Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Network-accessible stored XSS requires authenticated low-privilege submission (PR:L) and victim interaction (UI:R); scope changes (S:C) as injected script executes in another user's session context.
Primary rating from Vendor (ibm).
CVSS VectorVendor: ibm
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
IBM Engineering Workflow Management 7.0.3 through 7.0.3 Interim Fix 020, and 7.1 through 7.1 Interim Fix 007 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
AnalysisAI
Stored cross-site scripting in IBM Engineering Workflow Management's Web UI enables an authenticated low-privileged attacker to inject arbitrary JavaScript that executes in the browser sessions of other users, including administrators, within the same trusted application context. Affected versions span 7.0.3 through 7.0.3 Interim Fix 020 and 7.1 through 7.1 Interim Fix 007. The scope-changed CVSS vector (S:C) confirms that impact crosses the attacker's own session boundary, creating a realistic path to credential theft or session hijacking against higher-privileged users. No public exploit code exists and this CVE is not listed in the CISA KEV catalog at time of analysis.
Technical ContextAI
IBM Engineering Workflow Management (EWM) is an enterprise Application Lifecycle Management (ALM) platform used for project planning, work item tracking, and software delivery. The affected CPE is cpe:2.3:a:ibm:engineering_workflow_management:*:*:*:*:*:*:*:*. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-site Scripting), meaning user-supplied input is reflected or stored in rendered HTML without adequate output encoding or sanitization. Because EWM is a collaborative web-based tool where multiple roles (developer, project lead, administrator) share a common interface, injected scripts submitted by a low-privileged user can execute in the higher-privileged context of any colleague who views the tampered page. The S:C scope change in the CVSS vector formally captures this cross-session impact.
RemediationAI
Apply the vendor-released patch as documented in IBM Security Advisory at https://www.ibm.com/support/pages/node/7276116 - the advisory covers both affected release lines (7.0.3 and 7.1). The exact patched interim fix version is not specified in the available intelligence beyond 'patch available from vendor'; consult the advisory directly to confirm the target IF level for each release train. If immediate patching is not feasible, restrict write access to EWM Web UI input fields (work item descriptions, comments, rich-text fields) to the minimum necessary user population, reducing the number of potential injection points. Additionally, review and enforce a strict Content Security Policy (CSP) header at the reverse proxy or load balancer layer if EWM is fronted by one - this can constrain script execution sources and limit XSS impact, though it does not remediate the underlying flaw. Note that CSP enforcement at the proxy layer may interfere with legitimate EWM UI functionality and should be tested thoroughly before production deployment.
IBM Jazz Team Server products is vulnerable to server-side request forgery (SSRF). Rated high severity (CVSS 8.8), this
IBM Jazz Team Server products could allow an authenticated user to obtain elevated privileges under certain configuratio
IBM Jazz Foundation Products are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. R
IBM Jazz Team Server products stores user credentials in clear text which can be read by an authenticated user. Rated me
IBM Engineering Workflow Management 7.0.2 through 7.0.2 Interim Fix 035, 7.0.3 through 7.0.3 Interim Fix 017, and 7.1 th
IBM Engineering Workflow Management 7.0.2 and 7.0.3 is vulnerable to stored cross-site scripting. Rated medium severity
IBM Jazz Team Server products are vulnerable to cross-site scripting. Rated medium severity (CVSS 5.4), this vulnerabili
IBM Jazz Foundation and IBM Engineering products are vulnerable to cross-site scripting. Rated medium severity (CVSS 5.4
IBM Jazz Team Server products are vulnerable to cross-site scripting. Rated medium severity (CVSS 5.4), this vulnerabili
IBM Jazz Foundation Products are vulnerable to cross-site scripting. Rated medium severity (CVSS 5.4), this vulnerabilit
IBM Jazz Foundation Products are vulnerable to cross-site scripting. Rated medium severity (CVSS 5.4), this vulnerabilit
IBM Jazz Foundation Products are vulnerable to cross-site scripting. Rated medium severity (CVSS 5.4), this vulnerabilit
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210300
GHSA-qx9x-w8gf-h8rf