Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2026-AVI-0292
Vulnerability from certfr_avis - Published: 2026-03-13 - Updated: 2026-03-13
De multiples vulnérabilités ont été découvertes dans les produits IBM. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et une atteinte à la confidentialité des données.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| IBM | WebSphere Service Registry and Repository | WebSphere Service Registry and Repository versions 8.5 antérieures à 8.5.5.30 | ||
| IBM | Sterling Control Center | Sterling Control Center versions 6.4.1 antérieures à 6.4.1.0 iFix01 | ||
| IBM | Sterling Control Center | Sterling Control Center versions 6.3.x antérieures à 6.3.1.0 iFix06 | ||
| IBM | N/A | Sterling Secure Proxy versions 6.2.0 antérieures à 6.2.0.3 GA | ||
| IBM | Sterling Partner Engagement Manager Standard Edition | Sterling Partner Engagement Manager Standard Edition versions 6.2.3 antérieures à 6.2.3.6 | ||
| IBM | N/A | Sterling Secure Proxy versions 6.2.1 antérieures à 6.2.1.2 GA | ||
| IBM | N/A | Sterling Secure Proxy versions 6.1.0 antérieures à 6.1.0.3 GA | ||
| IBM | Sterling Partner Engagement Manager Essentials Edition | Sterling Partner Engagement Manager Essentials Edition versions 6.2.3 antérieures à 6.2.3.6 | ||
| IBM | Sterling Partner Engagement Manager Standard Edition | Sterling Partner Engagement Manager Standard Edition versions 6.2.4 antérieures à 6.2.4.3 | ||
| IBM | Sterling Partner Engagement Manager Essentials Edition | Sterling Partner Engagement Manager Essentials Edition versions 6.2.4 antérieures à 6.2.4.3 | ||
| IBM | Sterling Control Center | Sterling Control Center versions 6.4.0 antérieures à 6.4.0.0 iFix02 |
References
| Title | Publication Time | Tags | ||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "WebSphere Service Registry and Repository versions 8.5 ant\u00e9rieures \u00e0 8.5.5.30",
"product": {
"name": "WebSphere Service Registry and Repository",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Sterling Control Center versions 6.4.1 ant\u00e9rieures \u00e0 6.4.1.0 iFix01",
"product": {
"name": "Sterling Control Center",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Sterling Control Center versions 6.3.x ant\u00e9rieures \u00e0 6.3.1.0 iFix06",
"product": {
"name": "Sterling Control Center",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Sterling Secure Proxy versions 6.2.0 ant\u00e9rieures \u00e0 6.2.0.3 GA",
"product": {
"name": "N/A",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Sterling Partner Engagement Manager Standard Edition versions 6.2.3 ant\u00e9rieures \u00e0 6.2.3.6",
"product": {
"name": "Sterling Partner Engagement Manager Standard Edition",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Sterling Secure Proxy versions 6.2.1 ant\u00e9rieures \u00e0 6.2.1.2 GA",
"product": {
"name": "N/A",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Sterling Secure Proxy versions 6.1.0 ant\u00e9rieures \u00e0 6.1.0.3 GA",
"product": {
"name": "N/A",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Sterling Partner Engagement Manager Essentials Edition versions 6.2.3 ant\u00e9rieures \u00e0 6.2.3.6",
"product": {
"name": "Sterling Partner Engagement Manager Essentials Edition",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Sterling Partner Engagement Manager Standard Edition versions 6.2.4 ant\u00e9rieures \u00e0 6.2.4.3",
"product": {
"name": "Sterling Partner Engagement Manager Standard Edition",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Sterling Partner Engagement Manager Essentials Edition versions 6.2.4 ant\u00e9rieures \u00e0 6.2.4.3",
"product": {
"name": "Sterling Partner Engagement Manager Essentials Edition",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Sterling Control Center versions 6.4.0 ant\u00e9rieures \u00e0 6.4.0.0 iFix02",
"product": {
"name": "Sterling Control Center",
"vendor": {
"name": "IBM",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-13718",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-13718"
},
{
"name": "CVE-2025-5115",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-5115"
},
{
"name": "CVE-2025-41248",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-41248"
},
{
"name": "CVE-2025-50106",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-50106"
},
{
"name": "CVE-2019-13990",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-13990"
},
{
"name": "CVE-2025-30754",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-30754"
},
{
"name": "CVE-2016-1000338",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-1000338"
},
{
"name": "CVE-2025-13726",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-13726"
},
{
"name": "CVE-2025-12383",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-12383"
},
{
"name": "CVE-2016-1000342",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-1000342"
},
{
"name": "CVE-2021-33813",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-33813"
},
{
"name": "CVE-2025-13723",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-13723"
},
{
"name": "CVE-2025-48976",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-48976"
},
{
"name": "CVE-2022-24785",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24785"
},
{
"name": "CVE-2025-50059",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-50059"
},
{
"name": "CVE-2025-30761",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-30761"
},
{
"name": "CVE-2025-13702",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-13702"
},
{
"name": "CVE-2023-46233",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-46233"
},
{
"name": "CVE-2015-5922",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-5922"
},
{
"name": "CVE-2022-34169",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-34169"
},
{
"name": "CVE-2022-25881",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-25881"
},
{
"name": "CVE-2016-1000340",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-1000340"
},
{
"name": "CVE-2025-30749",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-30749"
},
{
"name": "CVE-2025-41249",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-41249"
},
{
"name": "CVE-2025-53057",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-53057"
},
{
"name": "CVE-2025-14811",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-14811"
},
{
"name": "CVE-2025-53066",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-53066"
},
{
"name": "CVE-2025-48734",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-48734"
}
],
"initial_release_date": "2026-03-13T00:00:00",
"last_revision_date": "2026-03-13T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0292",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-03-13T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits IBM. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0 distance et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
"vendor_advisories": [
{
"published_at": "2026-03-09",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7262893",
"url": "https://www.ibm.com/support/pages/node/7262893"
},
{
"published_at": "2026-03-10",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7263064",
"url": "https://www.ibm.com/support/pages/node/7263064"
},
{
"published_at": "2026-03-10",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7263063",
"url": "https://www.ibm.com/support/pages/node/7263063"
},
{
"published_at": "2026-03-10",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7263065",
"url": "https://www.ibm.com/support/pages/node/7263065"
},
{
"published_at": "2026-03-10",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7263060",
"url": "https://www.ibm.com/support/pages/node/7263060"
},
{
"published_at": "2026-03-12",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7263391",
"url": "https://www.ibm.com/support/pages/node/7263391"
},
{
"published_at": "2026-03-10",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7263061",
"url": "https://www.ibm.com/support/pages/node/7263061"
},
{
"published_at": "2026-03-09",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7262894",
"url": "https://www.ibm.com/support/pages/node/7262894"
},
{
"published_at": "2026-03-11",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7263211",
"url": "https://www.ibm.com/support/pages/node/7263211"
},
{
"published_at": "2026-03-10",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7263059",
"url": "https://www.ibm.com/support/pages/node/7263059"
}
]
}
CVE-2025-12383 (GCVE-0-2025-12383)
Vulnerability from cvelistv5 – Published: 2025-11-18 15:14 – Updated: 2025-11-18 21:34
VLAI
EPSS
Title
Race Condition allows Bypass of Trust Restrictions
Summary
In Eclipse Jersey versions 2.45, 3.0.16, 3.1.9 a race condition can cause ignoring of critical SSL configurations - such as mutual authentication, custom key/trust stores, and other security settings. This issue may result in SSLHandshakeException under normal circumstances, but under certain conditions, it could lead to unauthorized trust in insecure servers (see PoC)
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Eclipse Foundation | Jersey |
Affected:
2.45
Affected: 3.0.16 Affected: 3.1.9 |
Credits
Dimitri Tenenbaum
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12383",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-18T21:34:28.248675Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T21:34:35.027Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Jersey",
"repo": "https://github.com/eclipse-ee4j/jersey",
"vendor": "Eclipse Foundation",
"versions": [
{
"status": "affected",
"version": "2.45"
},
{
"status": "affected",
"version": "3.0.16"
},
{
"status": "affected",
"version": "3.1.9"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dimitri Tenenbaum"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Eclipse Jersey versions 2.45, 3.0.16, 3.1.9 a race condition can cause ignoring of critical SSL configurations - such as mutual authentication, custom key/trust stores, and other security settings. This issue may result in SSLHandshakeException under normal circumstances, but under certain conditions, it could lead to unauthorized trust in insecure servers (see PoC)"
}
],
"value": "In Eclipse Jersey versions 2.45, 3.0.16, 3.1.9 a race condition can cause ignoring of critical SSL configurations - such as mutual authentication, custom key/trust stores, and other security settings. This issue may result in SSLHandshakeException under normal circumstances, but under certain conditions, it could lead to unauthorized trust in insecure servers (see PoC)"
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T15:14:37.765Z",
"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
"shortName": "eclipse"
},
"references": [
{
"url": "https://gitlab.eclipse.org/security/cve-assignment/-/issues/74"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Race Condition allows Bypass of Trust Restrictions",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
"assignerShortName": "eclipse",
"cveId": "CVE-2025-12383",
"datePublished": "2025-11-18T15:14:37.765Z",
"dateReserved": "2025-10-28T10:21:45.989Z",
"dateUpdated": "2025-11-18T21:34:35.027Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13702 (GCVE-0-2025-13702)
Vulnerability from cvelistv5 – Published: 2026-03-13 18:33 – Updated: 2026-05-10 13:50
VLAI
EPSS
Title
IBM Sterling Partner Engagement Manager Cross-Site Scripting
Summary
IBM Sterling Partner Engagement Manager 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Severity
6.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.ibm.com/support/pages/node/7263391 | vendor-advisorypatch |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| IBM | Sterling Partner Engagement Manager |
Affected:
6.2.3.0 , ≤ 6.2.3.5
(semver)
Affected: 6.2.4.0 , ≤ 6.2.4.2 (semver) cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.3.0:*:*:*:standard:*:*:* cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.3.5:*:*:*:standard:*:*:* cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.4.0:*:*:*:standard:*:*:* cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.4.2:*:*:*:standard:*:*:* cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.3.0:*:*:*:essentials:*:*:* cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.3.5:*:*:*:essentials:*:*:* cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.4.0:*:*:*:essentials:*:*:* cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.4.2:*:*:*:essentials:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13702",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-13T19:35:30.711827Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-10T13:50:08.872Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.3.0:*:*:*:standard:*:*:*",
"cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.3.5:*:*:*:standard:*:*:*",
"cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.4.0:*:*:*:standard:*:*:*",
"cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.4.2:*:*:*:standard:*:*:*",
"cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.3.0:*:*:*:essentials:*:*:*",
"cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.3.5:*:*:*:essentials:*:*:*",
"cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.4.0:*:*:*:essentials:*:*:*",
"cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.4.2:*:*:*:essentials:*:*:*"
],
"product": "Sterling Partner Engagement Manager",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "6.2.3.5",
"status": "affected",
"version": "6.2.3.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.4.2",
"status": "affected",
"version": "6.2.4.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Sterling Partner Engagement Manager 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.\u003c/p\u003e"
}
],
"value": "IBM Sterling Partner Engagement Manager 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-13T18:33:12.740Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7263391"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eRemediation/Fixes IBM strongly recommends addressing the vulnerability now by upgrading, Product(s) Affected Version Range Remediated Version Instructions / Download IBM Sterling Partner Engagement Manager Essentials Edition 6.2.3.0 \u2013 6.2.3.5 6.2.3.6 Download 6.2.3.6 IBM Sterling Partner Engagement Manager Essentials Edition 6.2.4.0 \u2013 6.2.4.2 6.2.4.3 Download 6.2.4.3 IBM Sterling Partner Engagement Manager Standard Edition 6.2.3.0 \u2013 6.2.3.5 6.2.3.6 Download 6.2.3.6 IBM Sterling Partner Engagement Manager Standard Edition 6.2.4.0 \u2013 6.2.4.2 6.2.4.3 Download 6.2.4.3\u003c/p\u003e"
}
],
"value": "Remediation/Fixes IBM strongly recommends addressing the vulnerability now by upgrading, Product(s) Affected Version Range Remediated Version Instructions / Download IBM Sterling Partner Engagement Manager Essentials Edition 6.2.3.0 \u2013 6.2.3.5 6.2.3.6 Download 6.2.3.6 IBM Sterling Partner Engagement Manager Essentials Edition 6.2.4.0 \u2013 6.2.4.2 6.2.4.3 Download 6.2.4.3 IBM Sterling Partner Engagement Manager Standard Edition 6.2.3.0 \u2013 6.2.3.5 6.2.3.6 Download 6.2.3.6 IBM Sterling Partner Engagement Manager Standard Edition 6.2.4.0 \u2013 6.2.4.2 6.2.4.3 Download 6.2.4.3"
}
],
"title": "IBM Sterling Partner Engagement Manager Cross-Site Scripting",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-13702",
"datePublished": "2026-03-13T18:33:12.740Z",
"dateReserved": "2025-11-25T21:44:06.902Z",
"dateUpdated": "2026-05-10T13:50:08.872Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13718 (GCVE-0-2025-13718)
Vulnerability from cvelistv5 – Published: 2026-03-13 18:33 – Updated: 2026-03-13 19:35
VLAI
EPSS
Title
IBM Sterling Partner Engagement Manager Information Disclosure
Summary
IBM Sterling Partner Engagement Manager 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 could allow a remote attacker to obtain sensitive information in cleartext in a communication channel that can be sniffed by unauthorized actors.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-319 - Cleartext Transmission of Sensitive Information
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.ibm.com/support/pages/node/7263391 | vendor-advisorypatch |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| IBM | Sterling Partner Engagement Manager |
Affected:
6.2.3.0 , ≤ 6.2.3.5
(semver)
Affected: 6.2.4.0 , ≤ 6.2.4.2 (semver) cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.3.0:*:*:*:standard:*:*:* cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.3.5:*:*:*:standard:*:*:* cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.4.0:*:*:*:standard:*:*:* cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.4.2:*:*:*:standard:*:*:* cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.3.0:*:*:*:essentials:*:*:* cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.3.5:*:*:*:essentials:*:*:* cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.4.0:*:*:*:essentials:*:*:* cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.4.2:*:*:*:essentials:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13718",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-13T19:35:02.981039Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-13T19:35:14.971Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.3.0:*:*:*:standard:*:*:*",
"cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.3.5:*:*:*:standard:*:*:*",
"cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.4.0:*:*:*:standard:*:*:*",
"cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.4.2:*:*:*:standard:*:*:*",
"cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.3.0:*:*:*:essentials:*:*:*",
"cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.3.5:*:*:*:essentials:*:*:*",
"cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.4.0:*:*:*:essentials:*:*:*",
"cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.4.2:*:*:*:essentials:*:*:*"
],
"product": "Sterling Partner Engagement Manager",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "6.2.3.5",
"status": "affected",
"version": "6.2.3.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.4.2",
"status": "affected",
"version": "6.2.4.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Sterling Partner Engagement Manager 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 could allow a remote attacker to obtain sensitive information in cleartext in a communication channel that can be sniffed by unauthorized actors.\u003c/p\u003e"
}
],
"value": "IBM Sterling Partner Engagement Manager 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 could allow a remote attacker to obtain sensitive information in cleartext in a communication channel that can be sniffed by unauthorized actors."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-319",
"description": "CWE-319 Cleartext Transmission of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-13T18:33:07.785Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7263391"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eRemediation/Fixes IBM strongly recommends addressing the vulnerability now by upgrading, Product(s) Affected Version Range Remediated Version Instructions / Download IBM Sterling Partner Engagement Manager Essentials Edition 6.2.3.0 \u2013 6.2.3.5 6.2.3.6 Download 6.2.3.6 IBM Sterling Partner Engagement Manager Essentials Edition 6.2.4.0 \u2013 6.2.4.2 6.2.4.3 Download 6.2.4.3 IBM Sterling Partner Engagement Manager Standard Edition 6.2.3.0 \u2013 6.2.3.5 6.2.3.6 Download 6.2.3.6 IBM Sterling Partner Engagement Manager Standard Edition 6.2.4.0 \u2013 6.2.4.2 6.2.4.3 Download 6.2.4.3\u003c/p\u003e"
}
],
"value": "Remediation/Fixes IBM strongly recommends addressing the vulnerability now by upgrading, Product(s) Affected Version Range Remediated Version Instructions / Download IBM Sterling Partner Engagement Manager Essentials Edition 6.2.3.0 \u2013 6.2.3.5 6.2.3.6 Download 6.2.3.6 IBM Sterling Partner Engagement Manager Essentials Edition 6.2.4.0 \u2013 6.2.4.2 6.2.4.3 Download 6.2.4.3 IBM Sterling Partner Engagement Manager Standard Edition 6.2.3.0 \u2013 6.2.3.5 6.2.3.6 Download 6.2.3.6 IBM Sterling Partner Engagement Manager Standard Edition 6.2.4.0 \u2013 6.2.4.2 6.2.4.3 Download 6.2.4.3"
}
],
"title": "IBM Sterling Partner Engagement Manager Information Disclosure",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-13718",
"datePublished": "2026-03-13T18:33:07.785Z",
"dateReserved": "2025-11-25T22:03:39.987Z",
"dateUpdated": "2026-03-13T19:35:14.971Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13723 (GCVE-0-2025-13723)
Vulnerability from cvelistv5 – Published: 2026-03-13 18:32 – Updated: 2026-03-13 19:34
VLAI
EPSS
Title
IBM Sterling Partner Engagement Manager Information Disclosure
Summary
IBM Sterling Partner Engagement Manager 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 could allow an attacker to obtain sensitive user information using an expired access token
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-324 - Use of a Key Past its Expiration Date
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.ibm.com/support/pages/node/7263391 | vendor-advisorypatch |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| IBM | Sterling Partner Engagement Manager |
Affected:
6.2.3.0 , ≤ 6.2.3.5
(semver)
Affected: 6.2.4.0 , ≤ 6.2.4.2 (semver) cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.3.0:*:*:*:standard:*:*:* cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.3.5:*:*:*:standard:*:*:* cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.4.0:*:*:*:standard:*:*:* cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.4.2:*:*:*:standard:*:*:* cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.3.0:*:*:*:essentials:*:*:* cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.3.5:*:*:*:essentials:*:*:* cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.4.0:*:*:*:essentials:*:*:* cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.4.2:*:*:*:essentials:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13723",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-13T19:34:40.654031Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-13T19:34:50.670Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.3.0:*:*:*:standard:*:*:*",
"cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.3.5:*:*:*:standard:*:*:*",
"cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.4.0:*:*:*:standard:*:*:*",
"cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.4.2:*:*:*:standard:*:*:*",
"cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.3.0:*:*:*:essentials:*:*:*",
"cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.3.5:*:*:*:essentials:*:*:*",
"cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.4.0:*:*:*:essentials:*:*:*",
"cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.4.2:*:*:*:essentials:*:*:*"
],
"product": "Sterling Partner Engagement Manager",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "6.2.3.5",
"status": "affected",
"version": "6.2.3.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.4.2",
"status": "affected",
"version": "6.2.4.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Sterling Partner Engagement Manager 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 could allow an attacker to obtain sensitive user information using an expired access token\u003c/p\u003e"
}
],
"value": "IBM Sterling Partner Engagement Manager 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 could allow an attacker to obtain sensitive user information using an expired access token"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-324",
"description": "CWE-324 Use of a Key Past its Expiration Date",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-13T18:32:45.559Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7263391"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eRemediation/Fixes IBM strongly recommends addressing the vulnerability now by upgrading, Product(s) Affected Version Range Remediated Version Instructions / Download IBM Sterling Partner Engagement Manager Essentials Edition 6.2.3.0 \u2013 6.2.3.5 6.2.3.6 Download 6.2.3.6 IBM Sterling Partner Engagement Manager Essentials Edition 6.2.4.0 \u2013 6.2.4.2 6.2.4.3 Download 6.2.4.3 IBM Sterling Partner Engagement Manager Standard Edition 6.2.3.0 \u2013 6.2.3.5 6.2.3.6 Download 6.2.3.6 IBM Sterling Partner Engagement Manager Standard Edition 6.2.4.0 \u2013 6.2.4.2 6.2.4.3 Download 6.2.4.3\u003c/p\u003e"
}
],
"value": "Remediation/Fixes IBM strongly recommends addressing the vulnerability now by upgrading, Product(s) Affected Version Range Remediated Version Instructions / Download IBM Sterling Partner Engagement Manager Essentials Edition 6.2.3.0 \u2013 6.2.3.5 6.2.3.6 Download 6.2.3.6 IBM Sterling Partner Engagement Manager Essentials Edition 6.2.4.0 \u2013 6.2.4.2 6.2.4.3 Download 6.2.4.3 IBM Sterling Partner Engagement Manager Standard Edition 6.2.3.0 \u2013 6.2.3.5 6.2.3.6 Download 6.2.3.6 IBM Sterling Partner Engagement Manager Standard Edition 6.2.4.0 \u2013 6.2.4.2 6.2.4.3 Download 6.2.4.3"
}
],
"title": "IBM Sterling Partner Engagement Manager Information Disclosure",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-13723",
"datePublished": "2026-03-13T18:32:45.559Z",
"dateReserved": "2025-11-25T22:23:37.869Z",
"dateUpdated": "2026-03-13T19:34:50.670Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13726 (GCVE-0-2025-13726)
Vulnerability from cvelistv5 – Published: 2026-03-13 18:26 – Updated: 2026-03-13 19:33
VLAI
EPSS
Title
IBM Sterling Partner Engagement Manager Information Disclosure
Summary
IBM Sterling Partner Engagement Manager 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 could allow a remote attacker to obtain sensitive information when detailed technical error messages are returned. This information could be used in further attacks against the system.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-209 - Generation of Error Message Containing Sensitive Information
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.ibm.com/support/pages/node/7263391 | vendor-advisorypatch |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| IBM | Sterling Partner Engagement Manager |
Affected:
6.2.3.0 , ≤ 6.2.3.5
(semver)
Affected: 6.2.4.0 , ≤ 6.2.4.2 (semver) cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.3.0:*:*:*:standard:*:*:* cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.3.5:*:*:*:standard:*:*:* cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.4.0:*:*:*:standard:*:*:* cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.4.2:*:*:*:standard:*:*:* cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.3.0:*:*:*:essentials:*:*:* cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.3.5:*:*:*:essentials:*:*:* cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.4.0:*:*:*:essentials:*:*:* cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.4.2:*:*:*:essentials:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13726",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-13T19:33:04.414024Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-13T19:33:11.395Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.3.0:*:*:*:standard:*:*:*",
"cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.3.5:*:*:*:standard:*:*:*",
"cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.4.0:*:*:*:standard:*:*:*",
"cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.4.2:*:*:*:standard:*:*:*",
"cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.3.0:*:*:*:essentials:*:*:*",
"cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.3.5:*:*:*:essentials:*:*:*",
"cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.4.0:*:*:*:essentials:*:*:*",
"cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.4.2:*:*:*:essentials:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Sterling Partner Engagement Manager",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "6.2.3.5",
"status": "affected",
"version": "6.2.3.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.4.2",
"status": "affected",
"version": "6.2.4.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Sterling Partner Engagement Manager 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 could allow a remote attacker to obtain sensitive information when detailed technical error messages are returned. This information could be used in further attacks against the system.\u003c/p\u003e"
}
],
"value": "IBM Sterling Partner Engagement Manager 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 could allow a remote attacker to obtain sensitive information when detailed technical error messages are returned. This information could be used in further attacks against the system."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-209",
"description": "CWE-209 Generation of Error Message Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-13T18:36:15.520Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7263391"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eRemediation/Fixes IBM strongly recommends addressing the vulnerability now by upgrading, Product(s) Affected Version Range Remediated Version Instructions / Download IBM Sterling Partner Engagement Manager Essentials Edition 6.2.3.0 \u2013 6.2.3.5 6.2.3.6 Download 6.2.3.6 IBM Sterling Partner Engagement Manager Essentials Edition 6.2.4.0 \u2013 6.2.4.2 6.2.4.3 Download 6.2.4.3 IBM Sterling Partner Engagement Manager Standard Edition 6.2.3.0 \u2013 6.2.3.5 6.2.3.6 Download 6.2.3.6 IBM Sterling Partner Engagement Manager Standard Edition 6.2.4.0 \u2013 6.2.4.2 6.2.4.3 Download 6.2.4.3\u003c/p\u003e"
}
],
"value": "Remediation/Fixes IBM strongly recommends addressing the vulnerability now by upgrading, Product(s) Affected Version Range Remediated Version Instructions / Download IBM Sterling Partner Engagement Manager Essentials Edition 6.2.3.0 \u2013 6.2.3.5 6.2.3.6 Download 6.2.3.6 IBM Sterling Partner Engagement Manager Essentials Edition 6.2.4.0 \u2013 6.2.4.2 6.2.4.3 Download 6.2.4.3 IBM Sterling Partner Engagement Manager Standard Edition 6.2.3.0 \u2013 6.2.3.5 6.2.3.6 Download 6.2.3.6 IBM Sterling Partner Engagement Manager Standard Edition 6.2.4.0 \u2013 6.2.4.2 6.2.4.3 Download 6.2.4.3"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Sterling Partner Engagement Manager Information Disclosure",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-13726",
