Skip to main content

IBM watsonx.data Intelligence CVE-2025-36323

| EUVDEUVD-2025-210380 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-30 ibm GHSA-8rwq-8258-xf52
5.4
CVSS 3.1 · Vendor: ibm
Share

Severity by source

Vendor (ibm) PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

PR:L confirmed by authentication requirement; S:C reflects cross-browser-context script execution reaching the victim's session; C:L/I:L represent credential exposure and DOM manipulation without full system compromise; no availability impact applies.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (ibm).

CVSS VectorVendor: ibm

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 30, 2026 - 21:19 vuln.today

DescriptionCVE.org

IBM watsonx.data intelligence 5.2.0, 5.2.1, 5.2.2, 5.3.0 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

AnalysisAI

Cross-site scripting in IBM watsonx.data Intelligence 5.2.0 through 5.3.0 allows low-privileged authenticated users to inject arbitrary JavaScript into the Web UI, enabling credential theft or session hijacking against higher-privileged victims. The CVSS scope change (S:C) confirms the injected script executes in the victim's browser context, crossing trust boundaries within the platform. No public exploit code has been identified and this vulnerability is not listed in CISA KEV; IBM has released a patch via advisory PSIRT.

Technical ContextAI

IBM watsonx.data Intelligence is an enterprise data lakehouse platform combining data cataloging, governance, and analytics capabilities within a web-based UI. CWE-79 (Improper Neutralization of Input During Web Page Generation) indicates the application fails to sanitize or properly encode user-supplied input before rendering it in HTML contexts - a classic stored or reflected XSS root cause. The CVSS scope change (S:C) is technically significant: it confirms the malicious script executes in the victim's browser session rather than the application's own context, enabling cross-user credential exfiltration. The affected CPE (cpe:2.3:a:ibm:watsonx.data_intelligence) covers all enumerated versions 5.2.0, 5.2.1, 5.2.2, and 5.3.0.

RemediationAI

Apply the vendor-released patch per IBM Security Bulletin at https://www.ibm.com/support/pages/node/7277801; the exact patched version number is not independently specified in available data and should be confirmed directly from the advisory. As a compensating control pending patching, enforce a strict Content Security Policy (CSP) header at the WAF or reverse proxy layer to block inline script execution - note that aggressive CSP rules may break legitimate UI functionality and must be tested in staging before broad rollout. Restrict Web UI access to the minimum required user population and audit low-privilege accounts with write access to UI-rendered fields. Enabling session anomaly detection can help identify credential exfiltration attempts.

Share

CVE-2025-36323 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy