Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
IBM Sterling Partner Engagement Manager 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
AnalysisAI
IBM Sterling Partner Engagement Manager versions 6.2.3.0-6.2.3.5 and 6.2.4.0-6.2.4.2 contain a stored or reflected cross-site scripting (XSS) vulnerability in the Web UI that allows authenticated users to inject arbitrary JavaScript code. An attacker with valid credentials can alter application functionality and potentially exfiltrate sensitive data (including credentials) from trusted user sessions. A patch is available from IBM; exploitation requires user interaction (UI:R) but no elevated privileges.
Technical ContextAI
This is a CWE-79 (Improper Neutralization of Input During Web Page Generation) vulnerability affecting IBM Sterling Partner Engagement Manager, a B2B integration and supplier management platform (CPE: cpe:2.3:a:ibm:sterling_partner_engagement_manager:*:*:*:*:*:*:*:*). The vulnerability resides in the Web UI layer where user-supplied input is not properly sanitized or encoded before being rendered in the browser context. The affected versions (6.2.3.x and 6.2.4.x) indicate the flaw exists across multiple minor releases, suggesting a systemic input validation or output encoding deficiency in the UI framework. The XSS vector allows injection of JavaScript that executes in the security context of the authenticated session, bypassing same-origin protections via the SameSite cookie bypass potential (S:C in CVSS vector indicates changed scope).
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-208645