"datePublished": "2026-03-13T18:26:34.401Z",
"dateReserved": "2025-11-25T22:33:37.887Z",
"dateUpdated": "2026-03-13T19:33:11.395Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14811 (GCVE-0-2025-14811)
Vulnerability from cvelistv5 – Published: 2026-03-13 18:22 – Updated: 2026-03-13 18:44
VLAI
EPSS
Title
IBM Sterling Partner Engagement Manager Information Disclosure
Summary
IBM Sterling Partner Engagement Manager 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 could allow an attacker to obtain sensitive information from the query string of an HTTP GET method to process a request which could be obtained using man in the middle techniques.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-598 - Use of GET Request Method With Sensitive Query Strings
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.ibm.com/support/pages/node/7263391 | vendor-advisorypatch |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| IBM | Sterling Partner Engagement Manager |
Affected:
6.2.3.0 , ≤ 6.2.3.5
(semver)
Affected: 6.2.4.0 , ≤ 6.2.4.2 (semver) cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.3.0:*:*:*:standard:*:*:* cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.3.5:*:*:*:standard:*:*:* cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.4.0:*:*:*:standard:*:*:* cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.4.2:*:*:*:standard:*:*:* cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.3.0:*:*:*:essentials:*:*:* cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.3.5:*:*:*:essentials:*:*:* cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.4.0:*:*:*:essentials:*:*:* cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.4.2:*:*:*:essentials:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14811",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-13T18:43:54.981647Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-13T18:44:03.621Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.3.0:*:*:*:standard:*:*:*",
"cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.3.5:*:*:*:standard:*:*:*",
"cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.4.0:*:*:*:standard:*:*:*",
"cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.4.2:*:*:*:standard:*:*:*",
"cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.3.0:*:*:*:essentials:*:*:*",
"cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.3.5:*:*:*:essentials:*:*:*",
"cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.4.0:*:*:*:essentials:*:*:*",
"cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.4.2:*:*:*:essentials:*:*:*"
],
"product": "Sterling Partner Engagement Manager",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "6.2.3.5",
"status": "affected",
"version": "6.2.3.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.4.2",
"status": "affected",
"version": "6.2.4.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Sterling Partner Engagement Manager 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 could allow an attacker to obtain sensitive information from the query string of an HTTP GET method to process a request which could be obtained using man in the middle techniques.\u003c/p\u003e"
}
],
"value": "IBM Sterling Partner Engagement Manager 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 could allow an attacker to obtain sensitive information from the query string of an HTTP GET method to process a request which could be obtained using man in the middle techniques."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-598",
"description": "CWE-598 Use of GET Request Method With Sensitive Query Strings",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-13T18:22:26.754Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7263391"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eRemediation/Fixes IBM strongly recommends addressing the vulnerability now by upgrading, Product(s) Affected Version Range Remediated Version Instructions / Download IBM Sterling Partner Engagement Manager Essentials Edition 6.2.3.0 \u2013 6.2.3.5 6.2.3.6 Download 6.2.3.6 IBM Sterling Partner Engagement Manager Essentials Edition 6.2.4.0 \u2013 6.2.4.2 6.2.4.3 Download 6.2.4.3 IBM Sterling Partner Engagement Manager Standard Edition 6.2.3.0 \u2013 6.2.3.5 6.2.3.6 Download 6.2.3.6 IBM Sterling Partner Engagement Manager Standard Edition 6.2.4.0 \u2013 6.2.4.2 6.2.4.3 Download 6.2.4.3\u003c/p\u003e"
}
],
"value": "Remediation/Fixes IBM strongly recommends addressing the vulnerability now by upgrading, Product(s) Affected Version Range Remediated Version Instructions / Download IBM Sterling Partner Engagement Manager Essentials Edition 6.2.3.0 \u2013 6.2.3.5 6.2.3.6 Download 6.2.3.6 IBM Sterling Partner Engagement Manager Essentials Edition 6.2.4.0 \u2013 6.2.4.2 6.2.4.3 Download 6.2.4.3 IBM Sterling Partner Engagement Manager Standard Edition 6.2.3.0 \u2013 6.2.3.5 6.2.3.6 Download 6.2.3.6 IBM Sterling Partner Engagement Manager Standard Edition 6.2.4.0 \u2013 6.2.4.2 6.2.4.3 Download 6.2.4.3"
}
],
"title": "IBM Sterling Partner Engagement Manager Information Disclosure",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-14811",
"datePublished": "2026-03-13T18:22:00.496Z",
"dateReserved": "2025-12-16T23:18:27.896Z",
"dateUpdated": "2026-03-13T18:44:03.621Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-30749 (GCVE-0-2025-30749)
Vulnerability from cvelistv5 – Published: 2025-07-15 19:27 – Updated: 2026-02-26 17:50
VLAI
EPSS
Summary
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: 2D). Supported versions that are affected are Oracle Java SE: 8u451, 8u451-perf, 11.0.27, 17.0.15, 21.0.7, 24.0.1; Oracle GraalVM for JDK: 17.0.15, 21.0.7 and 24.0.1; Oracle GraalVM Enterprise Edition: 21.3.14. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in takeover of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
Severity
8.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in takeover of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.
- CWE-noinfo Not enough information
Assigner
References
3 references
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Oracle Corporation | Oracle Java SE |
Affected:
8u451
Affected: 8u451-perf Affected: 11.0.27 Affected: 17.0.15 Affected: 21.0.7 Affected: 24.0.1 |
|
| Oracle Corporation | Oracle GraalVM for JDK |
Affected:
17.0.15
Affected: 21.0.7 Affected: 24.0.1 |
|
| Oracle Corporation | Oracle GraalVM Enterprise Edition |
Affected:
21.3.14
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30749",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-16T03:56:14.041830Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T17:50:38.968Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:47:55.947Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00014.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00011.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Oracle Java SE",
"vendor": "Oracle Corporation",
"versions": [
{
"status": "affected",
"version": "8u451"
},
{
"status": "affected",
"version": "8u451-perf"
},
{
"status": "affected",
"version": "11.0.27"
},
{
"status": "affected",
"version": "17.0.15"
},
{
"status": "affected",
"version": "21.0.7"
},
{
"status": "affected",
"version": "24.0.1"
}
]
},
{
"product": "Oracle GraalVM for JDK",
"vendor": "Oracle Corporation",
"versions": [
{
"status": "affected",
"version": "17.0.15"
},
{
"status": "affected",
"version": "21.0.7"
},
{
"status": "affected",
"version": "24.0.1"
}
]
},
{
"product": "Oracle GraalVM Enterprise Edition",
"vendor": "Oracle Corporation",
"versions": [
{
"status": "affected",
"version": "21.3.14"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:oracle:java_se:8u451:*:*:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:java_se:8u451:*:*:*:enterprise_performance:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:java_se:11.0.27:*:*:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:java_se:17.0.15:*:*:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:java_se:21.0.7:*:*:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:java_se:24.0.1:*:*:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:17.0.15:*:*:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:21.0.7:*:*:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:24.0.1:*:*:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:graalvm:21.3.14:*:*:*:enterprise:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en-US",
"value": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: 2D). Supported versions that are affected are Oracle Java SE: 8u451, 8u451-perf, 11.0.27, 17.0.15, 21.0.7, 24.0.1; Oracle GraalVM for JDK: 17.0.15, 21.0.7 and 24.0.1; Oracle GraalVM Enterprise Edition: 21.3.14. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in takeover of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in takeover of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.",
"lang": "en-US"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-15T19:27:28.680Z",
"orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"shortName": "oracle"
},
"references": [
{
"name": "Oracle Advisory",
"tags": [
"vendor-advisory"
],
"url": "https://www.oracle.com/security-alerts/cpujul2025.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"assignerShortName": "oracle",
"cveId": "CVE-2025-30749",
"datePublished": "2025-07-15T19:27:28.680Z",
"dateReserved": "2025-03-26T05:52:18.812Z",
"dateUpdated": "2026-02-26T17:50:38.968Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-30754 (GCVE-0-2025-30754)
Vulnerability from cvelistv5 – Published: 2025-07-15 19:27 – Updated: 2025-11-03 19:47
VLAI
EPSS
Summary
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE: 8u451, 8u451-perf, 11.0.27, 17.0.15, 21.0.7, 24.0.1; Oracle GraalVM for JDK: 17.0.15, 21.0.7 and 24.0.1; Oracle GraalVM Enterprise Edition: 21.3.14. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).
Severity
4.8 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.
- CWE-284 - Improper Access Control
Assigner
References
3 references
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Oracle Corporation | Oracle Java SE |
Affected:
8u451
Affected: 8u451-perf Affected: 11.0.27 Affected: 17.0.15 Affected: 21.0.7 Affected: 24.0.1 |
|
| Oracle Corporation | Oracle GraalVM for JDK |
Affected:
17.0.15
Affected: 21.0.7 Affected: 24.0.1 |
|
| Oracle Corporation | Oracle GraalVM Enterprise Edition |
Affected:
21.3.14
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30754",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-16T15:31:20.330242Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-16T15:31:23.266Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:47:58.832Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00014.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00011.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Oracle Java SE",
"vendor": "Oracle Corporation",
"versions": [
{
"status": "affected",
"version": "8u451"
},
{
"status": "affected",
"version": "8u451-perf"
},
{
"status": "affected",
"version": "11.0.27"
},
{
"status": "affected",
"version": "17.0.15"
},
{
"status": "affected",
"version": "21.0.7"
},
{
"status": "affected",
"version": "24.0.1"
}
]
},
{
"product": "Oracle GraalVM for JDK",
"vendor": "Oracle Corporation",
"versions": [
{
"status": "affected",
"version": "17.0.15"
},
{
"status": "affected",
"version": "21.0.7"
},
{
"status": "affected",
"version": "24.0.1"
}
]
},
{
"product": "Oracle GraalVM Enterprise Edition",
"vendor": "Oracle Corporation",
"versions": [
{
"status": "affected",
"version": "21.3.14"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:oracle:java_se:8u451:*:*:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:java_se:8u451:*:*:*:enterprise_performance:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:java_se:11.0.27:*:*:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:java_se:17.0.15:*:*:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:java_se:21.0.7:*:*:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:java_se:24.0.1:*:*:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:17.0.15:*:*:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:21.0.7:*:*:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:24.0.1:*:*:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:graalvm:21.3.14:*:*:*:enterprise:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en-US",
"value": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE: 8u451, 8u451-perf, 11.0.27, 17.0.15, 21.0.7, 24.0.1; Oracle GraalVM for JDK: 17.0.15, 21.0.7 and 24.0.1; Oracle GraalVM Enterprise Edition: 21.3.14. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.",
"lang": "en-US"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-15T21:55:29.340Z",
"orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"shortName": "oracle"
},
"references": [
{
"name": "Oracle Advisory",
"tags": [
"vendor-advisory"
],
"url": "https://www.oracle.com/security-alerts/cpujul2025.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"assignerShortName": "oracle",
"cveId": "CVE-2025-30754",
"datePublished": "2025-07-15T19:27:30.751Z",
"dateReserved": "2025-03-26T05:52:18.813Z",
"dateUpdated": "2025-11-03T19:47:58.832Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-30761 (GCVE-0-2025-30761)
Vulnerability from cvelistv5 – Published: 2025-07-15 20:49 – Updated: 2025-11-04 22:06
VLAI
EPSS
Summary
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Scripting). Supported versions that are affected are Oracle Java SE: 8u451, 8u451-perf and 11.0.27; Oracle GraalVM Enterprise Edition: 21.3.14. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).
