FKIE_CVE-2025-33128
Vulnerability from fkie_nvd - Published: 2026-06-22 14:16 - Updated: 2026-06-26 20:20
Severity
Summary
IBM Engineering Workflow Management 7.0.3 through 7.0.3 Interim Fix 020, and 7.1 through 7.1 Interim Fix 007 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
References
| URL | Tags | ||
|---|---|---|---|
| psirt@us.ibm.com | https://www.ibm.com/support/pages/node/7276116 | Vendor Advisory |
Impacted products
{
"affected": [
{
"affectedData": [
{
"cpes": [
"cpe:2.3:a:ibm:engineering_workflow_management:7.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:engineering_workflow_management:7.0.3:interim_fix_020:*:*:*:*:*:*",
"cpe:2.3:a:ibm:engineering_workflow_management:7.1:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:engineering_workflow_management:7.1.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:engineering_workflow_management:7.1:interim_fix_007:*:*:*:*:*:*",
"cpe:2.3:a:ibm:engineering_workflow_management:7.1.0:interim_fix_007:*:*:*:*:*:*"
],
"product": "Engineering Workflow Management",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "7.0.3 Interim Fix 020",
"status": "affected",
"version": "7.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.1 Interim Fix 007",
"status": "affected",
"version": "7.1.0",
"versionType": "semver"
}
]
}
],
"source": "psirt@us.ibm.com"
}
],
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ibm:engineering_workflow_management:7.0.3:-:*:*:*:*:*:*",
"matchCriteriaId": "3CB2A4A5-05AB-4591-BC17-508B6CC52D19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ibm:engineering_workflow_management:7.0.3:ifix001:*:*:*:*:*:*",
"matchCriteriaId": "AC3523E9-2176-4F06-89DE-B9E39A8B5DFF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ibm:engineering_workflow_management:7.0.3:ifix002:*:*:*:*:*:*",
"matchCriteriaId": "2856B724-9102-453D-92D9-D6960D723EEE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ibm:engineering_workflow_management:7.0.3:ifix003:*:*:*:*:*:*",
"matchCriteriaId": "9F016ABC-BE79-4979-9A80-777F0D02615F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ibm:engineering_workflow_management:7.0.3:ifix004:*:*:*:*:*:*",
"matchCriteriaId": "B9FC1B96-18D3-4E17-A9F1-B020F0D72590",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ibm:engineering_workflow_management:7.0.3:ifix005:*:*:*:*:*:*",
"matchCriteriaId": "936271E0-3CF6-43CE-81D2-C7B0BEB7BBE9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ibm:engineering_workflow_management:7.0.3:ifix006:*:*:*:*:*:*",
"matchCriteriaId": "D34862FD-AE18-46FE-B4E6-AC639120774D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ibm:engineering_workflow_management:7.0.3:ifix007:*:*:*:*:*:*",
"matchCriteriaId": "3C3C127B-9AF2-4B7A-ACEE-9A2875CBAE99",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ibm:engineering_workflow_management:7.0.3:ifix008:*:*:*:*:*:*",
"matchCriteriaId": "181B8EF5-E34B-41EF-AE2D-3C202D4C88EB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ibm:engineering_workflow_management:7.0.3:ifix009:*:*:*:*:*:*",
"matchCriteriaId": "5C8113D3-4934-4551-84BD-FC0A6489F82C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ibm:engineering_workflow_management:7.0.3:ifix010:*:*:*:*:*:*",
"matchCriteriaId": "8BE8D6E5-C897-4C58-BE03-C26B4D3C6494",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ibm:engineering_workflow_management:7.0.3:ifix011:*:*:*:*:*:*",
"matchCriteriaId": "BF1CFB7F-F8EB-4D71-8765-07CE49D31189",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ibm:engineering_workflow_management:7.0.3:ifix012:*:*:*:*:*:*",
"matchCriteriaId": "38A55F98-2982-43E1-AE01-37B423C9B481",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ibm:engineering_workflow_management:7.0.3:ifix013:*:*:*:*:*:*",
"matchCriteriaId": "174815C1-90FD-4947-9EB7-9BF713DCD3D7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ibm:engineering_workflow_management:7.0.3:ifix014:*:*:*:*:*:*",
"matchCriteriaId": "FA3149F4-EF4C-46F6-8DAF-C9217CF16F59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ibm:engineering_workflow_management:7.0.3:ifix015:*:*:*:*:*:*",
"matchCriteriaId": "3C23BE8B-1492-40F2-A218-CF85A754D4FF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ibm:engineering_workflow_management:7.0.3:ifix016:*:*:*:*:*:*",
"matchCriteriaId": "11CFA2C9-C485-4780-A04C-FA39E7E7A3AA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ibm:engineering_workflow_management:7.0.3:ifix017:*:*:*:*:*:*",
"matchCriteriaId": "05C3B457-57A8-4DA9-A95E-5D198974A0B0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ibm:engineering_workflow_management:7.0.3:ifix018:*:*:*:*:*:*",
"matchCriteriaId": "F407A290-B204-4B18-84C0-A598E56F0EAF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ibm:engineering_workflow_management:7.0.3:ifix019:*:*:*:*:*:*",
"matchCriteriaId": "7EDBEFA2-B476-4711-8153-214D566875D9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ibm:engineering_workflow_management:7.0.3:ifix020:*:*:*:*:*:*",
"matchCriteriaId": "CEC9F849-AF2B-40DB-992A-090605B078F8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ibm:engineering_workflow_management:7.1.0:-:*:*:*:*:*:*",
"matchCriteriaId": "7FAE09FF-371A-4B02-A837-40149E773AE0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ibm:engineering_workflow_management:7.1.0:ifix001:*:*:*:*:*:*",
"matchCriteriaId": "E153E7C3-A2A5-4757-9684-3DCBCE05B9F5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ibm:engineering_workflow_management:7.1.0:ifix002:*:*:*:*:*:*",
"matchCriteriaId": "0B0984C6-0E92-4493-B0A2-40BC0888F2FE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ibm:engineering_workflow_management:7.1.0:ifix003:*:*:*:*:*:*",
"matchCriteriaId": "F62B6927-F717-499A-8EC3-900AC06A3DF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ibm:engineering_workflow_management:7.1.0:ifix004:*:*:*:*:*:*",
"matchCriteriaId": "0883E0E8-8E67-44B8-B0D8-E6D55306B319",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ibm:engineering_workflow_management:7.1.0:ifix005:*:*:*:*:*:*",
"matchCriteriaId": "2CACCEE4-0346-44B0-ACF8-270F70D8B316",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ibm:engineering_workflow_management:7.1.0:ifix006:*:*:*:*:*:*",
"matchCriteriaId": "57CE388F-D826-4EFC-BBBA-E539FE69361A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ibm:engineering_workflow_management:7.1.0:ifix007:*:*:*:*:*:*",
"matchCriteriaId": "E4C0BF7F-D922-49C3-B62C-F904EB1DBCA6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "IBM Engineering Workflow Management 7.0.3 through 7.0.3 Interim Fix 020, and 7.1 through 7.1 Interim Fix 007 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session."
}
],
"id": "CVE-2025-33128",
"lastModified": "2026-06-26T20:20:31.683",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "psirt@us.ibm.com",
"type": "Secondary"
}
],
"ssvcV203": [
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"ssvcData": {
"id": "CVE-2025-33128",
"options": [
{
"exploitation": "none"
},
{
"automatable": "no"
},
{
"technicalImpact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-23T14:05:03.637720Z",
"version": "2.0.3"
}
}
]
},
"published": "2026-06-22T14:16:22.910",
"references": [
{
"source": "psirt@us.ibm.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.ibm.com/support/pages/node/7276116"
}
],
"sourceIdentifier": "psirt@us.ibm.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "psirt@us.ibm.com",
"type": "Secondary"
}
]
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…