Skip to main content

IBM EUVDEUVD-2026-12067

| CVE-2026-0835 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-03-13 ibm
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch released
Mar 20, 2026 - 19:18 nvd
Patch available
EUVD ID Assigned
Mar 13, 2026 - 20:00 euvd
EUVD-2026-12067
Analysis Generated
Mar 13, 2026 - 20:00 vuln.today
CVE Published
Mar 13, 2026 - 18:57 nvd
MEDIUM 5.4

DescriptionCVE.org

IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.1.0.0 through 6.1.2.7_2, 6.2.0.0 through 6.2.0.5_1, 6.2.1.0 through 6.2.1.1_1, and 6.2.2.0 are vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

AnalysisAI

This is a stored or reflected cross-site scripting (XSS) vulnerability in IBM Sterling B2B Integrator and IBM Sterling File Gateway that allows authenticated users to inject arbitrary JavaScript code into the Web UI, potentially compromising credentials and session integrity. The vulnerability affects versions 6.1.0.0 through 6.2.2.0 across multiple release lines. While the CVSS score of 5.4 is moderate and exploitation requires authenticated access, the ability to alter UI functionality and exfiltrate credentials within a trusted session poses a real insider threat risk.

Technical ContextAI

This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), a classic XSS flaw where user-supplied input is not properly sanitized before being rendered in the Web UI of IBM Sterling B2B Integrator and IBM Sterling File Gateway. The affected products (CPE identifiers: cpe:2.3:a:ibm:sterling_b2b_integrator and cpe:2.3:a:ibm:sterling_file_gateway) use web-based administration interfaces that fail to encode or filter special characters in user inputs, allowing attackers to break out of data contexts and inject script tags or event handlers. The vulnerability likely resides in template rendering or form processing logic where user-controlled parameters are directly embedded into HTML responses without proper output encoding.

RemediationAI

Immediately upgrade IBM Sterling B2B Integrator and IBM Sterling File Gateway to patched versions released by IBM for CVE-2026-0835; consult IBM's security advisory for the specific minimum safe version for your release line (typically the next available cumulative fix or service pack after the last vulnerable version listed). As an interim measure, restrict Web UI access to trusted IP ranges and specific user accounts, enforce multi-factor authentication for administrative users, and audit all Web UI activity logs for suspicious input patterns or JavaScript payloads. Implement a Web Application Firewall (WAF) with XSS signature detection to block obvious script injection attempts. Monitor for any evidence of credential harvesting or session hijacking in application logs and trading partner activity.

Share

EUVD-2026-12067 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy