{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-33128", "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "state": "PUBLISHED", "assignerShortName": "ibm", "dateReserved": "2025-04-15T17:51:11.505Z", "datePublished": "2026-06-22T13:20:14.904Z", "dateUpdated": "2026-06-22T13:20:14.904Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm", "dateUpdated": "2026-06-22T13:20:14.904Z"}, "title": "IBM Engineering Lifecycle Management - Engineering Workflow Management is impacted by vulnerabilities HTML / XSS Injection observed", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "affected": [{"vendor": "IBM", "product": "Engineering Workflow Management", "versions": [{"status": "affected", "version": "7.0.3", "lessThanOrEqual": "7.0.3 Interim Fix 020", "versionType": "semver"}, {"status": "affected", "version": "7.1.0", "lessThanOrEqual": "7.1 Interim Fix 007", "versionType": "semver"}], "cpes": ["cpe:2.3:a:ibm:engineering_workflow_management:7.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:engineering_workflow_management:7.0.3:interim_fix_020:*:*:*:*:*:*", "cpe:2.3:a:ibm:engineering_workflow_management:7.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:engineering_workflow_management:7.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:engineering_workflow_management:7.1:interim_fix_007:*:*:*:*:*:*", "cpe:2.3:a:ibm:engineering_workflow_management:7.1.0:interim_fix_007:*:*:*:*:*:*"]}], "descriptions": [{"lang": "en", "value": "IBM Engineering Workflow Management 7.0.3 through 7.0.3 Interim Fix 020, and 7.1 through 7.1 Interim Fix 007 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>IBM Engineering Workflow Management 7.0.3 through 7.0.3 Interim Fix 020, and 7.1 through 7.1 Interim Fix 007 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.</p>"}]}], "references": [{"url": "https://www.ibm.com/support/pages/node/7276116", "tags": ["vendor-advisory", "patch"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 5.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}}], "solutions": [{"lang": "en", "value": "Affected Product(s)Version(s)Remediation/Fix/Instructions\n\nIBM Engineering Lifecycle Management - Engineering Workflow Management\n\n7.0.3Download and install\u00a0 iFix021 https://www.ibm.com/support/fixcentral/swg/downloadFixes \u00a0or later\n\nIBM Engineering Lifecycle Management - Engineering Workflow Management\n\n7.1.0Download and install\u00a0 iFix008 https://www.ibm.com/support/fixcentral/swg/downloadFixes \u00a0or later", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<div><table><tbody><tr><td>Affected Product(s)</td><td>Version(s)</td><td>Remediation/Fix/Instructions</td></tr><tr><td><p>IBM Engineering Lifecycle Management - Engineering Workflow Management</p></td><td>7.0.3</td><td>Download and install&nbsp;<a href=\"https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Engineering&amp;product=ibm/Rational/IBM+Engineering+Lifecycle+Management&amp;release=7.0.3&amp;platform=All&amp;function=fixId&amp;fixids=7.0.3-IBM-ELM-iFix021&amp;includeRequisites=0&amp;includeSupersedes=0&amp;downloadMethod=ddp\" rel=\"nofollow\">iFix021</a>&nbsp;or later</td></tr><tr><td><p>IBM Engineering Lifecycle Management - Engineering Workflow Management</p></td><td>7.1.0</td><td>Download and install&nbsp;<a href=\"https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Engineering&amp;product=ibm/Rational/IBM+Engineering+Lifecycle+Management&amp;release=7.1&amp;platform=All&amp;function=fixId&amp;fixids=7.1-IBM-ELM-iFix008&amp;includeRequisites=0&amp;includeSupersedes=0&amp;downloadMethod=ddp\" rel=\"nofollow\">iFix008</a>&nbsp;or later</td></tr></tbody></table></div>"}]}], "x_generator": {"engine": "ibm-cvegen"}}}}

{}

{}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[7.0.3,7.0.3 Interim Fix 020]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[7.1.0,7.1 Interim Fix 007]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Engineering Workflow Management", "source": "cna", "vendor": "IBM"}, "product": "engineering_workflow_management", "vendor": "ibm"}], "created": "2026-06-22T14:30:05.337346+00:00", "updated": "2026-06-22T16:15:16.231329+00:00", "vendors": ["ibm", "ibm$PRODUCT$engineering_workflow_management"]}