Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
IBM Sterling Partner Engagement Manager 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 could allow a remote attacker to obtain sensitive information when detailed technical error messages are returned. This information could be used in further attacks against the system.
AnalysisAI
IBM Sterling Partner Engagement Manager versions 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 contain an information disclosure vulnerability where detailed technical error messages are returned to remote attackers without authentication, exposing sensitive system information that can be leveraged for reconnaissance and follow-up attacks. With a CVSS score of 5.3 and low attack complexity requiring no privileges, this vulnerability poses a moderate risk as an information gathering vector in multi-stage attack campaigns, though direct exploitation impact is limited to confidentiality.
Technical ContextAI
This vulnerability is rooted in CWE-209 (Information Exposure Through an Error Message), a common weakness in web applications and APIs where verbose error handling reveals system internals, configuration details, stack traces, or other sensitive metadata. IBM Sterling Partner Engagement Manager is an enterprise partner management platform that processes sensitive business data through REST/SOAP APIs and web interfaces. The affected versions (6.2.3.0-6.2.3.5 and 6.2.4.0-6.2.4.2) fail to implement proper error message sanitization, likely in authentication handlers, API endpoints, or database interaction layers. When error conditions occur—such as malformed requests, failed authentication attempts, or backend service failures—the application returns unfiltered exception details to any network-accessible endpoint, violating secure coding practices that require environment-appropriate error responses (generic messages for untrusted clients, detailed logs only in secure backend channels).
RemediationAI
Upgrade IBM Sterling Partner Engagement Manager to a patched version released after 6.2.4.2 (IBM will provide specific version numbers in the official security advisory). Until patching is possible, implement network-level controls by restricting access to Sterling Partner Engagement Manager endpoints to trusted internal subnets or VPN users only, and deploy a Web Application Firewall (WAF) to suppress or sanitize error responses. Additionally, enable comprehensive logging and monitoring of error responses to detect reconnaissance activity, and configure the application to return generic error messages ('An error occurred. Contact support.') rather than detailed exception details by modifying the application's error handling configuration as documented in the Sterling Partner Engagement Manager administration guide.
IBM Sterling Partner Engagement Manager 6.1, 6.2, and 6.2.1 could allow a remote attacker to hijack the clicking action
IBM Sterling Partner Engagement Manager 6.1.0, 6.2.0, 6.2.2 JWT secret is stored in public Helm Charts and is not stored
IBM Sterling Partner Engagement Manager 6.1.2, 6.2.0, and 6.2.2 could allow a remote user to perform unauthorized action
IBM Sterling Partner Engagement Manager 6.1, 6.2, and Cloud 22.2 do not limit the length of a connection which could cau
IBM Sterling Partner Engagement Manager 6.1 is vulnerable to an XML External Entity Injection (XXE) attack when processi
IBM Sterling Partner Engagement Manager 2.0 does not invalidate session after logout which could allow an authenticated
IBM Sterling Partner Engagement Manager 6.1.2, 6.2.0, and 6.2.2 is vulnerable to stored cross-site scripting. Rated medi
IBM Sterling Partner Engagement Manager 6.1, 6.2, and 6.2.1 is vulnerable to stored cross-site scripting. Rated medium s
IBM Sterling Partner Engagement Manager 6.1, 6.2, and 6.2.1 is vulnerable to cross-site scripting. Rated medium severity
IBM Sterling Partner Engagement Manager versions 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 contain an authenti
Same weakness CWE-209 – Error Message Information Leak
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-208651