Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Stored XSS requires a victim to view the page (UI:R), and script execution in victim's browser constitutes a scope change (S:C); PR:L reflects mandatory authenticated injection.
Primary rating from Vendor (ibm).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
IBM TRIRIGA Application Platform 5.0.2 through 5.0.3 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
AnalysisAI
Stored cross-site scripting in IBM TRIRIGA Application Platform 5.0.2 and 5.0.3 allows an authenticated low-privileged user to inject arbitrary JavaScript into the Web UI, which executes in the browser context of other users who view the affected page - enabling session hijacking and credential theft within trusted sessions. No public exploit code has been identified at time of analysis, and IBM has released a patch via their support advisory. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to hold a valid authenticated session on IBM TRIRIGA Application Platform (PR:L per CVSS vector) - anonymous access is insufficient. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS 3.1 score of 5.4 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N) is noteworthy because UI:N is atypical for XSS - most stored XSS is rated UI:R since a victim must load the affected page. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated TRIRIGA user with minimal privileges - such as a facilities coordinator or read-write tenant account - navigates to a user-editable Web UI field (such as a work order description, asset note, or profile field) and submits a crafted payload containing malicious JavaScript. When a higher-privileged user such as a system administrator subsequently views the record containing the injected content, the script executes silently in their browser, exfiltrating their session token or credentials to an attacker-controlled endpoint. … |
| Remediation | Apply the vendor-released patch as described in IBM's support advisory at https://www.ibm.com/support/pages/node/7276076. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Tririga Application Platform
View allThe builder tools in IBM TRIRIGA Application Platform 3.3 before 3.3.2.6, 3.4 before 3.4.2.4, and 3.5 before 3.5.0.2 all
Reports executed in the IBM TRIRIGA Application Platform 3.3, 3.4, and 3.5 contains a vulnerability that could allow an
IBM TRIRIGA Report Manager 3.2 through 3.5 contains a vulnerability that could allow an authenticated user to execute ac
The notifications component in IBM TRIRIGA Applications 10.4 and 10.5 before 10.5.1 allows remote authenticated users to
Builder tools running in the IBM TRIRIGA Application Platform 3.3, 3.4, and 3.5 contains a vulnerability that could allo
Cross-site request forgery (CSRF) vulnerability in IBM TRIRIGA Application Platform 3.3 before 3.3.2.6, 3.4 before 3.4.2
IBM TRIRIGA Application Platform 3.2 and 3.3 before 3.3.0.2, 3.3.1 before 3.3.1.3, 3.3.2 before 3.3.2.2, and 3.4 before
IBM TRIRIGA Application Platform 3.3 before 3.3.2.6, 3.4 before 3.4.2.4, and 3.5 before 3.5.0.2 allows remote authentica
IBM TRIRIGA Application Platform 3.5.3 and 3.6.1 discloses sensitive information in error messages that could aid an att
IBM TRIRIGA 4.0 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. Rated high seve
IBM TRIRIGA Application Platform 3.5.3 and 3.6.0 is vulnerable to an XML External Entity Injection (XXE) attack when pro
Multiple cross-site request forgery (CSRF) vulnerabilities in IBM TRIRIGA Application Platform 2.x and 3.x before 3.3, a
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38280
GHSA-h4m9-g3gq-cc2g