6 vulnerabilities found for Business Automation Workflow containers by IBM
CVE-2025-36059 (GCVE-0-2025-36059)
Vulnerability from nvd – Published: 2026-01-20 15:07 – Updated: 2026-01-20 15:54
Title
Multiple security vulnerabilities are addressed in IBM Business Automation Workflow Containers fixes December 2025
Summary
IBM Business Automation Workflow containers 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 006. IBM Cloud Pak for Business Automation could allow a local user with access to the container to execute OS system calls.
Severity
4.7 (Medium)
CWE
- CWE-250 - Execution with Unnecessary Privileges
Assigner
ibm
References
| URL | Tags |
|---|---|
| https://www.ibm.com/support/pages/node/7256777 | vendor-advisory, patch |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| IBM | Business Automation Workflow containers | Affected: 25.0.0, ≤ 25.0.0 Interim Fix 002 (semver) |
| IBM | Business Automation Workflow containers | Affected: 24.0.1, ≤ 24.0.1 Interim Fix 005 (semver) |
| IBM | Business Automation Workflow containers | Affected: 24.0.0, ≤ 24.0.0 Interim Fix 006 (semver) |

CPEs:
- cpe:2.3:a:ibm:business_automation_workflow_containers:25.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_automation_workflow_containers:25.0.0:interim_fix_002:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.1:interim_fix_005:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.0:interim_fix_006:*:*:*:*:*:*
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36059",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T15:54:23.071587Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T15:54:41.357Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:business_automation_workflow_containers:25.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow_containers:25.0.0:interim_fix_002:*:*:*:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.1:interim_fix_005:*:*:*:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.0:interim_fix_006:*:*:*:*:*:*"
],
"product": "Business Automation Workflow containers",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "25.0.0 Interim Fix 002",
"status": "affected",
"version": "25.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "24.0.1 Interim Fix 005",
"status": "affected",
"version": "24.0.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "24.0.0 Interim Fix 006",
"status": "affected",
"version": "24.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Business Automation Workflow containers 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 006. IBM Cloud Pak for Business Automation could allow a local user with access to the container to execute OS system calls.\u003c/p\u003e"
}
],
"value": "IBM Business Automation Workflow containers 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 006. IBM Cloud Pak for Business Automation could allow a local user with access to the container to execute OS system calls."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-250",
"description": "CWE-250 Execution with Unnecessary Privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T15:07:46.448Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7256777"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cbr\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eAffected Product(s)\u003c/th\u003e\u003cth\u003eVersion(s)\u003c/th\u003e\u003cth\u003eRemediation / Fix\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eIBM Business Automation Workflow containers\u003c/td\u003e\u003ctd\u003eV25.0.0 - V25.0.0-IF002\u003c/td\u003e\u003ctd\u003eApply \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/readme-ibm-business-automation-workflow-containers-25000-interim-fixes\"\u003e25.0.0-IF003\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Business Automation Workflow containers\u003c/td\u003e\u003ctd\u003eV24.0.1 - V24.0.1-IF005\u003c/td\u003e\u003ctd\u003eApply \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/node/7183042\"\u003e24.0.1-IF006\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Business Automation Workflow containers\u003c/td\u003e\u003ctd\u003eV24.0.0 - V24.0.0-IF006\u003c/td\u003e\u003ctd\u003eApply \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/node/7159792\"\u003e24.0.0-IF007\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cbr\u003e"
}
],
"value": "Affected Product(s)Version(s)Remediation / FixIBM Business Automation Workflow containersV25.0.0 - V25.0.0-IF002Apply 25.0.0-IF003 https://www.ibm.com/support/pages/readme-ibm-business-automation-workflow-containers-25000-interim-fixes IBM Business Automation Workflow containersV24.0.1 - V24.0.1-IF005Apply 24.0.1-IF006 https://www.ibm.com/support/pages/node/7183042 IBM Business Automation Workflow containersV24.0.0 - V24.0.0-IF006Apply 24.0.0-IF007 https://www.ibm.com/support/pages/node/7159792"
}
],
"title": "Multiple security vulnerabilities are addressed in IBM Business Automation Workflow Containers fixes December 2025",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36059",
"datePublished": "2026-01-20T15:07:46.448Z",
"dateReserved": "2025-04-15T21:16:11.325Z",
"dateUpdated": "2026-01-20T15:54:41.357Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-36058 (GCVE-0-2025-36058)
Vulnerability from nvd – Published: 2026-01-20 15:09 – Updated: 2026-01-20 15:53
Title
Multiple security vulnerabilities are addressed in IBM Business Automation Workflow Containers fixes December 2025
Summary
IBM Business Automation Workflow containers 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 006. IBM Cloud Pak for Business Automation and IBM Business Automation Workflow containers may disclose sensitive configuration information in a config map.
Severity
5.5 (Medium)
CWE
- CWE-538 - Insertion of Sensitive Information into Externally-Accessible File or Directory
Assigner
ibm
References
| URL | Tags |
|---|---|
| https://www.ibm.com/support/pages/node/7256777 | vendor-advisory, patch |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| IBM | Business Automation Workflow containers | Affected: 25.0.0, ≤ 25.0.0 Interim Fix 002 (semver) |
| IBM | Business Automation Workflow containers | Affected: 24.0.1, ≤ 24.0.1 Interim Fix 005 (semver) |
| IBM | Business Automation Workflow containers | Affected: 24.0.0, ≤ 24.0.0 Interim Fix 006 (semver) |

CPEs:
- cpe:2.3:a:ibm:business_automation_workflow_containers:25.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_automation_workflow_containers:25.0.0:interim_fix_002:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.1:interim_fix_005:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.0:interim_fix_006:*:*:*:*:*:*
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36058",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T15:53:03.007740Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T15:53:20.326Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:business_automation_workflow_containers:25.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow_containers:25.0.0:interim_fix_002:*:*:*:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.1:interim_fix_005:*:*:*:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.0:interim_fix_006:*:*:*:*:*:*"
],
"product": "Business Automation Workflow containers",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "25.0.0 Interim Fix 002",
"status": "affected",
"version": "25.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "24.0.1 Interim Fix 005",
"status": "affected",
"version": "24.0.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "24.0.0 Interim Fix 006",
"status": "affected",
"version": "24.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Business Automation Workflow containers 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 006. IBM Cloud Pak for Business Automation and IBM Business Automation Workflow containers may disclose sensitve configuration information in a config map.\u003c/p\u003e"
}
],
"value": "IBM Business Automation Workflow containers 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 006. IBM Cloud Pak for Business Automation and IBM Business Automation Workflow containers may disclose sensitve configuration information in a config map."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-538",
"description": "CWE-538 Insertion of Sensitive Information into Externally-Accessible File or Directory",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T15:09:18.288Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7256777"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cbr\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eAffected Product(s)\u003c/th\u003e\u003cth\u003eVersion(s)\u003c/th\u003e\u003cth\u003eRemediation / Fix\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eIBM Business Automation Workflow containers\u003c/td\u003e\u003ctd\u003eV25.0.0 - V25.0.0-IF002\u003c/td\u003e\u003ctd\u003eApply \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/readme-ibm-business-automation-workflow-containers-25000-interim-fixes\"\u003e25.0.0-IF003\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Business Automation Workflow containers\u003c/td\u003e\u003ctd\u003eV24.0.1 - V24.0.1-IF005\u003c/td\u003e\u003ctd\u003eApply \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/node/7183042\"\u003e24.0.1-IF006\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Business Automation Workflow containers\u003c/td\u003e\u003ctd\u003eV24.0.0 - V24.0.0-IF006\u003c/td\u003e\u003ctd\u003eApply \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/node/7159792\"\u003e24.0.0-IF007\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cbr\u003e"
}
],
"value": "Affected Product(s)Version(s)Remediation / FixIBM Business Automation Workflow containersV25.0.0 - V25.0.0-IF002Apply 25.0.0-IF003 https://www.ibm.com/support/pages/readme-ibm-business-automation-workflow-containers-25000-interim-fixes IBM Business Automation Workflow containersV24.0.1 - V24.0.1-IF005Apply 24.0.1-IF006 https://www.ibm.com/support/pages/node/7183042 IBM Business Automation Workflow containersV24.0.0 - V24.0.0-IF006Apply 24.0.0-IF007 https://www.ibm.com/support/pages/node/7159792"
}
],
"title": "Multiple security vulnerabilities are addressed in IBM Business Automation Workflow Containers fixes December 2025",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36058",
"datePublished": "2026-01-20T15:09:07.082Z",
"dateReserved": "2025-04-15T21:16:11.325Z",
"dateUpdated": "2026-01-20T15:53:20.326Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-36054 (GCVE-0-2025-36054)
Vulnerability from nvd – Published: 2025-11-06 14:11 – Updated: 2025-11-06 14:32
Title
Cross-site scripting vulnerability affect IBM Business Automation Workflow Process Federation Server -
Summary
IBM Business Automation Workflow containers 24.0.0 through 24.0.0-IF006, 24.0.1 through 24.0.1-IF004, 25.0.0 through 25.0.0-IF001 and IBM Business Automation Workflow traditional with Process Federation Server 24.0.0 through 24.0.1 and 25.0.0 are vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Severity
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
ibm
References
| URL | Tags |
|---|---|
| https://www.ibm.com/support/pages/node/7250261 | vendor-advisory, patch |
Impacted products
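| Vendor | Product | Version |
|---|---|---|
| IBM | Business Automation Workflow containers | Affected: 24.0.0, ≤ 24.0.0-IF006 (semver) |
| IBM | Business Automation Workflow containers | Affected: 24.0.1, ≤ 24.0.1-IF004 (semver) |
| IBM | Business Automation Workflow containers | Affected: 25.0.0, ≤ 25.0.0-IF001 (semver) |
| IBM | Business Automation Workflow traditional with Process Federation Server | Affected: 24.0.0, ≤ 24.0.1 (semver) |
| IBM | Business Automation Workflow traditional with Process Federation Server | Affected: 25.0.0 |

CPEs:
- cpe:2.3:a:ibm:business_automation_workflow:24.0.0:*:*:*:containers:*:*:*
- cpe:2.3:a:ibm:business_automation_workflow:24.0.0:if006:*:*:containers:*:*:*
- cpe:2.3:a:ibm:business_automation_workflow:24.0.1:*:*:*:containers:*:*:*
- cpe:2.3:a:ibm:business_automation_workflow:24.0.1:if004:*:*:containers:*:*:*
- cpe:2.3:a:ibm:business_automation_workflow:25.0.0:*:*:*:containers:*:*:*
- cpe:2.3:a:ibm:business_automation_workflow:25.0.0:if001:*:*:containers:*:*:*
- cpe:2.3:a:ibm:business_automation_workflow:24.0.0:*:*:*:traditional:*:*:*
- cpe:2.3:a:ibm:business_automation_workflow:24.0.1:*:*:*:traditional:*:*:*
- cpe:2.3:a:ibm:business_automation_workflow:25.0.0:*:*:*:traditional:*:*:*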
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36054",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-06T14:31:58.235944Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-06T14:32:53.254Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:business_automation_workflow:24.0.0:*:*:*:containers:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow:24.0.0:if006:*:*:containers:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow:24.0.1:*:*:*:containers:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow:24.0.1:if004:*:*:containers:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow:25.0.0:*:*:*:containers:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow:25.0.0:if001:*:*:containers:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Business Automation Workflow containers",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "24.0.0-IF006",
"status": "affected",
"version": "24.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "24.0.1-IF004",
"status": "affected",
"version": "24.0.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "25.0.0-IF001",
"status": "affected",
"version": "25.0.0",
"versionType": "semver"
}
]
},
{
"cpes": [
"cpe:2.3:a:ibm:business_automation_workflow:24.0.0:*:*:*:traditional:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow:24.0.1:*:*:*:traditional:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow:25.0.0:*:*:*:traditional:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Business Automation Workflow traditional with Process Federation Server",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "24.0.1",
"status": "affected",
"version": "24.0.0",
"versionType": "semver"
},
{
"status": "affected",
"version": "25.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Business Automation Workflow containers 24.0.0 through 24.0.0-IF006, 24.0.1 through 24.0.1-IF004, 25.0.0 through 25.0.0-IF001 and IBM Business Automation Workflow traditional with Process Federation Server 24.0.0 through 24.0.1 and 25.0.0 are vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.\u003c/p\u003e"
}
],
"value": "IBM Business Automation Workflow containers 24.0.0 through 24.0.0-IF006, 24.0.1 through 24.0.1-IF004, 25.0.0 through 25.0.0-IF001 and IBM Business Automation Workflow traditional with Process Federation Server 24.0.0 through 24.0.1 and 25.0.0 are vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-06T14:11:49.396Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7250261"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eRemediation/Fixes Affected Product(s) Version(s) Remediation / Fix IBM Business Automation Workflow containers V25.0.0 - V25.0.0-IF001 V24.0.1 - V24.0.1-IF004 V24.0.0 - V24.0.0-IF006 Apply 25.0.0-IF002 or Apply 24.0.1-IF005 or Apply 24.0.0-IF007 IBM Business Automation Workflow traditional with Process Federation Server V25.0.0 V24.0.0 - V24.0.1 earlier unsupported releases Apply DT443492 IBM Business Automation Workflow traditional and containers earlier unsupported releases For earlier and unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product.\u003c/p\u003e"
}
],
"value": "Remediation/Fixes Affected Product(s) Version(s) Remediation / Fix IBM Business Automation Workflow containers V25.0.0 - V25.0.0-IF001 V24.0.1 - V24.0.1-IF004 V24.0.0 - V24.0.0-IF006 Apply 25.0.0-IF002 or Apply 24.0.1-IF005 or Apply 24.0.0-IF007 IBM Business Automation Workflow traditional with Process Federation Server V25.0.0 V24.0.0 - V24.0.1 earlier unsupported releases Apply DT443492 IBM Business Automation Workflow traditional and containers earlier unsupported releases For earlier and unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Cross-site scripting vulnerability affect IBM Business Automation Workflow Process Federation Server -",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36054",
"datePublished": "2025-11-06T14:11:49.396Z",
"dateReserved": "2025-04-15T21:16:11.324Z",
"dateUpdated": "2025-11-06T14:32:53.254Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-36058 (GCVE-0-2025-36058)
Vulnerability from cvelistv5 – Published: 2026-01-20 15:09 – Updated: 2026-01-20 15:53
Title
Multiple security vulnerabilities are addressed in IBM Business Automation Workflow Containers fixes December 2025
Summary
IBM Business Automation Workflow containers 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 006. IBM Cloud Pak for Business Automation and IBM Business Automation Workflow containers may disclose sensitive configuration information in a config map.
Severity
5.5 (Medium)
CWE
- CWE-538 - Insertion of Sensitive Information into Externally-Accessible File or Directory
Assigner
ibm
References
| URL | Tags |
|---|---|
| https://www.ibm.com/support/pages/node/7256777 | vendor-advisory, patch |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| IBM | Business Automation Workflow containers | Affected: 25.0.0, ≤ 25.0.0 Interim Fix 002 (semver) |
| IBM | Business Automation Workflow containers | Affected: 24.0.1, ≤ 24.0.1 Interim Fix 005 (semver) |
| IBM | Business Automation Workflow containers | Affected: 24.0.0, ≤ 24.0.0 Interim Fix 006 (semver) |

CPEs:
- cpe:2.3:a:ibm:business_automation_workflow_containers:25.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_automation_workflow_containers:25.0.0:interim_fix_002:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.1:interim_fix_005:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.0:interim_fix_006:*:*:*:*:*:*
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36058",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T15:53:03.007740Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T15:53:20.326Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:business_automation_workflow_containers:25.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow_containers:25.0.0:interim_fix_002:*:*:*:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.1:interim_fix_005:*:*:*:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.0:interim_fix_006:*:*:*:*:*:*"
],
"product": "Business Automation Workflow containers",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "25.0.0 Interim Fix 002",
"status": "affected",
"version": "25.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "24.0.1 Interim Fix 005",
"status": "affected",
"version": "24.0.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "24.0.0 Interim Fix 006",
"status": "affected",
"version": "24.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Business Automation Workflow containers 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 006. IBM Cloud Pak for Business Automation and IBM Business Automation Workflow containers may disclose sensitve configuration information in a config map.\u003c/p\u003e"
}
],
"value": "IBM Business Automation Workflow containers 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 006. IBM Cloud Pak for Business Automation and IBM Business Automation Workflow containers may disclose sensitve configuration information in a config map."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-538",
"description": "CWE-538 Insertion of Sensitive Information into Externally-Accessible File or Directory",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T15:09:18.288Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7256777"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cbr\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eAffected Product(s)\u003c/th\u003e\u003cth\u003eVersion(s)\u003c/th\u003e\u003cth\u003eRemediation / Fix\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eIBM Business Automation Workflow containers\u003c/td\u003e\u003ctd\u003eV25.0.0 - V25.0.0-IF002\u003c/td\u003e\u003ctd\u003eApply \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/readme-ibm-business-automation-workflow-containers-25000-interim-fixes\"\u003e25.0.0-IF003\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Business Automation Workflow containers\u003c/td\u003e\u003ctd\u003eV24.0.1 - V24.0.1-IF005\u003c/td\u003e\u003ctd\u003eApply \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/node/7183042\"\u003e24.0.1-IF006\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Business Automation Workflow containers\u003c/td\u003e\u003ctd\u003eV24.0.0 - V24.0.0-IF006\u003c/td\u003e\u003ctd\u003eApply \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/node/7159792\"\u003e24.0.0-IF007\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cbr\u003e"
}
],
"value": "Affected Product(s)Version(s)Remediation / FixIBM Business Automation Workflow containersV25.0.0 - V25.0.0-IF002Apply 25.0.0-IF003 https://www.ibm.com/support/pages/readme-ibm-business-automation-workflow-containers-25000-interim-fixes IBM Business Automation Workflow containersV24.0.1 - V24.0.1-IF005Apply 24.0.1-IF006 https://www.ibm.com/support/pages/node/7183042 IBM Business Automation Workflow containersV24.0.0 - V24.0.0-IF006Apply 24.0.0-IF007 https://www.ibm.com/support/pages/node/7159792"
}
],
"title": "Multiple security vulnerabilities are addressed in IBM Business Automation Workflow Containers fixes December 2025",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36058",
"datePublished": "2026-01-20T15:09:07.082Z",
"dateReserved": "2025-04-15T21:16:11.325Z",
"dateUpdated": "2026-01-20T15:53:20.326Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-36059 (GCVE-0-2025-36059)
Vulnerability from cvelistv5 – Published: 2026-01-20 15:07 – Updated: 2026-01-20 15:54
Title
Multiple security vulnerabilities are addressed in IBM Business Automation Workflow Containers fixes December 2025
Summary
IBM Business Automation Workflow containers 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 006. IBM Cloud Pak for Business Automation could allow a local user with access to the container to execute OS system calls.
Severity
4.7 (Medium)
CWE
- CWE-250 - Execution with Unnecessary Privileges
Assigner
ibm
References
| URL | Tags |
|---|---|
| https://www.ibm.com/support/pages/node/7256777 | vendor-advisory, patch |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| IBM | Business Automation Workflow containers | Affected: 25.0.0, ≤ 25.0.0 Interim Fix 002 (semver) |
| IBM | Business Automation Workflow containers | Affected: 24.0.1, ≤ 24.0.1 Interim Fix 005 (semver) |
| IBM | Business Automation Workflow containers | Affected: 24.0.0, ≤ 24.0.0 Interim Fix 006 (semver) |

CPEs:
- cpe:2.3:a:ibm:business_automation_workflow_containers:25.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_automation_workflow_containers:25.0.0:interim_fix_002:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.1:interim_fix_005:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.0:interim_fix_006:*:*:*:*:*:*
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36059",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T15:54:23.071587Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T15:54:41.357Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:business_automation_workflow_containers:25.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow_containers:25.0.0:interim_fix_002:*:*:*:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.1:interim_fix_005:*:*:*:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow_containers:24.0.0:interim_fix_006:*:*:*:*:*:*"
],
"product": "Business Automation Workflow containers",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "25.0.0 Interim Fix 002",
"status": "affected",
"version": "25.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "24.0.1 Interim Fix 005",
"status": "affected",
"version": "24.0.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "24.0.0 Interim Fix 006",
"status": "affected",
"version": "24.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Business Automation Workflow containers 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 006. IBM Cloud Pak for Business Automation could allow a local user with access to the container to execute OS system calls.\u003c/p\u003e"
}
],
"value": "IBM Business Automation Workflow containers 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 006. IBM Cloud Pak for Business Automation could allow a local user with access to the container to execute OS system calls."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-250",
"description": "CWE-250 Execution with Unnecessary Privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T15:07:46.448Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7256777"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cbr\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eAffected Product(s)\u003c/th\u003e\u003cth\u003eVersion(s)\u003c/th\u003e\u003cth\u003eRemediation / Fix\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eIBM Business Automation Workflow containers\u003c/td\u003e\u003ctd\u003eV25.0.0 - V25.0.0-IF002\u003c/td\u003e\u003ctd\u003eApply \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/readme-ibm-business-automation-workflow-containers-25000-interim-fixes\"\u003e25.0.0-IF003\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Business Automation Workflow containers\u003c/td\u003e\u003ctd\u003eV24.0.1 - V24.0.1-IF005\u003c/td\u003e\u003ctd\u003eApply \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/node/7183042\"\u003e24.0.1-IF006\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Business Automation Workflow containers\u003c/td\u003e\u003ctd\u003eV24.0.0 - V24.0.0-IF006\u003c/td\u003e\u003ctd\u003eApply \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/node/7159792\"\u003e24.0.0-IF007\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cbr\u003e"
}
],
"value": "Affected Product(s)Version(s)Remediation / FixIBM Business Automation Workflow containersV25.0.0 - V25.0.0-IF002Apply 25.0.0-IF003 https://www.ibm.com/support/pages/readme-ibm-business-automation-workflow-containers-25000-interim-fixes IBM Business Automation Workflow containersV24.0.1 - V24.0.1-IF005Apply 24.0.1-IF006 https://www.ibm.com/support/pages/node/7183042 IBM Business Automation Workflow containersV24.0.0 - V24.0.0-IF006Apply 24.0.0-IF007 https://www.ibm.com/support/pages/node/7159792"
}
],
"title": "Multiple security vulnerabilities are addressed in IBM Business Automation Workflow Containers fixes December 2025",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36059",
"datePublished": "2026-01-20T15:07:46.448Z",
"dateReserved": "2025-04-15T21:16:11.325Z",
"dateUpdated": "2026-01-20T15:54:41.357Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-36054 (GCVE-0-2025-36054)
Vulnerability from cvelistv5 – Published: 2025-11-06 14:11 – Updated: 2025-11-06 14:32
Title
Cross-site scripting vulnerability affect IBM Business Automation Workflow Process Federation Server -
Summary
IBM Business Automation Workflow containers 24.0.0 through 24.0.0-IF006, 24.0.1 through 24.0.1-IF004, 25.0.0 through 25.0.0-IF001 and IBM Business Automation Workflow traditional with Process Federation Server 24.0.0 through 24.0.1 and 25.0.0 are vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Severity
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Impacted products
| Vendor | Product | Version |
|---|---|---|
| IBM | Business Automation Workflow containers | Affected: 24.0.0, ≤ 24.0.0-IF006 (semver); Affected: 24.0.1, ≤ 24.0.1-IF004 (semver); Affected: 25.0.0, ≤ 25.0.0-IF001 (semver) |

- `cpe:2.3:a:ibm:business_automation_workflow:24.0.0:*:*:*:containers:*:*:*`
- `cpe:2.3:a:ibm:business_automation_workflow:24.0.0:if006:*:*:containers:*:*:*`
- `cpe:2.3:a:ibm:business_automation_workflow:24.0.1:*:*:*:containers:*:*:*`
- `cpe:2.3:a:ibm:business_automation_workflow:24.0.1:if004:*:*:containers:*:*:*`
- `cpe:2.3:a:ibm:business_automation_workflow:25.0.0:*:*:*:containers:*:*:*`
- `cpe:2.3:a:ibm:business_automation_workflow:25.0.0:if001:*:*:containers:*:*:*`
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36054",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-06T14:31:58.235944Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-06T14:32:53.254Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:business_automation_workflow:24.0.0:*:*:*:containers:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow:24.0.0:if006:*:*:containers:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow:24.0.1:*:*:*:containers:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow:24.0.1:if004:*:*:containers:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow:25.0.0:*:*:*:containers:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow:25.0.0:if001:*:*:containers:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Business Automation Workflow containers",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "24.0.0-IF006",
"status": "affected",
"version": "24.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "24.0.1-IF004",
"status": "affected",
"version": "24.0.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "25.0.0-IF001",
"status": "affected",
"version": "25.0.0",
"versionType": "semver"
}
]
},
{
"cpes": [
"cpe:2.3:a:ibm:business_automation_workflow:24.0.0:*:*:*:traditional:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow:24.0.1:*:*:*:traditional:*:*:*",
"cpe:2.3:a:ibm:business_automation_workflow:25.0.0:*:*:*:traditional:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Business Automation Workflow traditional with Process Federation Server",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "24.0.1",
"status": "affected",
"version": "24.0.0",
"versionType": "semver"
},
{
"status": "affected",
"version": "25.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Business Automation Workflow containers 24.0.0 through 24.0.0-IF006, 24.0.1 through 24.0.1-IF004, 25.0.0 through 25.0.0-IF001 and IBM Business Automation Workflow traditional with Process Federation Server 24.0.0 through 24.0.1 and 25.0.0 are vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.\u003c/p\u003e"
}
],
"value": "IBM Business Automation Workflow containers 24.0.0 through 24.0.0-IF006, 24.0.1 through 24.0.1-IF004, 25.0.0 through 25.0.0-IF001 and IBM Business Automation Workflow traditional with Process Federation Server 24.0.0 through 24.0.1 and 25.0.0 are vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-06T14:11:49.396Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7250261"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eRemediation/Fixes Affected Product(s) Version(s) Remediation / Fix IBM Business Automation Workflow containers V25.0.0 - V25.0.0-IF001 V24.0.1 - V24.0.1-IF004 V24.0.0 - V24.0.0-IF006 Apply 25.0.0-IF002 or Apply 24.0.1-IF005 or Apply 24.0.0-IF007 IBM Business Automation Workflow traditional with Process Federation Server V25.0.0 V24.0.0 - V24.0.1 earlier unsupported releases Apply DT443492 IBM Business Automation Workflow traditional and containers earlier unsupported releases For earlier and unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product.\u003c/p\u003e"
}
],
"value": "Remediation/Fixes Affected Product(s) Version(s) Remediation / Fix IBM Business Automation Workflow containers V25.0.0 - V25.0.0-IF001 V24.0.1 - V24.0.1-IF004 V24.0.0 - V24.0.0-IF006 Apply 25.0.0-IF002 or Apply 24.0.1-IF005 or Apply 24.0.0-IF007 IBM Business Automation Workflow traditional with Process Federation Server V25.0.0 V24.0.0 - V24.0.1 earlier unsupported releases Apply DT443492 IBM Business Automation Workflow traditional and containers earlier unsupported releases For earlier and unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Cross-site scripting vulnerability affect IBM Business Automation Workflow Process Federation Server -",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36054",
"datePublished": "2025-11-06T14:11:49.396Z",
"dateReserved": "2025-04-15T21:16:11.324Z",
"dateUpdated": "2025-11-06T14:32:53.254Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}