Severity
5.9 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data.
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
5 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Oracle Corporation | Oracle Java SE |
Affected:
8u451
Affected: 8u451-perf Affected: 11.0.27 |
|
| Oracle Corporation | Oracle GraalVM Enterprise Edition |
Affected:
21.3.14
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30761",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-18T14:43:46.281794Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-18T14:43:49.823Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T22:06:34.611Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00011.html"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/07/16/1"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/07/21/3"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/07/24/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Oracle Java SE",
"vendor": "Oracle Corporation",
"versions": [
{
"status": "affected",
"version": "8u451"
},
{
"status": "affected",
"version": "8u451-perf"
},
{
"status": "affected",
"version": "11.0.27"
}
]
},
{
"product": "Oracle GraalVM Enterprise Edition",
"vendor": "Oracle Corporation",
"versions": [
{
"status": "affected",
"version": "21.3.14"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:oracle:java_se:8u451:*:*:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:java_se:8u451:*:*:*:enterprise_performance:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:java_se:11.0.27:*:*:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:graalvm:21.3.14:*:*:*:enterprise:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en-US",
"value": "Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Scripting). Supported versions that are affected are Oracle Java SE: 8u451, 8u451-perf and 11.0.27; Oracle GraalVM Enterprise Edition: 21.3.14. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data.",
"lang": "en-US"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-15T20:49:26.919Z",
"orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"shortName": "oracle"
},
"references": [
{
"name": "Oracle Advisory",
"tags": [
"vendor-advisory"
],
"url": "https://www.oracle.com/security-alerts/cpujul2025.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"assignerShortName": "oracle",
"cveId": "CVE-2025-30761",
"datePublished": "2025-07-15T20:49:26.919Z",
"dateReserved": "2025-03-26T05:52:18.814Z",
"dateUpdated": "2025-11-04T22:06:34.611Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-41248 (GCVE-0-2025-41248)
Vulnerability from cvelistv5 – Published: 2025-09-16 10:10 – Updated: 2025-09-18 06:29
VLAI
EPSS
Title
CVE-2025-41248: Spring Security authorization bypass for method security annotations on parameterized types
Summary
The Spring Security annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue when using @PreAuthorize and other method security annotations, resulting in an authorization bypass.
Your application may be affected by this if you are using Spring Security's @EnableMethodSecurity feature.
You are not affected by this if you are not using @EnableMethodSecurity or if you do not use security annotations on methods in generic superclasses or generic interfaces.
This CVE is published in conjunction with CVE-2025-41249 https://spring.io/security/cve-2025-41249 .
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-289 - Authentication Bypass by Alternate Name
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| VMware | Spring Security |
Affected:
6.4.x , < 6.4.11
(OSS)
Affected: 6.5.x , < 6.5.5 (OSS) |
Date Public
2025-09-15 18:27
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-41248",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-16T19:27:50.837990Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-289",
"description": "CWE-289 Authentication Bypass by Alternate Name",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T19:28:23.179Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Spring Security",
"vendor": "VMware",
"versions": [
{
"lessThan": "6.4.11",
"status": "affected",
"version": "6.4.x",
"versionType": "OSS"
},
{
"lessThan": "6.5.5",
"status": "affected",
"version": "6.5.x",
"versionType": "OSS"
}
]
}
],
"datePublic": "2025-09-15T18:27:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe Spring Security annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue when using \u003ccode\u003e@PreAuthorize\u003c/code\u003e\u0026nbsp;and other method security annotations, resulting in an authorization bypass.\u003c/p\u003e\u003cp\u003eYour application may be affected by this if you are using Spring Security\u0027s \u003ccode\u003e@EnableMethodSecurity\u003c/code\u003e\u0026nbsp;feature.\u003c/p\u003e\u003cp\u003eYou are not affected by this if you are not using \u003ccode\u003e@EnableMethodSecurity\u003c/code\u003e\u0026nbsp;or if you do not use security annotations on methods in generic superclasses or generic interfaces.\u003c/p\u003e\u003cp\u003eThis CVE is published in conjunction with \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://spring.io/security/cve-2025-41249\"\u003eCVE-2025-41249\u003c/a\u003e.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "The Spring Security annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue when using @PreAuthorize\u00a0and other method security annotations, resulting in an authorization bypass.\n\nYour application may be affected by this if you are using Spring Security\u0027s @EnableMethodSecurity\u00a0feature.\n\nYou are not affected by this if you are not using @EnableMethodSecurity\u00a0or if you do not use security annotations on methods in generic superclasses or generic interfaces.\n\nThis CVE is published in conjunction with CVE-2025-41249 https://spring.io/security/cve-2025-41249 ."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-18T06:29:51.189Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://spring.io/security/cve-2025-41248"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2025-41248: Spring Security authorization bypass for method security annotations on parameterized types",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2025-41248",
"datePublished": "2025-09-16T10:10:59.953Z",
"dateReserved": "2025-04-16T09:30:25.625Z",
"dateUpdated": "2025-09-18T06:29:51.189Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…