation / FixIBM Business Automation Workflow containersV25.0.0 - V25.0.0-IF002Apply 25.0.0-IF003 https://www.ibm.com/support/pages/readme-ibm-business-automation-workflow-containers-25000-interim-fixes IBM Business Automation Workflow containersV24.0.1 - V24.0.1-IF005Apply 24.0.1-IF006 https://www.ibm.com/support/pages/node/7183042 IBM Business Automation Workflow containersV24.0.0 - V24.0.0-IF006Apply 24.0.0-IF007 https://www.ibm.com/support/pages/node/7159792"
}
],
"title": "Multiple security vulnerabilities are addressed in IBM Business Automation Workflow Containers fixes December 2025",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36059",
"datePublished": "2026-01-20T15:07:46.448Z",
"dateReserved": "2025-04-15T21:16:11.325Z",
"dateUpdated": "2026-01-20T15:54:41.357Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-36054 (GCVE-0-2025-36054)
Vulnerability from cvelistv5 – Published: 2025-11-06 14:11 – Updated: 2025-11-06 14:32
VLAI?
Title
Cross-site scripting vulnerability affect IBM Business Automation Workflow Process Federation Server -
Summary
IBM Business Automation Workflow containers 24.0.0 through 24.0.0-IF006, 24.0.1 through 24.0.1-IF004, 25.0.0 through 25.0.0-IF001 and IBM Business Automation Workflow traditional with Process Federation Server 24.0.0 through 24.0.1 and 25.0.0 are vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| IBM | Business Automation Workflow containers |
Affected:
24.0.0 , ≤ 24.0.0-IF006
(semver)
Affected: 24.0.1 , ≤ 24.0.1-IF004 (semver) Affected: 25.0.0 , ≤ 25.0.0-IF001 (semver) cpe:2.3:a:ibm:business_automation_workflow:24.0.0:*:*:*:containers:*:*:* cpe:2.3:a:ibm:business_automation_workflow:24.0.0:if006:*:*:containers:*:*:* cpe:2.3:a:ibm:business_automation_workflow:24.0.1:*:*:*:containers:*:*:* cpe:2.3:a:ibm:business_automation_workflow:24.0.1:if004:*:*:containers:*:*:* cpe:2.3:a:ibm:business_automation_workflow:25.0.0:*:*:*:containers:*:*:* cpe:2.3:a:ibm:business_automation_workflow:25.0.0:if001:*:*:containers:*:*:* |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36054",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-06T14:31:58.235944Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-06T14:32:53.254Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:business_automation_workflow:24.0.0:*:*:*:containers:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow:24.0.0:if006:*:*:containers:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow:24.0.1:*:*:*:containers:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow:24.0.1:if004:*:*:containers:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow:25.0.0:*:*:*:containers:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow:25.0.0:if001:*:*:containers:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Business Automation Workflow containers",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "24.0.0-IF006",
"status": "affected",
"version": "24.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "24.0.1-IF004",
"status": "affected",
"version": "24.0.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "25.0.0-IF001",
"status": "affected",
"version": "25.0.0",
"versionType": "semver"
}
]
},
{
"cpes": [
"cpe:2.3:a:ibm:business_automation_workflow:24.0.0:*:*:*:traditional:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow:24.0.1:*:*:*:traditional:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow:25.0.0:*:*:*:traditional:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Business Automation Workflow traditional with Process Federation Server",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "24.0.1",
"status": "affected",
"version": "24.0.0",
"versionType": "semver"
},
{
"status": "affected",
"version": "25.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Business Automation Workflow containers 24.0.0 through 24.0.0-IF006, 24.0.1 through 24.0.1-IF004, 25.0.0 through 25.0.0-IF001 and IBM Business Automation Workflow traditional with Process Federation Server 24.0.0 through 24.0.1 and 25.0.0 are vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.\u003c/p\u003e"
}
],
"value": "IBM Business Automation Workflow containers 24.0.0 through 24.0.0-IF006, 24.0.1 through 24.0.1-IF004, 25.0.0 through 25.0.0-IF001 and IBM Business Automation Workflow traditional with Process Federation Server 24.0.0 through 24.0.1 and 25.0.0 are vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-06T14:11:49.396Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7250261"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eRemediation/Fixes Affected Product(s) Version(s) Remediation / Fix IBM Business Automation Workflow containers V25.0.0 - V25.0.0-IF001 V24.0.1 - V24.0.1-IF004 V24.0.0 - V24.0.0-IF006 Apply 25.0.0-IF002 or Apply 24.0.1-IF005 or Apply 24.0.0-IF007 IBM Business Automation Workflow traditional with Process Federation Server V25.0.0 V24.0.0 - V24.0.1 earlier unsupported releases Apply DT443492 IBM Business Automation Workflow traditional and containers earlier unsupported releases For earlier and unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product.\u003c/p\u003e"
}
],
"value": "Remediation/Fixes Affected Product(s) Version(s) Remediation / Fix IBM Business Automation Workflow containers V25.0.0 - V25.0.0-IF001 V24.0.1 - V24.0.1-IF004 V24.0.0 - V24.0.0-IF006 Apply 25.0.0-IF002 or Apply 24.0.1-IF005 or Apply 24.0.0-IF007 IBM Business Automation Workflow traditional with Process Federation Server V25.0.0 V24.0.0 - V24.0.1 earlier unsupported releases Apply DT443492 IBM Business Automation Workflow traditional and containers earlier unsupported releases For earlier and unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Cross-site scripting vulnerability affect IBM Business Automation Workflow Process Federation Server -",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36054",
"datePublished": "2025-11-06T14:11:49.396Z",
"dateReserved": "2025-04-15T21:16:11.324Z",
"dateUpdated": "2025-11-06T14:32:53.254Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}