Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session
AnalysisAI
IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 contain a stored or reflected cross-site scripting (XSS) vulnerability in the Web UI that allows authenticated users to inject arbitrary JavaScript code. An attacker with valid credentials can exploit this vulnerability to alter application functionality and potentially steal session credentials or perform actions on behalf of other users within a trusted browser session. A patch is available from IBM, and the vulnerability has a CVSS score of 5.4 with moderate real-world risk due to the requirement for prior authentication and user interaction.
Technical ContextAI
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), which represents a failure in the Web UI input validation and output encoding mechanisms. The affected product is IBM InfoSphere Information Server (cpe:2.3:a:ibm:infosphere_information_server:*:*:*:*:*:*:*:*), a data integration and governance platform that processes user-supplied data in web forms and displays it without proper sanitization or HTML/JavaScript encoding. The vulnerability exists in versions 11.7.0.0 through 11.7.1.6, indicating the flaw was introduced or persisted across multiple minor versions. Attackers can inject malicious scripts through vulnerable input fields that are subsequently reflected in responses or stored in the application's state, causing execution in the context of other users' browsers when those pages are rendered.
RemediationAI
Apply the security patch provided by IBM available at https://www.ibm.com/support/pages/node/7266764. Upgrade IBM InfoSphere Information Server to a patched version, which should be version 11.7.1.7 or later, or jump to the next major version if available. Until patches can be applied, implement network segmentation to restrict access to the InfoSphere Web UI to trusted internal networks only, enforce strong authentication policies and session management to reduce the window of opportunity for XSS exploitation, and conduct user security awareness training to reduce susceptibility to social engineering attacks that leverage XSS payloads. Consider deploying a Web Application Firewall (WAF) configured to detect and block common XSS payloads in HTTP requests to the affected application.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15984
GHSA-2g5g-hcgh-q3rp