Skip to main content

IBM Engineering Workflow Management EUVDEUVD-2025-210300

| CVE-2025-33128 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-22 ibm GHSA-qx9x-w8gf-h8rf
5.4
CVSS 3.1 · Vendor: ibm
Share

Severity by source

Vendor (ibm) PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

Network-accessible stored XSS requires authenticated low-privilege submission (PR:L) and victim interaction (UI:R); scope changes (S:C) as injected script executes in another user's session context.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (ibm).

CVSS VectorVendor: ibm

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 22, 2026 - 14:43 vuln.today

DescriptionCVE.org

IBM Engineering Workflow Management 7.0.3 through 7.0.3 Interim Fix 020, and 7.1 through 7.1 Interim Fix 007 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

AnalysisAI

Stored cross-site scripting in IBM Engineering Workflow Management's Web UI enables an authenticated low-privileged attacker to inject arbitrary JavaScript that executes in the browser sessions of other users, including administrators, within the same trusted application context. Affected versions span 7.0.3 through 7.0.3 Interim Fix 020 and 7.1 through 7.1 Interim Fix 007. The scope-changed CVSS vector (S:C) confirms that impact crosses the attacker's own session boundary, creating a realistic path to credential theft or session hijacking against higher-privileged users. No public exploit code exists and this CVE is not listed in the CISA KEV catalog at time of analysis.

Technical ContextAI

IBM Engineering Workflow Management (EWM) is an enterprise Application Lifecycle Management (ALM) platform used for project planning, work item tracking, and software delivery. The affected CPE is cpe:2.3:a:ibm:engineering_workflow_management:*:*:*:*:*:*:*:*. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-site Scripting), meaning user-supplied input is reflected or stored in rendered HTML without adequate output encoding or sanitization. Because EWM is a collaborative web-based tool where multiple roles (developer, project lead, administrator) share a common interface, injected scripts submitted by a low-privileged user can execute in the higher-privileged context of any colleague who views the tampered page. The S:C scope change in the CVSS vector formally captures this cross-session impact.

RemediationAI

Apply the vendor-released patch as documented in IBM Security Advisory at https://www.ibm.com/support/pages/node/7276116 - the advisory covers both affected release lines (7.0.3 and 7.1). The exact patched interim fix version is not specified in the available intelligence beyond 'patch available from vendor'; consult the advisory directly to confirm the target IF level for each release train. If immediate patching is not feasible, restrict write access to EWM Web UI input fields (work item descriptions, comments, rich-text fields) to the minimum necessary user population, reducing the number of potential injection points. Additionally, review and enforce a strict Content Security Policy (CSP) header at the reverse proxy or load balancer layer if EWM is fronted by one - this can constrain script execution sources and limit XSS impact, though it does not remediate the underlying flaw. Note that CSP enforcement at the proxy layer may interfere with legitimate EWM UI functionality and should be tested thoroughly before production deployment.

CVE-2021-29844 HIGH
8.8 Oct 27

IBM Jazz Team Server products is vulnerable to server-side request forgery (SSRF). Rated high severity (CVSS 8.8), this

CVE-2021-29774 HIGH
7.5 Oct 27

IBM Jazz Team Server products could allow an authenticated user to obtain elevated privileges under certain configuratio

CVE-2021-20502 HIGH
7.1 Mar 30

IBM Jazz Foundation Products are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. R

CVE-2021-29786 MEDIUM
6.5 Oct 27

IBM Jazz Team Server products stores user credentials in clear text which can be read by an authenticated user. Rated me

CVE-2024-51454 MEDIUM
6.1 Jun 22

IBM Engineering Workflow Management 7.0.2 through 7.0.2 Interim Fix 035, 7.0.3 through 7.0.3 Interim Fix 017, and 7.1 th

CVE-2024-28793 MEDIUM
5.4 May 28

IBM Engineering Workflow Management 7.0.2 and 7.0.3 is vulnerable to stored cross-site scripting. Rated medium severity

CVE-2021-29673 MEDIUM
5.4 Oct 27

IBM Jazz Team Server products are vulnerable to cross-site scripting. Rated medium severity (CVSS 5.4), this vulnerabili

CVE-2021-20507 MEDIUM
5.4 Jul 19

IBM Jazz Foundation and IBM Engineering products are vulnerable to cross-site scripting. Rated medium severity (CVSS 5.4

CVE-2021-20519 MEDIUM
5.4 Apr 12

IBM Jazz Team Server products are vulnerable to cross-site scripting. Rated medium severity (CVSS 5.4), this vulnerabili

CVE-2021-20520 MEDIUM
5.4 Mar 30

IBM Jazz Foundation Products are vulnerable to cross-site scripting. Rated medium severity (CVSS 5.4), this vulnerabilit

CVE-2021-20518 MEDIUM
5.4 Mar 30

IBM Jazz Foundation Products are vulnerable to cross-site scripting. Rated medium severity (CVSS 5.4), this vulnerabilit

CVE-2021-20506 MEDIUM
5.4 Mar 30

IBM Jazz Foundation Products are vulnerable to cross-site scripting. Rated medium severity (CVSS 5.4), this vulnerabilit

Share

EUVD-2025-210300 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy